Password encryption

Hello
One of my friends wrote code like this for registration:
[php]$this->db->query("INSERT INTO " . DB_PREFIX . "user SET username = '" . $this->db->escape($data['username'])
    . "', salt = '" . $this->db->escape($salt = substr(md5(uniqid(rand(), true)), 0, 9))
    . "', password = '" . $this->db->escape(sha1($salt . sha1($salt . sha1($data['password']))))
    . "', firstname = '" . $this->db->escape($data['firstname'])
    . "', lastname = '" . $this->db->escape($data['lastname'])
    . "', email = '" . $this->db->escape($data['email'])
    . "', user_group_id = '" . (int)$data['user_group_id']
    . "', status = '" . (int)$data['status']
    . "', date_added = NOW()");[/php]

It stores the data in the database like this:
[php]INSERT INTO oc_user VALUES (1,1,'admin','a7008174afb39f4d72eddc4d06e1d4da','97a7dba28','','','[email protected]','','122.169.212.99',1,'2013-05-31 00:18:46');
INSERT INTO oc_user VALUES (2,10,'ProductEntry','16be018b98f6cfd7d4ba3db23b86bbfc818c4d5e','c349b9778','Prod1','Entry1','[email protected]','','183.82.210.69',1,'2013-06-10 08:44:36');[/php]

And it retrieves it like this:

[php]$query1 = $this->db->query("SELECT username, password FROM oc_user WHERE username = '" . $this->db->escape($username)
    . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "')))))"
    . " OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1'");[/php]

Please tell me the password for the above details.

You will never know the password, since it’s encrypted…

What happens is the user selects the decryption key as the password. So without the user’s (decryption key) password, you can’t decrypt what’s in the database.

Most places do this now, storing real passwords is a security risk… That’s why at most places when you forget your password, you have to reset it, it won’t show you what your old password was, because they don’t know either.

This is partly incorrect. The password was hashed, not encrypted. There is no “decryption key”.

As seen in the snippet (sha1($salt . sha1($salt . sha1($data['password'])))), the hashing algo used is SHA1(SALT . SHA1(SALT . SHA1(password))), which, sadly, is not a common format. You may want to try your hand at a few rainbow tables just in case something interesting comes up.

Otherwise, you’re stuck brute-forcing them. If you have a computer with a couple of NVidia graphics cards, I’d strongly recommend finding a tool like cudaHashCat that will allow you to do the brute-force.
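
For the storage side of what this thread shows, an added example (not code from the thread or from the application it came from): checking a login against the legacy SHA1(salt . SHA1(salt . SHA1(password))) and MD5 formats, then re-storing the password with PHP's password_hash() on the next successful login. The function names and the $user array are hypothetical.

```php
<?php
// Legacy scheme from the thread: SHA1(salt . SHA1(salt . SHA1(password))).
function legacy_hash(string $salt, string $password): string
{
    return sha1($salt . sha1($salt . sha1($password)));
}

// Check a login against whichever format the row holds. A legacy row that
// verifies is re-stored with password_hash(). $user is a hypothetical row.
function verify_and_upgrade(array &$user, string $password): bool
{
    $stored = $user['password'];
    $info = password_get_info($stored);

    // Modern row: password_hash() output carries algorithm, cost and salt.
    if (!empty($info['algo'])) {
        if (!password_verify($password, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $user['password'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    // Legacy row: salted triple SHA-1 or bare MD5, as in the login query.
    // hash_equals() compares in constant time.
    $ok = hash_equals($stored, legacy_hash($user['salt'], $password))
        || hash_equals($stored, md5($password));
    if (!$ok) {
        return false;
    }
    $user['password'] = password_hash($password, PASSWORD_DEFAULT);
    $user['salt'] = ''; // the salt is now embedded in the hash string
    return true;
}

// Constructed sample row, not taken from the thread's data.
$salt = substr(bin2hex(random_bytes(8)), 0, 9);
$user = ['username' => 'demo', 'salt' => $salt,
         'password' => legacy_hash($salt, 'correct horse')];

$rejected = verify_and_upgrade($user, 'wrong guess');   // wrong password
$accepted = verify_and_upgrade($user, 'correct horse'); // right password, row upgraded
$upgraded = password_verify('correct horse', $user['password']);
var_dump($rejected, $accepted, $upgraded);
```

The password column has to be wide enough for the new format: bcrypt output is 60 characters, and the PHP manual suggests 255 to leave room for future algorithms.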
