dbTalk Databases Forums - comp.databases.mysql

member's password

#1 docanski - member's password - 12-07-2011, 10:22 AM

Hi!

Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.

Thanks!
--
docanski

Portal and directory of northern Brittany: http://armorance.free.fr/
Guide to the mushrooms of Europe: http://mycorance.free.fr/
The maritime Rance valley: http://valderance.free.fr/
The coasts of northern Brittany: http://docarmor.free.fr/

#2 Álvaro G. Vicario - Re: member's password - 12-07-2011, 10:26 AM

On 07/12/2011 17:22, docanski wrote:
Quote:
Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.
No, it isn't. That's the exact purpose of not storing it in clear.

Can't you simply set a new one?

http://dev.mysql.com/doc/refman/5.5/...-password.html



--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My site of glossy humour: http://www.demogracia.com
--

#3 The Natural Philosopher - Re: member's password - 12-07-2011, 11:07 AM

Álvaro G. Vicario wrote:
Quote:
On 07/12/2011 17:22, docanski wrote:
Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.

No, it isn't. That's the exact purpose of not storing it in clear.

Can't you simply set a new one?

http://dev.mysql.com/doc/refman/5.5/...-password.html



It's an interesting scenario.

Someone wants to 'recover' a password.

Why?


Either because its rightful owner can't get in, in which case a new
password is perfect, or because a wrongful owner can't get in...and doesn't
want to arouse the suspicions of the rightful owner.


BUT if one can see the database enough to get at the crypted passwords,
and reset them, one can of course get at any data in it.

Which leaves one final option.

The user who has got unauthorised read-only access to the encrypted user
database...and wants to hack into someone's account.

#4 onedbguru - Re: member's password - 12-07-2011, 09:37 PM

On Dec 7, 12:07 pm, The Natural Philosopher <t... (AT) invalid (DOT) invalid>
wrote:
Quote:
Álvaro G. Vicario wrote:
On 07/12/2011 17:22, docanski wrote:
Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.

No, it isn't. That's the exact purpose of not storing it in clear.

Can't you simply set a new one?

http://dev.mysql.com/doc/refman/5.5/...-password.html

It's an interesting scenario.

Someone wants to 'recover' a password.

Why?

Either because its rightful owner can't get in, in which case a new
password is perfect, or because a wrongful owner can't get in...and doesn't
want to arouse the suspicions of the rightful owner.

BUT if one can see the database enough to get at the crypted passwords,
and reset them, one can of course get at any data in it.

Which leaves one final option.

The user who has got unauthorised read-only access to the encrypted user
database...and wants to hack into someone's account.


D.
One should NEVER be able to "recover" a password. You should only be
allowed to reset it, provided you can guarantee that the rightful owner
is the one doing the requesting and provide an interface that can
verify the rightful owner.

I have an acquaintance that requested his password from a particular
institution that will remain nameless. They sent him his original
password in clear text via email. He closed his account the next
day. If you have ANY forum blog accounts etc... that send you your
original password in clear text, you should immediately close those
accounts.

#5 Jerry Stuckle - Re: member's password - 12-08-2011, 07:38 AM

On 12/7/2011 10:37 PM, onedbguru wrote:
Quote:
On Dec 7, 12:07 pm, The Natural Philosopher <t... (AT) invalid (DOT) invalid>
wrote:
Álvaro G. Vicario wrote:
On 07/12/2011 17:22, docanski wrote:
Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.

No, it isn't. That's the exact purpose of not storing it in clear.

Can't you simply set a new one?

http://dev.mysql.com/doc/refman/5.5/...-password.html

It's an interesting scenario.

Someone wants to 'recover' a password.

Why?

Either because its rightful owner can't get in, in which case a new
password is perfect, or because a wrongful owner can't get in...and doesn't
want to arouse the suspicions of the rightful owner.

BUT if one can see the database enough to get at the crypted passwords,
and reset them, one can of course get at any data in it.

Which leaves one final option.

The user who has got unauthorised read-only access to the encrypted user
database...and wants to hack into someone's account.



D.
One should NEVER be able to "recover" a password. You should only be
allowed to reset it, provided you can guarantee that the rightful owner
is the one doing the requesting and provide an interface that can
verify the rightful owner.

I have an acquaintance that requested his password from a particular
institution that will remain nameless. They sent him his original
password in clear text via email. He closed his account the next
day. If you have ANY forum blog accounts etc... that send you your
original password in clear text, you should immediately close those
accounts.
What do you expect - them to send you your password encrypted?

Forcing a person to change his password because he forgot it is very
user unfriendly. People will just go to another site rather than have
to go through the hassle of resetting their password. That equates to
lost business.

While I would agree it would be necessary for sites such as banks, I
don't think it is for a lot of sites.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================

#6 onedbguru - Re: member's password - 12-13-2011, 08:20 PM

On Dec 8, 8:38 am, Jerry Stuckle <jstuck... (AT) attglobal (DOT) net> wrote:
Quote:
On 12/7/2011 10:37 PM, onedbguru wrote:
On Dec 7, 12:07 pm, The Natural Philosopher <t... (AT) invalid (DOT) invalid>
wrote:
Álvaro G. Vicario wrote:
On 07/12/2011 17:22, docanski wrote:
Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.

No, it isn't. That's the exact purpose of not storing it in clear.

Can't you simply set a new one?

http://dev.mysql.com/doc/refman/5.5/...-password.html

It's an interesting scenario.

Someone wants to 'recover' a password.

Why?

Either because its rightful owner can't get in, in which case a new
password is perfect, or because a wrongful owner can't get in...and doesn't
want to arouse the suspicions of the rightful owner.

BUT if one can see the database enough to get at the crypted passwords,
and reset them, one can of course get at any data in it.

Which leaves one final option.

The user who has got unauthorised read-only access to the encrypted user
database...and wants to hack into someone's account.

D.
One should NEVER be able to "recover" a password. You should only be
allowed to reset it, provided you can guarantee that the rightful owner
is the one doing the requesting and provide an interface that can
verify the rightful owner.

I have an acquaintance that requested his password from a particular
institution that will remain nameless. They sent him his original
password in clear text via email. He closed his account the next
day. If you have ANY forum blog accounts etc... that send you your
original password in clear text, you should immediately close those
accounts.

What do you expect - them to send you your password encrypted?

Forcing a person to change his password because he forgot it is very
user unfriendly. People will just go to another site rather than have
to go through the hassle of resetting their password. That equates to
lost business.

While I would agree it would be necessary for sites such as banks, I
don't think it is for a lot of sites.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck... (AT) attglobal (DOT) net
==================
It may be user-unfriendly to you but is still very stupid to store it
in ANY manner that can actually be deciphered on ANY site. Yes I DO
expect that the password be reset/changed in the manner I described.
Let's face it, most users use the same username AND password on all of
their sites. Let's say that database is compromised, which generally
could also infer that their decipher key could also be compromised.
Now that you have access to everyone's account, those same accounts
may show up on other "more interesting" sites. You truly must think
about security ALL the time on ANY site on EVERY network and EVERY
system. Crackers/Hackers really like the attitudes you just espoused.

-- CISSP.

#7 Jerry Stuckle - Re: member's password - 12-13-2011, 09:21 PM

On 12/13/2011 9:20 PM, onedbguru wrote:
Quote:
On Dec 8, 8:38 am, Jerry Stuckle <jstuck... (AT) attglobal (DOT) net> wrote:
On 12/7/2011 10:37 PM, onedbguru wrote:
On Dec 7, 12:07 pm, The Natural Philosopher <t... (AT) invalid (DOT) invalid>
wrote:
Álvaro G. Vicario wrote:
On 07/12/2011 17:22, docanski wrote:
Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.

No, it isn't. That's the exact purpose of not storing it in clear.

Can't you simply set a new one?

http://dev.mysql.com/doc/refman/5.5/...-password.html

It's an interesting scenario.

Someone wants to 'recover' a password.

Why?

Either because its rightful owner can't get in, in which case a new
password is perfect, or because a wrongful owner can't get in...and doesn't
want to arouse the suspicions of the rightful owner.

BUT if one can see the database enough to get at the crypted passwords,
and reset them, one can of course get at any data in it.

Which leaves one final option.

The user who has got unauthorised read-only access to the encrypted user
database...and wants to hack into someone's account.

D.
One should NEVER be able to "recover" a password. You should only be
allowed to reset it, provided you can guarantee that the rightful owner
is the one doing the requesting and provide an interface that can
verify the rightful owner.

I have an acquaintance that requested his password from a particular
institution that will remain nameless. They sent him his original
password in clear text via email. He closed his account the next
day. If you have ANY forum blog accounts etc... that send you your
original password in clear text, you should immediately close those
accounts.

What do you expect - them to send you your password encrypted?

Forcing a person to change his password because he forgot it is very
user unfriendly. People will just go to another site rather than have
to go through the hassle of resetting their password. That equates to
lost business.

While I would agree it would be necessary for sites such as banks, I
don't think it is for a lot of sites.

It may be user-unfriendly to you but is still very stupid to store it
in ANY manner that can actually be deciphered on ANY site. Yes I DO
expect that the password be reset/changed in the manner I described.
Let's face it, most users use the same username AND password on all of
their sites. Let's say that database is compromised, which generally
could also infer that their decipher key could also be compromised.
Now that you have access to everyone's account, those same accounts
may show up on other "more interesting" sites. You truly must think
about security ALL the time on ANY site on EVERY network and EVERY
system. Crackers/Hackers really like the attitudes you just espoused.

-- CISSP.
First of all, if someone uses the same password on multiple sites, that
isn't the site operator's problem.

Second, I'm not saying storing passwords so they can be decoded is
without risk. It isn't. However, if someone gets access to your
database and code, they can often also create a brute force attack to
break passwords. Very few sites which do hash passwords use very secure
algorithms, i.e. SHA256.

But my main contention is - maybe YOU don't mind generating a new
password. However, that is NOT true for the vast majority of people on
the internet. And unfriendly user interfaces mean lost sales - which is
directly related to lost income.

There are ways to store passwords so they can be decrypted, yet are
secure. I'm not going to go into them here because they are off-topic
in this newsgroup. But protection can be had.

And since this is off-topic, this is the last I'll say on this subject.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================

#8 onedbguru - Re: member's password - 12-14-2011, 07:06 PM

On Dec 13, 10:21 pm, Jerry Stuckle <jstuck... (AT) attglobal (DOT) net> wrote:
Quote:
On 12/13/2011 9:20 PM, onedbguru wrote:
On Dec 8, 8:38 am, Jerry Stuckle <jstuck... (AT) attglobal (DOT) net> wrote:
On 12/7/2011 10:37 PM, onedbguru wrote:
On Dec 7, 12:07 pm, The Natural Philosopher <t... (AT) invalid (DOT) invalid>
wrote:
Álvaro G. Vicario wrote:
On 07/12/2011 17:22, docanski wrote:
Sorry, my English is a real disaster. :-(
Is it possible to recover a password in the database?
I can only see a series of 40 letters and numbers but not the password in
clear.

No, it isn't. That's the exact purpose of not storing it in clear.

Can't you simply set a new one?

http://dev.mysql.com/doc/refman/5.5/...-password.html

It's an interesting scenario.

Someone wants to 'recover' a password.

Why?

Either because its rightful owner can't get in, in which case a new
password is perfect, or because a wrongful owner can't get in...and doesn't
want to arouse the suspicions of the rightful owner.

BUT if one can see the database enough to get at the crypted passwords,
and reset them, one can of course get at any data in it.

Which leaves one final option.

The user who has got unauthorised read-only access to the encrypted user
database...and wants to hack into someone's account.

D.
One should NEVER be able to "recover" a password. You should only be
allowed to reset it, provided you can guarantee that the rightful owner
is the one doing the requesting and provide an interface that can
verify the rightful owner.

I have an acquaintance that requested his password from a particular
institution that will remain nameless. They sent him his original
password in clear text via email. He closed his account the next
day. If you have ANY forum blog accounts etc... that send you your
original password in clear text, you should immediately close those
accounts.

What do you expect - them to send you your password encrypted?

Forcing a person to change his password because he forgot it is very
user unfriendly. People will just go to another site rather than have
to go through the hassle of resetting their password. That equates to
lost business.

While I would agree it would be necessary for sites such as banks, I
don't think it is for a lot of sites.

It may be user-unfriendly to you but is still very stupid to store it
in ANY manner that can actually be deciphered on ANY site. Yes I DO
expect that the password be reset/changed in the manner I described.
Let's face it, most users use the same username AND password on all of
their sites. Let's say that database is compromised, which generally
could also infer that their decipher key could also be compromised.
Now that you have access to everyone's account, those same accounts
may show up on other "more interesting" sites. You truly must think
about security ALL the time on ANY site on EVERY network and EVERY
system. Crackers/Hackers really like the attitudes you just espoused.

-- CISSP.

First of all, if someone uses the same password on multiple sites, that
isn't the site operator's problem.

Second, I'm not saying storing passwords so they can be decoded is
without risk. It isn't. However, if someone gets access to your
database and code, they can often also create a brute force attack to
break passwords. Very few sites which do hash passwords use very secure
algorithms, i.e. SHA256.

But my main contention is - maybe YOU don't mind generating a new
password. However, that is NOT true for the vast majority of people on
the internet. And unfriendly user interfaces mean lost sales - which is
directly related to lost income.
But, wouldn't you agree that at some point they would come to
appreciate the fact that they did not have other things hacked because
this compromised site did it right? In the case I stated above, they
DID lose business because they DID do it wrong and it cost them a LOT
of $$K.


Quote:
There are ways to store passwords so they can be decrypted, yet are
secure. *I'm not going to go into them here because they are off-topic
in this newsgroup. *But protection can be had.

And since this is off-topic, this is the last I'll say on this subject.

I do not consider the discussion of database and user security off-
topic. It is up to the DBA's and developers to START with security
both at the application and database layers to ensure both the
security of the user AND the system.

Quote:
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck... (AT) attglobal (DOT) net
==================
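One way to put into code the reset-not-recover flow that onedbguru argues for above, together with the salted, deliberately slow hash that answers Jerry's point about brute-forcing a leaked table (this is an added example, not code from any poster; the dict-as-row layout, the PBKDF2-HMAC-SHA256 choice and the token format are my assumptions):

```python
"""Added example (not from the thread or any poster): one-way password
storage plus a verified reset flow, as an alternative to 'recovering' a
password.  Assumptions are mine: a users row modelled as a dict, PBKDF2-
HMAC-SHA256 from the standard library as the slow salted hash, and a reset
token whose hash (never the token itself) is what the row stores."""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 600_000   # deliberately slow so offline guessing is costly
TOKEN_TTL = 15 * 60    # reset tokens expire after 15 minutes


def unsalted_sha1(password: str) -> str:
    """A 40-hex-character value like the one the OP sees is the size of a
    SHA-1 digest. Unsalted and fast, so equal passwords give equal rows."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant time


def issue_reset_token(user: dict) -> str:
    """Create a single-use token; only its hash is kept in the row.  The
    plain token goes to the user's registered address, proving ownership."""
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                     "expires": time.time() + TOKEN_TTL}
    return token


def complete_reset(user: dict, token: str, new_password: str,
                   now: float = 0.0) -> bool:
    """Accept the token once, before expiry, then replace the stored hash."""
    pending = user.get("reset")
    if not pending or (now or time.time()) > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    user["password"] = hash_password(new_password)
    user["reset"] = None                    # token is single use
    return True
```

Two rows holding the same password get different `hash_password` values but both verify, whereas `unsalted_sha1` gives identical values, which is what makes a leaked unsalted table easy to work on offline.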

#9 Brian Cryer - Re: member's password - 12-22-2011, 05:05 AM

"onedbguru" <onedbguru (AT) yahoo (DOT) com> wrote

Quote:
On Dec 13, 10:21 pm, Jerry Stuckle <jstuck... (AT) attglobal (DOT) net> wrote:
On 12/13/2011 9:20 PM, onedbguru wrote:
snip

There are ways to store passwords so they can be decrypted, yet are
secure. I'm not going to go into them here because they are off-topic
in this newsgroup. But protection can be had.

And since this is off-topic, this is the last I'll say on this subject.

I do not consider the discussion of database and user security off-
topic. It is up to the DBA's and developers to START with security
both at the application and database layers to ensure both the
security of the user AND the system.
You both have a point.

Firstly, Jerry is quite right when he says there are ways to store passwords
securely so they can be decrypted. The only wrong way to store them is as
plain text.

As for whether or not, when you lose your password, you want the website to
email you your current one or generate a new one, there are pros and cons of
both, so you are probably down to individual preferences and style. I'd tend
to side with Jerry on this one but do acknowledge that having your password
in a plain text email isn't very secure. One of the best sites I've seen in
this respect (IMO) is the (UK) government gateway - if you forget your
password and can answer some basic security questions then it displays half
of your existing password on screen and emails you the other half.
--
Brian Cryer
http://www.cryer.co.uk/brian
