The developer who created a platform my company uses is no longer working for us and I don\'t know how I can retrieve the passwords from a custom PHP application
Wh
You can't decrypt password in mysql, because password is hashed by using md5 hash algorithm, which is not an encoding algorithm.
With luck, if the original developer was any good, you will not be able to get the plain text out. I say "luck" otherwise you probably have an insecure system.
For the admin passwords, as you have the code, you should be able to create hashed passwords from a known plain text such that you can take control of the application. Follow the algorithm used by the original developer.
If they were not salted and hashed, then make sure you do apply this as 'best practice'
Simply best way from linux server
sudo mysql --defaults-file=/etc/mysql/debian.cnf -e 'use mysql;UPDATE user SET password=PASSWORD("snippetbucket-technologies") WHERE user="root";FLUSH PRIVILEGES;'
This way work for any linux server, I had 100% sure on Debian and Ubuntu you win.
If a proper encryption method was used, it's not going to be possible to easily retrieve them.
Just reset them with new passwords.
Edit: The string looks like it is using PASSWORD():
UPDATE user SET password = PASSWORD("newpassword");
How can I decrypt MySQL passwords
You can't really because they are hashed and not encrypted.
Here's the essence of the PASSWORD
function that current MySQL uses. You can execute it from the sql terminal:
mysql> SELECT SHA1(UNHEX(SHA1("password")));
+------------------------------------------+
| SHA1(UNHEX(SHA1("password"))) |
+------------------------------------------+
| 2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+------------------------------------------+
1 row in set (0.00 sec)
How can I change or retrieve these?
If you are having trouble logging in on a debian or ubuntu system, first try this (thanks to tohuwawohu at https://askubuntu.com/questions/120718/cant-log-to-mysql):
$ sudo cat /etc/mysql/debian.conf | grep -i password
...
password: QWERTY12345...
Then, log in with the debian maintenance user:
$ mysql -u debian-sys-maint -p
password:
Finally, change the user's password:
mysql> UPDATE mysql.user SET Password=PASSWORD('new password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit;
When I look in the PHPmyAdmin the passwords are encrypted
Related, if you need to dump the user database for the relevant information, try:
mysql> SELECT User,Host,Password FROM mysql.user;
+------------------+-----------+----------------------+
| User | Host | Password |
+------------------+-----------+----------------------+
| root | localhost | *0123456789ABCDEF... |
| root | 127.0.0.1 | *0123456789ABCDEF... |
| root | ::1 | *0123456789ABCDEF... |
| debian-sys-maint | localhost | *ABCDEF0123456789... |
+------------------+-----------+----------------------+
And yes, those passwords are NOT salted. So an attacker can prebuild the tables and apply them to all MySQL installations. In addition, the adversary can learn which users have the same passwords.
Needles to say, the folks at mySQL are not following best practices. John Steven did an excellent paper on Password Storage Best Practice at OWASP's Password Storage Cheat Sheet. In fairness to the MySQL folks, they may be doing it because of pain points in the architecture, design or implementation (I simply don't know).
If you use the PASSWORD
and UPDATE
commands and the change does not work, then see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html. Even though the page is named "resetting permissions", its really about how to change a password. (Its befuddling the MySQL password change procedure is so broken that you have to jump through the hoops, but it is what it is).
Hashing is a one-way process but using a password-list you can regenerate the hashes and compare to the stored hash to 'crack' the password.
This site https://crackstation.net/ attempts to do this for you - run through passwords lists and tell you the cleartext password based on your hash.