password recovery

[javaprogrammer]

hi people,

I will make use of the mysql database from yabb se for verify of use of applications on my server. The problem is that te passwords in the db_members table are encrypted..is there a possibility to decrypt the passwords ??

information about that project:
I am creating a gameserver for school this server will make use of the database to verify users and passwords. if the are matching the user can login

[John R]

sorry, but encryption is a one-way street and not reverseable.  The way YaBB SE handles this is to assign a new password.

cheers............

[Mach8]

If you want your site to share users with the forum, then just use the same login/logout functions found in the appropriate file within the Sources directory. If you want to be able to see what the passwords are then you'll have to remove any routines from YaBB SE that encrypt the passwords, then reset everyone's password.

[David]

And the encryption method is

Code Select Expand

$encryptedpass = crypt($passwrd, substr($passwrd, 0, 2));


[WedgeAntilles250]

I thought the password encryption was based on MD5.

[Mike Bobbitt]

This doesn't appear to be true in 1.5.3... There are references to a "double MD5" hashing scheme there.

I have a photo gallery script that used to work with YaBB SE passwords, but now doesn't. I'd love to see an explaination of how passwords are hashed, so I can replicate that in my Perl album.

I've seen the md5_hmac routine in Load.php, which looks like it's doing proper Hashed Message Authentication Code processing, and I've seen that the seed is either $user (lower case) or "ys". But I'm not sure a) if md5_hmac is called multiple times (see double MD5 reference above) or b) what the seed is when called (when is it $user and when is it 'ys'? and what is $user set to?).

I've done some tinkering (http://perl.bobbitt.ca/test/md5.php) but can't regen the hashed password stored in the YaBB SE database.

Anyone have any hints?

I'd be glad to post Perl code once this is figured out.

Thanks

[David]

Take a look at this.
http://www.yabbse.org/community/attachments/irc_auth.txt

[Mike Bobbitt]

Thanks, that looks like the info I needed!

Cheers

[Mike Bobbitt]

As promised, here's the Perl code for anyone who's interested:

Code Select Expand

# YaBB SE "double" MD5 HMAC
# Check to see if we can load the package
eval
{
   use Digest::HMAC_MD5  qw(hmac_md5_hex);
};

# If not, throw a warning
if ($@)
{
   print "Could not import Digest::HMAC_MD5 (hmac_md5_hex) ($@). Continuing anyway...<br />";
}

eval { $passcheck=hmac_md5_hex($storedpass,$::username); };

print "--> Trying hmac_md5_hex hashed cookie password: $passcheck (key: $storedpass - $::username).";
if ($passcheck eq $mypassword)
{
   print "--> It's a match!";
   return($passcheck);
}
else
{
   print "--> Does not match, I give up!!";
}


Now for my next trick, I want to use YaBB SE cookies. I can see a large blob that looks like a hashed password, but am not sure how *that* gets generated. I'm guessing it's some sort of a hash of the hash stored in the DB...

Anyone have an idea on that?

Thanks!