crypt

Anon

I've recently been put in charge of a project
where I need to decrypt passwords stored in our database which are encrypted using the crypt() function.
And I'm confused. I was under the assumption that is no way to decrypt the passwords, as crypt uses a one time algorithm.

But, I've been told that there is a way to decrypt the passwords as the person who previously worked on the project was able to do so (who's no loger with us). This would seem true, as the code below seems to produce the same result everytime the same input string is used.

Here is the code used to encrypt the password.

$pass = substr (crypt (substr (crypt ($user_password, "9z"), 2), "9z"), 2);

If I entered in $user_password="testing";

it will result in $pass = 8h0rX7tYMVQ everytime the script is executed.

Can anyone help me work out an algorithm to do decrypt the passwords.

Thanks.

Anon

You are correct. crypt() does use an one-time algorithm. What you will need to do is when an user enters in a password, you compare the crypted passwords. That is what I have been told by others and it should work with most all needs. Let me know how that will work for you.

Anon

It's not possible to decrypt a crypted string - that's the whole point of crypt(). It generates a random-looking string based on a string input - but it's not random at all. crypt($some_string) will always return the same value (provided that $some_string is the same each time).

The only use I've seen for crypt() is to store passwords as crypted strings. That way, the real password can never be retrieved from the database, but when a user enters a password it's simple enough to check against the database.

-Keegan

Anon

Have you read <i>Surely You're Joking, Mr. Feinman</i> or are otherwise aware of Feinman's safe-cracking activities when he was at Los Alamos? The relevance is, your dearly-departed password cracker may have done so more in myth than in actuality.

Yes, there is no way to decrypt the crypted passwords; you have to mount a cryptographic attach, which is quite another matter.

Anon

You COULD decrypt (rather, crack) the password. Just a matter of time and computing resources using software like md5crack or John the ripper. It\'s getting more pratical to crack a DES/MD5 password within hours/days with distributed attacks.
Also, mcrypt library gives you 2-way encrypt and decrypt the password.