L2JDB: table ACCOUNTS: field PASSWORD

[rehtafdog]

L2J Revision Number:2939
L2JDP Revision Number:5984

does anybody know wich algorithm(s) is(are) used to encrypt passwords in db?

[janiii]

Code: Select all

base64_encode(pack('H*', sha1($pwd)))

[rehtafdog]

Code: Select all

base64_encode(pack('H*', sha1($pwd)))

so... what would the inverse function be for that?... cant find anything about sha1() func

[Reimu]

Code: Select all

<?phpfunction l2j_encrypt ($pass){    return base64_encode(pack("H*", sha1(utf8_encode($pass))));}?>

[momo61]

would be good to know how to see the pw

[Reimu]

To hack sha1 u must compute 2^64 operations ) Over 5 000 000 000 yers of calculations :D

[rehtafdog]

To hack sha1 u must compute 2^64 operations ) Over 5 000 000 000 yers of calculations

so by the time it's been hacked would be obsolet...
not imposible ... but worthless to try

[Vapulabe]

Yes, that's why hashing algorithms are used... They provide a way to check the password but no way to recover it. Same system is used in forums (sometimes SHA, sometimes MD5), that's why you can't recover the password but only change it...

MD5 has been successfully attacked. That don't mean that it has become worthless, attacking it still require lots of computer power, but you can't use it anymore for critical tasks.

By the way, hashing algorithms lose information, which means that several messages may lead to the same digest. The attack agains these algorithms are twofold : creating two messages with the same digest or creating a new message with a given digest. The first problem is easier to solve using the "anniversary attack". In short, take 50 people, you've more than 90% chance that two people have the same anniversary (although there are 365 days in a year). The second problem is more tricky as you've to do more computation before you can get a valid answer.

[ThePhoenixBird]

You may use a Quantic Computer to try to hack it in 10 mins or so.

[MELERIX]

or: http://www.freerainbowtables.com/

[Reimu]

With dictionary of commonly used stupid user passwords in can take 1 sec or so )

[lhw]

You can use unpack() and base64_decode in php to get the raw sha1 hash again though as mentioned before it would take a hell lot of proccessing power to get the plain password again, as you have to check for collisions.

Some years ago sha1 has been broken (http://www.schneier.com/blog/archives/2 ... roken.html). Today it would still take a large budget to calculate the hashes though.