
L2JDB: table ACCOUNTS: field PASSWORD

Posted: Wed Apr 29, 2009 8:02 pm
by rehtafdog
L2J Revision Number:2939
L2JDP Revision Number:5984

Does anybody know which algorithm(s) is (are) used to encrypt passwords in the db? :x

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Wed Apr 29, 2009 8:09 pm
by janiii

Code:

base64_encode(pack('H*', sha1($pwd)))

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Wed Apr 29, 2009 9:26 pm
by rehtafdog
janiii wrote:

Code:

base64_encode(pack('H*', sha1($pwd)))

so... what would the inverse function be for that?... can't find anything about sha1() func :oops:

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Wed Apr 29, 2009 9:29 pm
by Reimu

Code:

<?php
// Returns the value stored in accounts.password: Base64 of the raw SHA-1 digest.
function l2j_encrypt($pass)
{
    return base64_encode(pack("H*", sha1(utf8_encode($pass))));
}
?>

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Wed Apr 29, 2009 10:22 pm
by momo61
would be good to know how to see the pw :P

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Wed Apr 29, 2009 10:27 pm
by Reimu
To hack sha1 you must compute 2^64 operations ) Over 5 000 000 000 years of calculations :D

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Sun May 03, 2009 8:13 am
by rehtafdog
Reimu wrote: To hack sha1 you must compute 2^64 operations ) Over 5 000 000 000 years of calculations :D

so by the time it's been hacked it would be obsolete... :(
not impossible ... but worthless to try
:x :x :x :x

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Sun May 03, 2009 9:04 am
by Vapulabe
Yes, that's why hashing algorithms are used... They provide a way to check the password but no way to recover it. Same system is used in forums (sometimes SHA, sometimes MD5), that's why you can't recover the password but only change it...

MD5 has been successfully attacked. That doesn't mean that it has become worthless, attacking it still requires lots of computer power, but you can't use it anymore for critical tasks.

By the way, hashing algorithms lose information, which means that several messages may lead to the same digest. The attacks against these algorithms are twofold: creating two messages with the same digest or creating a new message with a given digest. The first problem is easier to solve using the "anniversary attack". In short, take 50 people, you've more than 90% chance that two people have the same anniversary (although there are 365 days in a year). The second problem is more tricky as you've to do more computation before you can get a valid answer.

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Sun May 03, 2009 8:44 pm
by ThePhoenixBird
You may use a Quantic Computer to try to hack it in 10 mins or so.

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Sun May 03, 2009 9:06 pm
by MELERIX

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Mon May 04, 2009 12:27 am
by Reimu
With a dictionary of commonly used stupid user passwords it can take 1 sec or so )

Re: L2JDB: table ACCOUNTS: field PASSWORD

Posted: Tue May 05, 2009 1:10 pm
by lhw
You can use unpack() and base64_decode in php to get the raw sha1 hash again, though as mentioned before it would take a hell of a lot of processing power to get the plain password again, as you have to check for collisions.

Some years ago sha1 was broken (http://www.schneier.com/blog/archives/2 ... roken.html). Today it would still take a large budget to calculate the hashes though.
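
Added example, not part of any post in this thread and not L2J code: a Python version of the stored format quoted above (Base64 of the raw SHA-1 digest), showing that decoding the field yields only the digest and that a login check re-hashes and compares. The `kdf_*` functions are a hypothetical comparison scheme with an assumed iteration count, included to show what a per-account salt changes; all sample values are constructed.

```python
import base64
import hashlib
import hmac
import os

def l2j_encode(password: str) -> str:
    # Same steps as base64_encode(pack('H*', sha1($pwd))): Base64 of the 20 raw digest bytes.
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def l2j_decode(stored: str) -> str:
    # Reverses only the Base64 layer; the result is the hex SHA-1 digest, not the password.
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != hashlib.sha1().digest_size:
        raise ValueError("stored value is not a Base64-encoded SHA-1 digest")
    return raw.hex()

def l2j_verify(candidate: str, stored: str) -> bool:
    # A login check hashes the candidate and compares; nothing is ever decrypted.
    return hmac.compare_digest(l2j_encode(candidate), stored)

def kdf_hash(password: str, salt: bytes = None, iterations: int = 600_000):
    # Comparison scheme (assumption, not L2J's): random per-account salt + PBKDF2-HMAC-SHA256.
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key

def kdf_verify(candidate: str, record) -> bool:
    salt, iterations, key = record
    return hmac.compare_digest(kdf_hash(candidate, salt, iterations)[2], key)

if __name__ == "__main__":
    stored = l2j_encode("password")            # constructed sample account value
    print("stored field :", stored)
    print("decoded field:", l2j_decode(stored))
    print("verify ok/bad:", l2j_verify("password", stored), l2j_verify("Password", stored))
    # Unsalted: two accounts with the same password carry the same stored value.
    print("same value   :", l2j_encode("password") == stored)
    # Salted: the same password gives a different record for every account.
    a, b = kdf_hash("password"), kdf_hash("password")
    print("salted differ:", a[2] != b[2], "| both verify:", kdf_verify("password", a))
```

Because the unsalted value depends only on the password, identical passwords are visible as identical rows in the accounts table, which is what the salted record avoids.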