Years ago, I downloaded a php based forum and later did a db dump of the members, data etc and let the forum lapse. I no longer have the php.
I’m now trying to resurrect the data from the dump, but can’t work out how the passwords were hashed. My guess was md5 (the only one I’ve used under php) but that doesn’t work on the only pw that I know.
testPw is stored as v41nfXS65PI2w
But the md5 hash of testPw is a8b6d2a13adfc99d86dc11ac5c507692
I also tried sha1(testPw) which gave me: 7d84db30b30c1bf3b947e8c78e79821342d81ee9
Can anyone suggest what was used to get v41nfXS65PI2w from testPw ?
I only want to go from the pw to the hash, so I can check login credentials, I’m not trying to go from hash to pw!
Thanks,
Thanks
If it is using a salt and only saving the first 13 characters then either MD5 or SHA1 could be being used to create that hash.
If it is using a salt then you are not going to get anywhere with the hashes unless you know what the salt is as without it there will be no way to match the password to the hash.
Was it an open source script or was it one that you had customised specifically for your use? If the former then looking at what options the current version of the script has may provide clues since it would probably still support the option you used. If it was a custom script then you might try contacting whoever wrote it for you.
Did you try MD4 - I think it produces a shorter hash than MD5.
Thanks Steven, for taking the time, I’ve noticed over the years that you are consistently helpful!
Well, if I try
$MD4hash=md4(testPw);
echo "<br>The MD4 hash is: ".$MD4hash;
I’m told: Fatal error: Call to undefined function md4() in /media/sharedNTFS/htdocs/testHash.php on line 9
but if I do: print_r(hash_algos()); I’m told:
Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha256 [5] => sha384 [6] => sha512 [7] => ripemd128 [8] => ripemd160 [9] => ripemd256 [10] => ripemd320 [11] => whirlpool [12] => tiger128,3 [13] => tiger160,3 [14] => tiger192,3 [15] => tiger128,4 [16] => tiger160,4 [17] => tiger192,4 [18] => snefru [19] => gost [20] => adler32 [21] => crc32 [22] => crc32b [23] => haval128,3 [24] => haval160,3 [25] => haval192,3 [26] => haval224,3 [27] => haval256,3 [28] => haval128,4 [29] => haval160,4 [30] => haval192,4 [31] => haval224,4 [32] => haval256,4 [33] => haval128,5 [34] => haval160,5 [35] => haval192,5 [36] => haval224,5 [37] => haval256,5 )
So md4() should be available… Why not is more of a PHP question than a web security question though…
I suspect that there probably was a salt used, I don’t even recall what forum it was, might actually have been perl based back then…:mad:
That list is supposed to work with the hash() function: PHP: hash - Manual
So, you use something like:
hash(‘md4’,‘mypass’);
Aaaah… Thanks…
But… sha1() and md5() don’t…?
They are the most commonly used ones so a shorter way to access them is provided.