Justs (posted June 13, 2011):

Hello, is there any way to make the users' (new & old) passwords plaintext? Thank you.

germ (posted June 13, 2011):

The passwords are "hashed" not "encrypted" so there is (for all practical purposes) no way to retrieve existing passwords. On a new shop you could theoretically remove the hash process. On an existing install everyone would lose their password if you were to implement plain text passwords.

But the whole idea (plain text passwords) just isn't a very good one at all. They're made the way they are to be "secure".

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

npn2531 (posted June 13, 2011):

If you need the password to simply access your customer's account, for example to sign on as that customer using their email, you can do that with the following contributions. They create a single master password that works for all customers.

http://addons.oscommerce.com/info/2180
http://addons.oscommerce.com/info/8023

Oscommerce site: OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120

Justs (posted June 13, 2011):

> The passwords are "hashed" not "encrypted" so there is (for all practical purposes) no way to retrieve existing passwords. On a new shop you could theoretically remove the hash process. On an existing install everyone would lose their password if you were to implement plain text passwords.
>
> But the whole idea (plain text passwords) just isn't a very good one at all. They're made the way they are to be "secure".

What about a way to change the user's password if he logs in or registers?

Justs (posted June 14, 2011):

I know for sure there's a way, because one PHP programmer said he will do it for $$, and I don't like to pay for free stuff. This is already a free and open-source project, and I am aware of the risk.

Guest (posted June 14, 2011):

Ben,

You could update Admin Change Password to work with v2.3.1

Chris

Justs (posted June 14, 2011):

> Ben,
>
> You could update Admin Change Password to work with v2.3.1
>
> Chris

I already know that addon, but I want the passwords to be plaintext, not md5 hashed at all.

burt (posted June 14, 2011):

Don't get "free" and "open source" mixed up. They have nothing to do with each other. If you found a programmer who can change the hashed passwords to their plain equivalent, he is worth a -lot- of cash. I say decrypting the hashed passwords is not possible unless you are the NSA.

Easy solution:

1. strip out the hashing input on account creation
2. strip out the hashing checks on login
3. strip out the hashing input on change of password

That's it. All new customers' passwords will go in as plaintext. All existing customers (prior to the change) will be required to use "password forgotten" when they next try to log in, as their hashed password will not match the login check input.

That's the extent of my input into this conversation, as making passwords plain text is asking for trouble (in my opinion).

Guest (posted June 14, 2011):

Ben,

As Jim originally posted, passwords are hashed to protect your customers' accounts. Removing the hashing would jeopardize the customers' personal information. I personally would NEVER create an account on a website that stated passwords are plain text and viewable to the store owner. IF you did remove the hashing you would be obligated to post that in your privacy policy, which would make your website unappealing to MANY potential customers.

Chris

Justs (posted June 14, 2011):

> Don't get "free" and "open source" mixed up. They have nothing to do with each other. If you found a programmer who can change the hashed passwords to their plain equivalent, he is worth a -lot- of cash. I say decrypting the hashed passwords is not possible unless you are the NSA.
>
> Easy solution:
>
> 1. strip out the hashing input on account creation
> 2. strip out the hashing checks on login
> 3. strip out the hashing input on change of password
>
> That's it. All new customers' passwords will go in as plaintext. All existing customers (prior to the change) will be required to use "password forgotten" when they next try to log in, as their hashed password will not match the login check input.
>
> That's the extent of my input into this conversation, as making passwords plain text is asking for trouble (in my opinion).

I'm not looking to crack their passwords, I'm just looking for a way to switch password_funcs.php off, not encrypting the password. And I am aware of the risk and what I'm doing.

germ (posted June 14, 2011):

> I'm not looking to crack their passwords, I'm just looking for a way to switch password_funcs.php off, not encrypting the password. And I am aware of the risk and what I'm doing.

Did you ever get the feeling you're not going to get a lot of help in accomplishing what you want? At least not publicly anyway. :unsure:

burt (posted June 14, 2011):

Ho hum, I said I wouldn't post anymore on this thread, but here I am :(

What part of this:

1. strip out the hashing input on account creation
2. strip out the hashing checks on login
3. strip out the hashing input on change of password

is difficult? You need to find that stuff and strip it out, which means making an effort to find it and knowing a tiny bit of PHP to make it happen.

Or did you want someone to do that for you? If so, someone might. They might also do your washing up.

NodsDorf (posted June 14, 2011):

Usually if you ask for ways to circumvent security you are throwing up a red flag to me. While that may not be your intention, without stating exactly what the purpose of your request is there is little desire to help you.

Now if you have a legitimate reason for having your passwords as plain text, like, let's say, you want to be able to tell a user what their password is, then there are suggestions we can make to accomplish the same thing without compromising your website's security and IN MY OPINION integrity.

That example, however, is already answered above with using a master password. This would allow you to log in to the customer's account, change their password and tell them what you changed it to.

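The point germ and NodsDorf make above, as an added example that is not part of the original thread and is not osCommerce's own code: the store keeps only a one-way hash, login re-hashes the submitted password and compares, and support helps a locked-out customer by issuing a new password rather than reading the old one. The function names and the in-memory `$customers` array are hypothetical, and the sketch uses PHP's built-in `password_hash()` / `password_verify()` instead of the scheme in password_funcs.php.

```php
<?php
// Added example: hypothetical function names, constructed sample data.
// In-memory stand-in for the customers table; only a hash is ever stored.
$customers = [];

function register_customer(array &$customers, string $email, string $plain): void
{
    // password_hash() generates a random salt and embeds it in the result.
    $customers[$email] = ['password_hash' => password_hash($plain, PASSWORD_DEFAULT)];
}

function check_login(array $customers, string $email, string $plain): bool
{
    if (!isset($customers[$email])) {
        return false;
    }
    // Verification recomputes the hash from the submitted password and
    // compares it with the stored one; the stored value is never decoded.
    return password_verify($plain, $customers[$email]['password_hash']);
}

function support_reset(array &$customers, string $email): ?string
{
    if (!isset($customers[$email])) {
        return null;
    }
    // Support cannot read the old password, so it issues a new random one.
    $temporary = bin2hex(random_bytes(8));
    $customers[$email]['password_hash'] = password_hash($temporary, PASSWORD_DEFAULT);
    return $temporary; // handed to the customer once; they should change it
}

// Constructed walk-through: register, log in, reset, log in again.
register_customer($customers, 'alice@example.com', 'correct horse battery');
var_dump(check_login($customers, 'alice@example.com', 'correct horse battery'));
var_dump(check_login($customers, 'alice@example.com', 'wrong guess'));

$temporary = support_reset($customers, 'alice@example.com');
var_dump(check_login($customers, 'alice@example.com', 'correct horse battery'));
var_dump(check_login($customers, 'alice@example.com', $temporary));

// The stored record does not contain the password in any readable form.
var_dump(strpos($customers['alice@example.com']['password_hash'], $temporary) === false);
```
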
Archived
This topic is now archived and is closed to further replies.