Forum OpenACS Q&A: Decode passwords

Posted by Denis Roy on
Is there a way to decode passwords which are stored ns_sha1-encrypted in the database?

I want to create IMAP mailboxes for users with the same password as in OACS but this seems to be difficult without being able to decode the password.

Unfortunately, I guess this is exactly the reason why the password gets encrypted in the first place but maybe there is a way around it.

2: Re: Decode passwords (response to 1)
Posted by David Cotter on
I think sha1 is a one-way hash function, so there's no way to get the original from the hash.
3: Re: Decode passwords (response to 1)
Posted by russ m on

the "password" stored in the database is a sha-1 ("Secure Hash Algorithm") hash of the actual password and a random token... if you're able to reverse that hash there's probably a very nicely paying job waiting for you at the NSA... :)

this is one of the things I don't like about the "all passwords are encrypted in the database" approach - there are authentication schemes that require the server to know the plaintext password, and we're not able to use any of them... I've been meaning to put together a patch to make "encrypt passwords in the database" a configurable parameter for the site like it used to be in the ACS-3 days... in my copious free time... :)

In the meantime, one way of handling your need here is to require users to enter their password to "enable" the IMAP mailbox - check the password against the DB, and if it's right then store the plaintext they entered somewhere for IMAP authentication... you'll also need to patch ad_change_password to keep your plaintext in sync with the encrypted ones when users change their passwords...

cheers

russell

4: Re: Decode passwords (response to 1)
Posted by Oscar Bonilla on
If you just want your users to have the same password in OpenACS and in IMAP and not have them automatically log in from OpenACS to IMAP, you can just use the SHA-encoded password with an IMAP that supports SHA-encoded passwords.

For instance, I keep the encrypted password in the database and when a user changes a password the encrypted password is copied to an LDAP server which is used by IMAP to authenticate. Thus, the user has the same password in the email server and in OpenACS.

Regards,

-Oscar
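The scheme russ and Oscar describe, as an added example (not code from this thread or from OpenACS itself), written in Python rather than Tcl: the stored record is the SHA-1 of the password plus a random token, a login is verified by re-hashing the candidate against that record, and the same record can be re-encoded as an {SSHA} value for an LDAP server that the IMAP server authenticates against, so the plaintext is never needed. The password-then-salt concatenation order, the uppercase hex digest and the salt length are assumptions made to mirror ns_sha1 usage, not verified OpenACS behaviour.

```python
import base64
import hashlib
import hmac
import secrets

SALT_LEN = 16  # bytes of randomness for a new salt; constructed value, not OpenACS's


def enroll(password, salt=None):
    """Build the stored record: hex SHA-1 of password||salt plus the random salt.

    The concatenation order (password first, then salt) and the uppercase hex
    digest are assumed to mirror ns_sha1 usage; both are assumptions here.
    """
    if salt is None:
        salt = secrets.token_hex(SALT_LEN)  # the "random token" from the thread
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest().upper()
    return {"password_hash": digest, "salt": salt}


def check_password(record, candidate):
    """Verify a login attempt without ever recovering the original password."""
    digest = hashlib.sha1((candidate + record["salt"]).encode("utf-8")).hexdigest().upper()
    # constant-time comparison so a wrong guess does not leak how many bytes matched
    return hmac.compare_digest(digest, record["password_hash"])


def to_ldap_ssha(record):
    """Re-encode the stored record as an OpenLDAP-style {SSHA} userPassword value.

    {SSHA} is base64(sha1(password || salt) || salt), so the hash and salt already
    in the database are enough; nothing has to be decoded.
    """
    raw = bytes.fromhex(record["password_hash"]) + record["salt"].encode("utf-8")
    return "{SSHA}" + base64.b64encode(raw).decode("ascii")


def ldap_ssha_verify(value, candidate):
    """What the LDAP side does on bind: split off the 20-byte digest, re-hash, compare."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    actual = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, digest)


if __name__ == "__main__":
    rec = enroll("correct horse")  # constructed sample password
    print(check_password(rec, "correct horse"), check_password(rec, "wrong"))
    print(ldap_ssha_verify(to_ldap_ssha(rec), "correct horse"))
```

Single-round salted SHA-1 is what this era of OpenACS used; a current deployment would store a slow password hash instead, which changes the digest step but not the verify-by-rehashing shape shown here.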