mani313 Posted September 16, 2013

Hi there, I want to search for customers whose password has less than six characters. So I need to decrypt their password, right? Is it possible? Thanks in advance.

Dh42 Posted September 16, 2013

Not easily, no. Not ethically either. I wouldn't worry about it personally.

mani313 (Author) Posted September 16, 2013

But it's encrypted with an md5 hash, right? Can't we get the pass string? Or any other solution for my question? Filter customers who have less than six digit password.

Dh42 Posted September 16, 2013

It is encrypted by a salted md5 hash. I think you are missing the point. If a store ever did that to me, I would never buy a product from them again. You are un-encrypting their passwords which they more than likely use for other services.

vekia Posted September 16, 2013

It is possible, but... it's not easy (read: md5 is now broken!). In PrestaShop it is almost impossible to easily decrypt passwords, mainly because passwords are hashed with salt.

parsifal Posted September 16, 2013 (edited)

mani313, what you're asking is practically unfeasible.

Hash functions/algorithms like MD5 produce a fixed length output, regardless of the input's length. In other words, the length of a hashed password string gives no indication of the length of the original password string. Not to mention the "lossy" factor (original input data is lost).

These kinds of checks should be done before a password is created or updated in the database, not after. Ideally, with a combination of some appropriate client-side JS scripts and server-side PHP scripts.

Edited September 16, 2013 by parsifal

mani313 (Author) Posted September 16, 2013 (edited)

> It is encrypted by a salted md5 hash. I think you are missing the point. If a store ever did that to me, I would never buy a product from them again. You are un-encrypting their passwords which they more than likely use for other services.

Yes, of course! The actual need for decrypting is to strengthen the security. We want to make sure all customers have a six digit password, so we should send an alert to them to secure their password (only those who have less than six digits). So how do I get this resolved? Thanks in advance.

Edited September 16, 2013 by mani313

parsifal Posted September 16, 2013 (edited)

The only practical way I see is:

1. Enforce a password min. length prerequisite from now on (at the end of my previous post, I hinted at this)
2. Send a message to all your existing customers about the need to update their password, if they have one that does not meet the prerequisite

If you don't mind a more aggressive approach, you could additionally require a password change upon next login for all customers with passwords that don't meet the min. length.

Edited September 16, 2013 by parsifal

mani313 (Author) Posted September 16, 2013

> The only practical way I see is:
> 1. Enforce a password min. length prerequisite from now on (at the end of my previous post, I hinted at this)
> 2. Send a message to all your existing customers about the need to update their password, if they have one that does not meet the prerequisite
>
> If you don't mind a more aggressive approach, you could additionally require a password change upon next login for all customers with passwords that don't meet the min. length.

Okay, thanks parsifal. The last suggestion is good for me. Is it possible to check the length of the successful password (i.e., the correctly entered password) before or after login? Thanks in advance.

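
The login-time check raised in the last two posts, as an added example that is not part of the original thread and is not PrestaShop code: the stored salted MD5 value is always 32 hex characters, so the minimum length can only be tested while the submitted plaintext is in memory, right after it has been verified. The function names, the salt and the sample customers are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration, not PrestaShop code. Every name and value here is hypothetical.
const MIN_PASSWORD_LENGTH = 6;                // the policy discussed in the thread
const SHOP_SALT = 'constructed-example-salt'; // constructed stand-in for the shop's salt

// Salted MD5, used only to mirror the storage format the thread describes.
function legacy_hash(string $password): string
{
    return md5(SHOP_SALT . $password);
}

// Verify a login; on success, report whether the password is below the minimum.
// Only the boolean leaves this function: the plaintext and its length are
// never stored or logged.
function check_login(array $customer, string $submitted): array
{
    if (!hash_equals($customer['passwd'], legacy_hash($submitted))) {
        return ['authenticated' => false, 'must_change' => false];
    }
    // Count characters; fall back to bytes when mbstring is not loaded.
    $len = function_exists('mb_strlen') ? mb_strlen($submitted, 'UTF-8') : strlen($submitted);
    return ['authenticated' => true, 'must_change' => $len < MIN_PASSWORD_LENGTH];
}

// Constructed sample customers.
$customers = [
    'short@example.com' => ['passwd' => legacy_hash('abc12')],
    'long@example.com'  => ['passwd' => legacy_hash('correct horse battery staple')],
];

// The stored value is 32 hex characters for both, so it says nothing about length.
foreach ($customers as $email => $row) {
    printf("%-18s stored hash length: %d\n", $email, strlen($row['passwd']));
}

// At login the submitted plaintext is available, so the policy can be checked.
$attempts = [
    ['short@example.com', 'abc12'],
    ['long@example.com', 'correct horse battery staple'],
    ['long@example.com', 'wrong'],
];
foreach ($attempts as [$email, $password]) {
    $result = check_login($customers[$email], $password);
    printf("%-18s authenticated=%s must_change=%s\n", $email,
        var_export($result['authenticated'], true), var_export($result['must_change'], true));
}
```

A `must_change` result of true is the point at which the shop would redirect the customer to the forced password change described above; a failed login never reveals anything about length.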