I have a database with roughly 4,000 members. I need to decrypt all their passwords so that I may re-encrypt them using MD5 and put into a new system. I have one account with before encryption and after encryption password strings so with this I assume I should be able to figure out a method and key range. I do not have access to the original source code or I would not be here.
I should mention that existing passwords vary dramatically.
User1 – qwDyP1db9iOPI
User2 – $1$.WXtDyLg$yxBPAWxzd.srEWJZfqZAY/
User3 – do8sLMoVVqxKQ
User4 – TKmnAlPe
How do I approach such a problem?
Typically, you can’t decrypt the passwords, because the passwords are not stored. What you are seeing is hashes of the password – there’s no efficient way to find a password that matches a particular hash.
You can either force everyone to change their password once you have the configuration changed to use MD5 hashing, or you can generate new temporary passwords for everyone to get all the hashes replaced at once, but then they should all change them again anyway.
Those look like they probably came from Linux (the one that starts with $1$ is already an MD5 hash, the others look like the older
crypt()DES variant style).That’s not always the case when dealing with application passwords – for example, some databases use considerably weaker credential storage – but Unix/Linux flavors have not stored actual passwords for a very long time, if ever.