Planetarion Forums


Lockhead 25 Aug 2005 10:11

How can this be? Change your passes...
 
Hi

I just noticed something......that really SHOULDN'T be done.

Why is my PA password NOT encrypted in the database?

That's a NO NO NO in Coding..........................................

an angry Lockhead

wakey 25 Aug 2005 10:37

Re: How can this be? Change your passes...
 
And you know it's not encrypted how?

Lockhead 25 Aug 2005 10:49

Re: How can this be? Change your passes...
 
Use the "Email Password" feature...

You get your real pass back, not a new one.

md5 can't be de-encrypted.

Gio2k 25 Aug 2005 11:11

Re: How can this be? Change your passes...
 
Maybe they use a decryptable method. ;)
But most probably, you are right. Don't use your CC number as password :D

wakey 25 Aug 2005 11:19

Re: How can this be? Change your passes...
 
Quote:

Originally Posted by Lockhead
Use the "Email Password" feature...

You get your real pass back, not a new one.

md5 can't be de-encrypted.

Many sites allow you to retrieve your password, this doesn't mean they are stored unencrypted. Take Amazon for example, do you really think they take major risks with security when it's a simple solution, no they don't but guess what you can retrieve your password still.

md5 is not the only encryption algorithm out there and there are many out there that use key systems to allow for the information to be decrypted for those who have the right credentials.

oh and md5 can be decrypted btw, if it hasn't been cracked yet that doesn't mean it can't be because anything that's done to encrypt something can be reversed. Assuming that an encryption method is perfectly sound and secure is as much of a development no no as leaving the password field unencrypted

Heartless 25 Aug 2005 11:34

Re: How can this be? Change your passes...
 
Quote:

Originally Posted by wakey
oh and md5 can be decrypted btw, if it hasn't been cracked yet that doesn't mean it can't be because anything that's done to encrypt something can be reversed. Assuming that an encryption method is perfectly sound and secure is as much of a development no no as leaving the password field unencrypted

You cannot decrypt a hash. MD5 generates a 32-Byte hash out of any datastream, no matter how long it is.
You can find datastreams with identical hashes, though, that is called a collision attack. And MD5 is vulnerable to those.

Phil^ 25 Aug 2005 11:47

Re: How can this be? Change your passes...
 
there's a mysql Encrypt() function which can retrieve it, or there could be a separate algorithm to encode it.
I've not seen the code so I have no idea which is in effect, if any, but there are several ways it could be encrypted and still be retrievable

Ramihyn 25 Aug 2005 14:13

Re: How can this be? Change your passes...
 
It really hurts to read this large amount of misinformation :s

Hashing isn't encryption.

MD5 was considered weak in 1996 already and migration to SHA1 was advised for a decade.

Since at least 2004 there are several confirmed efficient attacks on MD5 and it is considered "broken" nowadays. (See the papers of Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu).

MD5 does NOT generate a 32-Byte sum but a 128-bit sum.

Nobody "de-crypts" passwords unless they are ... "without any clue".

The SQL encrypt() function uses the unix "crypt" system call. Read the corresponding man-page why it's a bad idea to use the crypt() system call (Hint: it's a salt-based DES implementation as used in traditional unix password encryption). Nevertheless it is not _THAT_ weak that you can "decrypt" it (in a practical timely way by software only) - not even mysql ;)

Oh and the general opinion that "if it has been done by a human - it can be broken by a human" which wakey hinted at - you may want to check out "quantenkryptographie". (none of my translators know the English word for it - but if you are really interested, I will look up some English articles about it - basically it revolves around heisenbergs unschärfetheorie and its limitations - ofc. you can argue that even "law of nature" is only a temporary scientific viewpoint).

The ability to recover a password may not have to do anything with how a password is stored in the database used for account verification anyway.

kaos 25 Aug 2005 14:55

Re: How can this be? Change your passes...
 
everybody but Ramihyn should go back to school and read something about cryptography ;)
but i don't really think md5 is THAT weak (for those cryptographers everything which is faster than brute force makes an algorithm weak in their eyes ... but i think we'll have 128 bit quantum computers before a home pc can crack an md5 hash in a reasonable time)

wakey: amazon doesn't send you your current password, they send you an email with a link to a site where you can change your password, there is no way to retrieve your current password

Ramihyn: i think the (naive ?) translation would be quantum cryptography (yields some results at google too, so can't be that far off ;) )

Lockhead: would you have expected anything reasonable from that absolutely non buggy (yay at input validation ...) r10 code where you could even make your ship's origin be a fake coord?
that's almost like thinking that angie would do any better than our current beloved "kanzler" ;)

edit: @ pateam: i don't really think i have to mention how ridiculous this is ...
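
Added example, not part of any post in this thread and not Planetarion's code: a sketch of the storage the thread is arguing about, with passwords kept only as salted one-way hashes and recovery done through a mailed one-time reset token, so there is nothing to "email back". The table layout, function names and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stand-ins for database tables (hypothetical schema).
USERS = {}         # username -> (salt, derived_key)
RESET_TOKENS = {}  # sha256(token) -> (username, expiry_epoch)

def _kdf(password, salt):
    # Salted, deliberately slow one-way derivation; there is no inverse to call.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(user, password):
    salt = secrets.token_bytes(16)          # fresh per-user salt
    USERS[user] = (salt, _kdf(password, salt))

def verify(user, password):
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(stored, _kdf(password, salt))

def request_reset(user, ttl=900, now=None):
    """Create a one-time token to mail as a link; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (user, now + ttl)
    return token

def redeem_reset(token, new_password, now=None):
    """Set a new password if the token is known and unexpired; single use."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True

def md5_sizes():
    """MD5 output size: (bits, hex characters when printed)."""
    h = hashlib.md5(b"input of any length")
    return h.digest_size * 8, len(h.hexdigest())
```

With this layout a database dump exposes salts and derived keys but no password or usable reset token, and a site that can mail the original password back is storing something reversible instead.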

Bashar 25 Aug 2005 18:37

Re: How can this be? Change your passes...
 
AFAIK passwords have never been encrypted in PA. What do you think the main method of multi-hunting has been over the rounds?

This is why my password to PA is different to my password to anything I actually care about.

xtothez 26 Aug 2005 03:14

Re: How can this be? Change your passes...
 
Quote:

Originally Posted by Bashar
This is why my password to PA is different to my password to anything I actually care about.

...and also why my login name is randomly selected each round.


All times are GMT +1. The time now is 09:08.
