WordPress.org

Forums

Username/password retrival (18 posts)

  1. kristen252
    Member
    Posted 9 years ago #

    I installed WordPress on my website and posted twice, but now that I want to post again I can't find or remember what username/password combination I used. Is there any way of finding this out? I tried the lost password option, but because I don't know what email address or login I used, it's not helping.

    If someone could help me out with this, it would be appreciated. Thank you.

  2. kristen252
    Member
    Posted 9 years ago #


  3. jalenack
    Member
    Posted 9 years ago #

    The passwords are double hashed, so its more or less impossible to figure out what they are.

    Using something like phpMyAdmin, you can change the passwords, have a look at Podz's tutorial:

    http://www.tamba2.org.uk/wordpress/phpmyadmin/

  4. John
    Member
    Posted 9 years ago #

    Use this to decode the harsh.

    http://gdataonline.com/seekhash.php

  5. Beel
    Member
    Posted 9 years ago #

    Thanks for that link! I woke up this morning and could not log in to one of my sites and the password retrieval system, though seemingly working, did not.

    I got the initial e-mail with the link to reset the password, clicked on it and got "Your new password is in the mail." but it never came and the password in the database was unchanged. In the meantime I, as admin, got an e-mail stating "Password Lost and Changed for user: " but with no username.

    I could not decipher the hash for the password from the link above, so I used the hash from another database and it worked fine.

    Don't know how it got trashed initially, but that was my workaround. Has anyone had the retrieval system work for them?

  6. Use this to decode the harsh.

    http://gdataonline.com/seekhash.php

    That script isn't gonna work.

    MD5 is one way, http://www.faqs.org/rfcs/rfc1321 , so the ONLY way to reverse a MD5 hash is to hard crack it by guessing, i.e. hashing a random or guessed string and then comparing the result.

    This is basically what this script appears to be doing. They think that by having a large database of strings and their MD5 hashes that they can match them up.

    However, do you really think that site can have every single word in the world, let along every single sentence, string, password, etc.?

    As I said, it's not gonna work for 'ya.

  7. Beel
    Member
    Posted 9 years ago #

    I just ran the hash of every user on one of the WP sites I manage and every one came back with the right password.

  8. masquerade
    Member
    Posted 9 years ago #

    Then you need to start telling users to choose better passwords. md5 breaking sites like the one listed above have been around for years, and as long as md5 is the accepted hash we need to keep our passwords secure. (We should no matter what really)

  9. Beel
    Member
    Posted 9 years ago #

    Granted users typically choose words they can remember easily, but the question I asked which I think is more relevant to the issue in this thread, "Has anyone had the retrieval system work for them?"

  10. Exactly.

    Info:
    GData was started by Gravix as just a project to kill time. It started off as a collection of hashes from 2 dictionaries: TheArgon (albeit cropped) and GDict (Gravix's personal dictionary). The hashes were set up in patterns to allow for faster access time (literally over 60000 times faster than a normal hash database). It later grew and includes CrackLib and all languages from swedish to japanese. When it was originally posted, the database contained a whopping 5.65 million unique entries weighing in at just over 200 mb. The unexpected popularity of the project led its founder to create a website dedicated to it: GDataOnline.com.

    The site is basically a collection of common passwords and such.

    So yes, if your password sucks and it happens to have it on file, it'll work. But if it is working, then you need to stop making your passwords so easy.

  11. oriecat
    Member
    Posted 9 years ago #

    "Has anyone had the retrieval system work for them?"

    Yes, I just created a new user to test this, and I got a new password just fine and logged back in.

  12. Firas
    Member
    Posted 9 years ago #

    You can use WP-Medic's authorization forcing to get into wp-admin, and reset your password there under the users tab. Check the top of header.php in wp-medic for a variable to fill with an authorization code, then load yoursite.com/wp-medic/?forceauth=<variable>.

  13. Beel
    Member
    Posted 9 years ago #

    Glad it worked for you, oriecat. Adding a new user works here, too. I am just trying to experience a successful password retrieval - doesn't seem to0 intuitive due to a link to login before the password is actually activated from the first email and then ultimately fails for me anyway.

    1. I click "lost your password?", enter the user's name and email address and hit "Retrieve Password"

    2. I get a screen that says "The e-mail was sent successfully to guest's e-mail address. Click here to login!"

    3. The email arrives with a link to click (making the link in #2 moot)

    4. I click the link in the email and get a popup screen that says, "Your new password is in the mail. Click here to login!"

    5. I click the link from #4 and wait for the second email that never comes. Additionally, an email arrives at my admin account that says, "Password Lost and Changed for user: " with no user name.

    Is your experience different?

  14. oriecat
    Member
    Posted 9 years ago #

    That's definitely odd. When I got the Admin email, it did show the username that was reset. I wonder if you have a corrupt file or something?

  15. Beel
    Member
    Posted 9 years ago #

    Not as odd as it may appear. This particular blog is not 1.5.2 yet and so may be an "old" bug.

    In any event the link accompanying "The email has been sent" should probably be removed to reduce confusion.

  16. oriecat
    Member
    Posted 9 years ago #

    Yeah, I agree with that. It just opens the login page, but you really need to use the link in the email, so then you just have an unnecessary tab or window open. It's redundant.

  17. skeltoac
    Member
    Posted 9 years ago #

    It failed to crack my passwords. What kind of passwords are you guys using? "pencil"?

  18. ekbuckley
    Member
    Posted 9 years ago #

    I'm researching a similar problem. I received this email through the wordpress -forgot your password- link:

    Mime-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: BASE64

    TG9naW46IGNoYXJjbzINClBhc3N3b3JkOiAwMGM3N2INCmh0dHA6Ly9jaGFyY29sbC5jb20vYmxv
    Zy93cC1sb2dpbi5waHA=

    .

    Is this a useful password somehow, and I'm misreading it? Can I login with it, or go through the database with Podz' above posted link?
    Thanks
    ekb

Topic Closed

This topic has been closed to new replies.

About this Topic