Username/password retrival

The passwords are double hashed, so its more or less impossible to figure out what they are.

Using something like phpMyAdmin, you can change the passwords, have a look at Podz’s tutorial:

https://www.tamba2.org.uk/wordpress/phpmyadmin/

Use this to decode the harsh.

https://gdataonline.com/seekhash.php

Thanks for that link! I woke up this morning and could not log in to one of my sites and the password retrieval system, though seemingly working, did not.

I got the initial e-mail with the link to reset the password, clicked on it and got “Your new password is in the mail.” but it never came and the password in the database was unchanged. In the meantime I, as admin, got an e-mail stating “Password Lost and Changed for user: ” but with no username.

I could not decipher the hash for the password from the link above, so I used the hash from another database and it worked fine.

Don’t know how it got trashed initially, but that was my workaround. Has anyone had the retrieval system work for them?

Use this to decode the harsh.

https://gdataonline.com/seekhash.php

That script isn’t gonna work.

MD5 is one way, https://www.faqs.org/rfcs/rfc1321 , so the ONLY way to reverse a MD5 hash is to hard crack it by guessing, i.e. hashing a random or guessed string and then comparing the result.

This is basically what this script appears to be doing. They think that by having a large database of strings and their MD5 hashes that they can match them up.

However, do you really think that site can have every single word in the world, let along every single sentence, string, password, etc.?

As I said, it’s not gonna work for ‘ya.

I just ran the hash of every user on one of the WP sites I manage and every one came back with the right password.

Then you need to start telling users to choose better passwords. md5 breaking sites like the one listed above have been around for years, and as long as md5 is the accepted hash we need to keep our passwords secure. (We should no matter what really)

Granted users typically choose words they can remember easily, but the question I asked which I think is more relevant to the issue in this thread, “Has anyone had the retrieval system work for them?”

Exactly.

Info:
GData was started by Gravix as just a project to kill time. It started off as a collection of hashes from 2 dictionaries: TheArgon (albeit cropped) and GDict (Gravix’s personal dictionary). The hashes were set up in patterns to allow for faster access time (literally over 60000 times faster than a normal hash database). It later grew and includes CrackLib and all languages from swedish to japanese. When it was originally posted, the database contained a whopping 5.65 million unique entries weighing in at just over 200 mb. The unexpected popularity of the project led its founder to create a website dedicated to it: GDataOnline.com.

The site is basically a collection of common passwords and such.

So yes, if your password sucks and it happens to have it on file, it’ll work. But if it is working, then you need to stop making your passwords so easy.

“Has anyone had the retrieval system work for them?”

Yes, I just created a new user to test this, and I got a new password just fine and logged back in.

You can use WP-Medic‘s authorization forcing to get into wp-admin, and reset your password there under the users tab. Check the top of header.php in wp-medic for a variable to fill with an authorization code, then load yoursite.com/wp-medic/?forceauth=<variable>.

Glad it worked for you, oriecat. Adding a new user works here, too. I am just trying to experience a successful password retrieval – doesn’t seem to0 intuitive due to a link to login before the password is actually activated from the first email and then ultimately fails for me anyway.

1. I click “lost your password?”, enter the user’s name and email address and hit “Retrieve Password”

2. I get a screen that says “The e-mail was sent successfully to guest’s e-mail address. Click here to login!”

3. The email arrives with a link to click (making the link in #2 moot)

4. I click the link in the email and get a popup screen that says, “Your new password is in the mail. Click here to login!”

5. I click the link from #4 and wait for the second email that never comes. Additionally, an email arrives at my admin account that says, “Password Lost and Changed for user: ” with no user name.

Is your experience different?

That’s definitely odd. When I got the Admin email, it did show the username that was reset. I wonder if you have a corrupt file or something?

Not as odd as it may appear. This particular blog is not 1.5.2 yet and so may be an “old” bug.

In any event the link accompanying “The email has been sent” should probably be removed to reduce confusion.

Yeah, I agree with that. It just opens the login page, but you really need to use the link in the email, so then you just have an unnecessary tab or window open. It’s redundant.