Thread

We are moving away from EE to an internal system built specifically for our industry.  Part of that move is importing member data and login credentials.  I need to decrypt their passwords as our system requires them unencrypted upon an import such as this.  Is there a way to decrypt all passwords before I do the import?

Scratch that.  I figured it out.

Hi Don,

Well, I’m certainly glad you figured it out, but not so much to hear that you are moving away from ExpressionEngine.

But, as a firm believer in the best tool for the job, if EE is no longer that tool - that’s OK.

If you need anything else along the way, please let me know.

Cheers,

This project is moving away from EE, but I’m most certainly not!  It’s still head and shoulders above anything else out there.

Hi Don,

I am trying to do something similar. How did you manage to decrypt the passwords?

Kind regards,

Koen

Hey Koen,

Can you tell me a bit about what you are trying to do? I might be able to help with a better option than decrypting.

Cheers,

Hi Shane,

Some of my users received a generic password for their account. I would like to make this password expirable and would like to encourage the users to change thier password by redirecting them to the change password page and display a notification. In order to do so I would like to verify the password of the logged in member to see if he or she is still using the default and generic password.

Koen

Hi StudioKong,

Sounds interesting.

As far as I know, there is no way to decrypt the passwords from the DB. I do not think this is going to work.

I wish I had a better solution for you. I don’t believe that Don was able to decrypt the password, I am guessing he found a way around it.

Cheers,

Hi Shane,

I noticed a key and salt in the exp_members table so I hoped it was feasable. I guess a custom add-on will be needed to add the functionality I need. I found a workaround using some js and a custom plugin, but I would prefer a proper solution. Or I might need to have a look at Securit-ee http://devot-ee.com/add-ons/securitee although it seems a bit like overkill for my scenario.

Koen

Yep, Shane’s right. In fact, it’s a security measure that you can’t reverse-engineer the passwords. The way you’ll need to check to see if someone is using the generic password is by catching their submission on the way in and comparing it to the generic password. If that rings true, have your system do whatever it needs to do when someone’s using the generic password. Otherwise, let them through.

That’s just an overview, of course. Were you able to find a solution?

Hi Kevin,

What you describe is exactly what I am doing at the moment but I initially thought there might be a better solution available. Thanks both for sharing your thoughts. I’m all set now!

Cheers,

Koen

Great! Glad to hear you’re all set, Koen. Have a good one!