Important: Possible to Decrypt WP-Passwords?


#1

Hello,

I gave someone my wp database containing all wp users.
Is there any possibility for him to decrypt the passwords of the users?

I tried it with a MD5 decrypter and it didn’t work: http://md5decrypter.co.uk/
But can you say for sure that there is no decrypter that can do that?

Thank you.


#2

Hey,

As far as I know (maybe I’m wrong), WordPress does not use MD5 for password hashing; they are using the Portable PHP password hashing framework.

Since this is a hashing system, not an encryption algorithm, you should not be able to use a reversal algorithm to decrypt it.

So if your passwords are not easy passwords that can be found on any password dictionary, you won’t need to worry about this.

By the way, I’m not 100% sure…

Cheers,

Iman


#3

OK, thanks.
Waiting for another answer to be sure.


#4

Iman is correct, you are safe. WordPress used to use only MD5, but that’s now not the case.

Even if they used MD5 only, it’s hard to crack it, unless your password is some generic one or can be found in dictionaries.


#5

Thanks a lot. :)


#6
imangm said:

As far as I know (maybe I’m wrong), WordPress does not use MD5 for password hashing; they are using the Portable PHP password hashing framework.

The core still needs a cryptography algorithm; by default it is MD5, and it can be changed to Blowfish or DES. But the good part is that the new system is using 8 times MD5 over one password with a random additional input data called “salt”, so it is hard but still possible. It is just a matter of time and money: if the other side really wants it, there are some premium services which can do it with an acceptable success range.

OriginalEXE said:

Even if they used MD5 only, it’s hard to crack it, unless your password is some generic one or can be found in dictionaries.

I disagree. With today’s GPU processing power, pure MD5 is almost nothing, and there are also pre-made rainbow tables for up to 12-character combinations of all possible characters, so no, no MD5.
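
Added example, not part of any post in this thread: a Python sketch of the portable phpass format the replies refer to. It recomputes a hash from the cost character and salt stored inside the hash string, and labels `user_pass` values so that unsalted legacy MD5 entries in a shared dump can be prioritised for a reset. The salts and password below are constructed; `classify` and `verify` are names chosen here.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass's own base64 variant: little-endian 6-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Recompute a portable hash using the cost and salt stored in `setting`."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a portable phpass hash")
    log2 = ITOA64.index(setting[3])          # 4th character encodes log2(rounds)
    if not 7 <= log2 <= 30:
        raise ValueError("iteration count out of range")
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("ascii") + pw).digest()  # 8-char salt
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)

def classify(user_pass: str) -> str:
    """Label a wp_users.user_pass value by how it was hashed."""
    if re.fullmatch(r"[0-9a-f]{32}", user_pass):
        return "legacy unsalted MD5"
    if re.fullmatch(r"\$[PH]\$[./0-9A-Za-z]{31}", user_pass):
        rounds = 1 << ITOA64.index(user_pass[3])
        return f"phpass portable, {rounds} MD5 rounds, salt {user_pass[4:12]}"
    return "unrecognised"

if __name__ == "__main__":
    # Constructed samples: one password, two different salts, plus a bare MD5.
    a = phpass_hash("correct horse", "$P$BabcdEFGH")
    b = phpass_hash("correct horse", "$P$B12345678")
    for value in (a, b, hashlib.md5(b"correct horse").hexdigest()):
        print(value, "->", classify(value))
    print("verify:", verify("correct horse", a), verify("wrong guess", a))
```

The two salted hashes of the same password differ, which is why a precomputed table for bare MD5 does not apply to them; the bare MD5 value is the same for every user who picked that password.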


#7

Hi LovelessDesign,

You should definitely treat your passwords as compromised, and change them all.

It might take an attacker with that file some time to figure out the passwords from it, but it is definitely possible, even with fairly strong passwords.

In other words: don’t panic, but change your passwords. It’s much better to play it safe than take the risk.