Decode password of eMail Accounts
-
- Normal user
- Posts: 36
- Joined: 2015-03-16 16:22
Decode password of eMail Accounts
Hello,
I am not a hacker and I am not an evil person.
In the database, we can see the table "hm_accounts".
This table contains a column called "accountpassword". Of course the password is not saved as plain text.
But I need the password to manipulate eMails (set flags) via IMAP.
Is it possible to decode these passwords?
With the account address and the password, I can connect via IMAP and set Flags of eMails.
- jimimaseye
- Moderator
- Posts: 8917
- Joined: 2011-09-08 17:48
Re: Decode password of eMail Accounts
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
-
- Normal user
- Posts: 36
- Joined: 2015-03-16 16:22
Re: Decode password of eMail Accounts
thank you for your idea,
but this does not help.
None of the charsets (UTF-8, ASCII, ISO-8859-1 etc.) does work.

Re: Decode password of eMail Accounts
What is your PreferredHashAlgorithm setting in your hmailserver.ini?
https://www.hmailserver.com/documentati ... lesettings
3 - SHA256 - Store passwords in SHA256 hashes. This is currently the recommended option which gives the highest level of security.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
-
- Normal user
- Posts: 36
- Joined: 2015-03-16 16:22
Re: Decode password of eMail Accounts
Hello,
thank you for your answer
But in my hMailServer.INI, I can't find an entry for "PreferredHashAlgorithm".
I can't see the "Settings"-section in my Ini-File. (I have version 5.6-B2145 installed)
Are only the non-default-values shown in Ini?
And if Sha256 is my Hash-Algorithm, what is the Hash-Value?
- jimimaseye
- Moderator
- Posts: 8917
- Joined: 2011-09-08 17:48
Re: Decode password of eMail Accounts
You understand correctly. The settings section is not there because you haven't added it. It is a special section that needs to be added manually IF YOU ARE CHANGING away from one of the default values it contains. So as it is not there then yes you are with salted SHA256.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
-
- Normal user
- Posts: 36
- Joined: 2015-03-16 16:22
Re: Decode password of eMail Accounts
Ah, good to know
How will it help me to get the Passwords from Database in plain text?

Re: Decode password of eMail Accounts
DataMaster wrote:
Ah, good to know
How will it help me to get the Passwords from Database in plain text?

It won't... You can't...
viewtopic.php?t=18307
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
-
- Normal user
- Posts: 36
- Joined: 2015-03-16 16:22
Re: Decode password of eMail Accounts
Ah, good to know
But how is hMailServer using that encoded password?
hMail-Server needs to know the passwords as well.
Sure there is no possibility?


Re: Decode password of eMail Accounts
DataMaster wrote:
Ah, good to know
But how is hMailServer using that encoded password?
hMail-Server needs to know the passwords as well.
Sure there is no possibility?

1: User enter password
2: hMailServer encrypt password
3: compare with database
Of course there is a way... If you have NSA/Homeland Security class hardware

SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
Re: Decode password of eMail Accounts
DataMaster wrote:
Hello,
I am not a hacker and I am not an evil person.
In the database, we can see the table "hm_accounts".
This table contains a column called "accountpassword". Of course the password is not saved as plain text.
But I need the password to manipulate eMails (set flags) via IMAP.
Is it possible to decode these passwords?
With the account address and the password, I can connect via IMAP and set Flags of eMails.

Here's a workaround I propose.
1. save the hashed password
2. reset the password
3. do whatever you want to that email using new password
4. restore the hashed password
Of course, between step 2 and step 4, the email can not be accessed using original password. If it's an automated task which lasts only a few seconds, it might not be an issue.
Re: Decode password of eMail Accounts
You CAN do it but....
First change your hmailserver.ini file to use blowfish encryption
Code:
[Settings]
PreferredHashAlgorithm=1
Then restart hmailserver.
Then manually you have to change every user password so that it gets encrypted in DB using blowfish. Users won't be able to access email until you do this.
Then look in your addons folder where you will find some decryptblowfish.vbs code which you can use to see how to decrypt the password.
Note:
The big stopper to doing this is that if you have many users then you have a lot of accounts to manually change. You could write a script to do it but you can't email the new password to users because they won't have access to it. You have to tell them manually unless you have some other means of telling them.
But then again, if you only have a few users it's no big deal.
Blowfish isn't as secure but you need access to run script to decrypt it and if you have access to run scripts on the server then your security is zero anyway.
I have no idea how secure blowfish encryption is if someone gets the DB data from a backup somehow.
-
- Normal user
- Posts: 64
- Joined: 2017-09-29 13:09
Re: Decode password of eMail Accounts
hi.. I have a problem because many people lost the password and can't connect from webmail. I install Microsoft SQL Server 2008 Studio Express and connect in the hMailServer.sdf database.. who I can find the user codes in decryption and after I run the DecryptBlowfish.vbs to see the user password.. thanks very much.
- jimimaseye
- Moderator
- Posts: 8917
- Joined: 2011-09-08 17:48
Re: Decode password of eMail Accounts
gianniskapouekei wrote:
hi..i have a problem because many people lost the password and can't connect from webmail. i install Microsoft SQL Server 2008 Studio Express and conect in the hMailServer.sdf database..who i can find the user codes in decryption and after i run the DecryptBlowfish.vbs to see the user password..thanks very much.

Gianniskapouekei, again.......
START A NEW THREAD!!!!!!!
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
-
- New user
- Posts: 6
- Joined: 2018-12-22 14:14
Re: Decode password of eMail Accounts
SorenR wrote: 2015-05-17 13:47
DataMaster wrote:
Ah, good to know
But how is hMailServer using that encoded password?
hMail-Server needs to know the passwords as well.
Sure there is no possibility?

1: User enter password
2: hMailServer encrypt password
3: compare with database
Of course there is a way... If you have NSA/Homeland Security class hardware

If the password is sha256 salted. How do we know the salt then? It has to be generated upon installation and stored somewhere?
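
Added example, not part of any post in this thread and not hMailServer's own code: the enter, hash, compare steps quoted above, together with the usual answer to the salt question, namely that a per-account random salt is stored next to the digest rather than generated once at installation. The 6-character salt prefix, the SHA-256(salt + password) layout and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 6  # assumption: salt kept as 6 hex characters in front of the digest


def make_stored_value(password: str, salt: Optional[str] = None) -> str:
    """Return salt + SHA-256(salt + password) as a single hex string."""
    if salt is None:
        salt = secrets.token_hex(SALT_LEN // 2)  # fresh random salt per account
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def verify(candidate: str, stored: str) -> bool:
    """Hash what the user typed with the row's own salt, then compare."""
    salt = stored[:SALT_LEN]  # the salt is read back from the stored value
    expected = make_stored_value(candidate, salt)
    # Constant-time comparison of the two strings.
    return hmac.compare_digest(expected.encode("utf-8"), stored.encode("utf-8"))


def demo() -> dict:
    # Constructed sample accounts: two users who chose the same password.
    db = {
        "alice@example.test": make_stored_value("correct horse"),
        "bob@example.test": make_stored_value("correct horse"),
    }
    alice = db["alice@example.test"]
    return {
        "alice_ok": verify("correct horse", alice),
        "alice_wrong": verify("Correct horse", alice),
        # Different salts give different rows for the same password.
        "rows_identical": alice == db["bob@example.test"],
        "stored_length": len(alice),  # 6 salt characters + 64 digest characters
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server never needs the plain-text password back: it only repeats the hash with the stored salt and checks for equality, which is why the column cannot be "decoded".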