
Unencrypted password API call


jd6strings

Question

I've written API code to access user login info BUT I'm in dire need of using the system hash to decrypt the user password to plaintext.  Is there an API call that can be used to pass in the encrypted client password and our system hash and return plaintext?

I'm making my call like this...

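// escapeshellarg() quotes the whole parameter so characters such as "$" in the stored value are not expanded by the shell
$client_login_password = exec("php index.php api/encryption/systemDecrypt.json -u api_user -k XXXXXXXXXXXXXXXXXXXXXXXXX -m GET -p " . escapeshellarg("value=" . $client_login_password));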


13 answers to this question


Why are you trying to get plain-text user passwords? You are aware of the security implications of this, correct? No one should ever know what someone's password is except for that person.

User login passwords cannot be decrypted because they were never encrypted to begin with. They are hashed, and that hash only works one way, so you will not be able to retrieve the plain-text version of the password from it.

It would be helpful to know what you're trying to accomplish here as there may be a better design you can employ to achieve it.


Could you provide more information about what you're trying to accomplish? We may have some recommendations. Since user passwords are hashed, though, using bcrypt HMAC SHA-256 hashes, they are not reversible. If they were reversible, it would be considered a security risk. Even MD5 is not reversible, but it's considered weak due to collisions and rainbow tables.

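The point made in the two answers above, that a stored password hash can be checked against a submitted password but not decrypted, shown as an added example that is not part of the original thread or of Blesta's code. It assumes the legacy value is bcrypt over the hex HMAC-SHA-256 of the password keyed with the system key; the function names, the key and the sample record are hypothetical.

```php
<?php
// Added example. Assumption: legacy hash = bcrypt(hex HMAC-SHA-256(password, system key)).
// Confirm the construction against your own stored hashes before relying on it.

const LEGACY_SYSTEM_KEY = 'constructed-system-key-for-demo'; // placeholder, not a real key

function legacy_prehash(string $password, string $systemKey): string
{
    // Hex output is 64 characters: under bcrypt's 72-byte input limit, no NUL bytes.
    return hash_hmac('sha256', $password, $systemKey);
}

// Checks a login attempt. A legacy record is verified by recomputing the hash,
// then replaced with a native hash while the user-supplied plaintext is in hand.
function verify_and_upgrade(string $password, array &$user): bool
{
    if ($user['scheme'] !== 'legacy') {
        return password_verify($password, $user['hash']);
    }
    $candidate = legacy_prehash($password, LEGACY_SYSTEM_KEY);
    if (!password_verify($candidate, $user['hash'])) {
        return false; // nothing is decrypted; a wrong guess simply fails to match
    }
    $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    $user['scheme'] = 'native';
    return true;
}

// Constructed record standing in for a row imported from the old system.
$user = [
    'scheme' => 'legacy',
    'hash'   => password_hash(
        legacy_prehash('correct horse', LEGACY_SYSTEM_KEY),
        PASSWORD_BCRYPT
    ),
];

var_dump(verify_and_upgrade('wrong guess', $user));   // rejected, record unchanged
var_dump(verify_and_upgrade('correct horse', $user)); // accepted, record rehashed
var_dump($user['scheme']);                            // scheme after the upgrade
var_dump(verify_and_upgrade('correct horse', $user)); // accepted via the native hash
```

Accounts that never log in keep their legacy hash, so a reset email is still needed for those before the legacy path and the system key are retired.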

Just now, Tyson said:

Why are you trying to get plain-text user passwords? You are aware of the security implications of this, correct? No one should ever know what someone's password is except for that person.

User login passwords cannot be decrypted because they were never encrypted to begin with. They are hashed, and that hash only works one way, so you will not be able to retrieve the plain-text version of the password from it.

It would be helpful to know what you're trying to accomplish here as there may be a better design you can employ to achieve it.

We're trying to migrate to a different system and we were trying to keep user logins the same...

On 6/29/2017 at 2:56 PM, Tyson said:

Send everyone an email saying system changes necessitate they reset their password, then provide them a link to reset it.

That's what we're going to do.

Another question...where in the API can I get a list of credits that a client may have on their account?

38 minutes ago, jd6strings said:

That's what we're going to do.

Another question...where in the API can I get a list of credits that a client may have on their account?

I have a question: why are you asking a company you are moving from to help you move to your own system?

If I hosted with you, would you help me migrate to GoDaddy or another webhost? Or as an ISP, would you help me migrate to Verizon or Level3?

On 7/3/2017 at 5:45 PM, Tyson said:

Credits aren't stored, they're derived from the transactions that exist on a client's account that have not yet been applied to an invoice. You can fetch them via the API Transactions::getCredits.

THANK YOU!!! 

One last question...

I'm attempting to get the client autodebit settings from the API and I'm using the getSetting($client_id, $key) method.  It seems to be returning all the settings including those that are inherited.  I would expect that it would return the value for autodebit only if I'm passing that in as the $key parameter.  Is this not the case?

Thanks again for the great support!  I love Blesta and I am disappointed that I am forced to migrate away to a less user friendly platform...

1 hour ago, jd6strings said:

THANK YOU!!! 

One last question...

I'm attempting to get the client autodebit settings from the API and I'm using the getSetting($client_id, $key) method.  It seems to be returning all the settings including those that are inherited.  I would expect that it would return the value for autodebit only if I'm passing that in as the $key parameter.  Is this not the case?

Thanks again for the great support!  I love Blesta and I am disappointed that I am forced to migrate away to a less user friendly platform...

Disregard!  I figured it out!
