Decode password of eMail Accounts

DataMaster
Normal user
Posts: 36
Joined: 2015-03-16 16:22

Decode password of eMail Accounts

Post by DataMaster » 2015-05-13 13:14

Hello,

I am not a hacker and I am not an evil person.

In the database, we can see the table "hm_accounts".
This table contains a column called "accountpassword". Of course the password is not saved as plain text.

But I need the password to manipulate eMails (set flags) via IMAP.

Is it possible to decode these passwords?

With the account address and the password, I can connect via IMAP and set Flags of eMails.

jimimaseye
Moderator
Posts: 9172
Joined: 2011-09-08 17:48

Re: Decode password of eMail Accounts

Post by jimimaseye » 2015-05-13 13:30

Hey, naughty boy. :-)

Have you tried: https://www.base64decode.org/
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

DataMaster
Normal user
Posts: 36
Joined: 2015-03-16 16:22

Re: Decode password of eMail Accounts

Post by DataMaster » 2015-05-13 14:15

thank you for your idea,

but this does not help.
None of the charsets (UTF-8, ASCII, ISO-8859-1 etc.) does work. :?

mattg
Moderator
Posts: 21516
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Decode password of eMail Accounts

Post by mattg » 2015-05-13 15:46

What is your PreferredHashAlgorithm setting in your hmailserver.ini?
https://www.hmailserver.com/documentati ... lesettings
3 - SHA256 - Store passwords in SHA256 hashes. This is currently the recommended option which gives the highest level of security.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

DataMaster
Normal user
Posts: 36
Joined: 2015-03-16 16:22

Re: Decode password of eMail Accounts

Post by DataMaster » 2015-05-15 12:37

Hello,

thank you for your answer :D

But in my hMailServer.INI, I can't find an entry for "PreferredHashAlgorithm".

I can't see the "Settings"-section in my Ini-File. (I have version 5.6-B2145 installed)
Are only the non-default-values shown in Ini?

And if Sha256 is my Hash-Algorithm, what is the Hash-Value?

jimimaseye
Moderator
Posts: 9172
Joined: 2011-09-08 17:48

Re: Decode password of eMail Accounts

Post by jimimaseye » 2015-05-15 14:09

You understand correctly. The settings section is not there because you haven't added it. It is a special section that needs to be added manually IF YOU ARE CHANGING away from one of the default values it contains. So as it is not there then yes you are with salted SHA256.

DataMaster
Normal user
Posts: 36
Joined: 2015-03-16 16:22

Re: Decode password of eMail Accounts

Post by DataMaster » 2015-05-15 17:40

Ah, good to know :D

How will it help me to get the Passwords from Database in plain text?

SorenR
Senior user
Posts: 4694
Joined: 2006-08-21 15:38
Location: Denmark

Re: Decode password of eMail Accounts

Post by SorenR » 2015-05-15 23:53

DataMaster wrote:Ah, good to know :D

How will it help me to get the Passwords from Database in plain text?
It won't... You can't...

viewtopic.php?t=18307
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

DataMaster
Normal user
Normal user
Posts: 36
Joined: 2015-03-16 16:22

Re: Decode password of eMail Accounts

Post by DataMaster » 2015-05-17 11:46

Ah, good to know :(

But how is hMailServer using that encoded password?
hMail-Server needs to know the passwords as well.

Sure there is no possibility? :cry:

SorenR
Senior user
Posts: 4694
Joined: 2006-08-21 15:38
Location: Denmark

Re: Decode password of eMail Accounts

Post by SorenR » 2015-05-17 13:47

DataMaster wrote:Ah, good to know :(

But how is hMailServer using that encoded password?
hMail-Server needs to know the passwords as well.

Sure there is no possibility? :cry:
1: User enter password
2: hMailServer encrypt password
3: compare with database

Of course there is a way... If you have NSA/Homeland Security class hardware :wink:
SørenR.


tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: Decode password of eMail Accounts

Post by tochi » 2015-07-31 23:46

DataMaster wrote:Hello,

I am not a hacker and I am not an evil person.

In the database, we can see the table "hm_accounts".
This table contains a column called "accountpassword". Of course the password is not saved as plain text.

But I need the password to manipulate eMails (set flags) via IMAP.

Is it possible to decode these passwords?

With the account address and the password, I can connect via IMAP and set Flags of eMails.
Here's a workaround I propose.
1. save the hashed password
2. reset the password
3. do whatever you want to that email using new password
4. restore the hashed password
Of course, between step 2 and step 4, the email cannot be accessed using the original password. If it's an automated task which lasts only a few seconds, it might not be an issue.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Decode password of eMail Accounts

Post by percepts » 2015-08-02 02:04

You CAN do it but....

First change your hmailserver.ini file to use blowfish encryption

Code:

[Settings]
PreferredHashAlgorithm=1

Then restart hmailserver.

Then manually you have to change every user password so that it gets encrypted in DB using blowfish. Users won't be able to access email until you do this.

Then look in your addons folder where you will find some decryptblowfish.vbs code which you can use to see how to decrypt the password.

Note:

The big stopper to doing this is that if you have many users then you have a lot of accounts to manually change. You could write a script to do it but you can't email the new password to users because they won't have access to it. You have to tell them manually unless you have some other means of telling them.
But then again, if you only have a few users it's no big deal.

Blowfish isn't as secure but you need access to run script to decrypt it and if you have access to run scripts on the server then your security is zero anyway.

I have no idea how secure blowfish encryption is if someone gets the DB data from a backup somehow.

gianniskapouekei
Normal user
Posts: 64
Joined: 2017-09-29 13:09

Re: Decode password of eMail Accounts

Post by gianniskapouekei » 2017-10-29 22:37

Hi.. I have a problem because many people lost the password and can't connect from webmail. I installed Microsoft SQL Server 2008 Studio Express and connected to the hMailServer.sdf database.. How can I find the user codes in decryption and after I run the DecryptBlowfish.vbs to see the user password.. Thanks very much.

jimimaseye
Moderator
Posts: 9172
Joined: 2011-09-08 17:48

Re: Decode password of eMail Accounts

Post by jimimaseye » 2017-10-29 23:50

gianniskapouekei wrote:Hi.. I have a problem because many people lost the password and can't connect from webmail. I installed Microsoft SQL Server 2008 Studio Express and connected to the hMailServer.sdf database.. How can I find the user codes in decryption and after I run the DecryptBlowfish.vbs to see the user password.. Thanks very much.
Gianniskapouekei, again.......

START A NEW THREAD!!!!!!!

Svetoslav92
New user
Posts: 6
Joined: 2018-12-22 14:14

Re: Decode password of eMail Accounts

Post by Svetoslav92 » 2021-01-23 17:55

SorenR wrote:
2015-05-17 13:47
DataMaster wrote:Ah, good to know :(

But how is hMailServer using that encoded password?
hMail-Server needs to know the passwords as well.

Sure there is no possibility? :cry:
1: User enter password
2: hMailServer encrypt password
3: compare with database

Of course there is a way... If you have NSA/Homeland Security class hardware :wink:

If the password is sha256 salted. How do we know the salt then? It has to be generated upon installation and stored somewhere?
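
Added example (not part of the thread and not hMailServer's own code): the enter / hash / compare check from SorenR's three steps, done with a per-account salt that is stored next to the digest, which is the usual answer to where a salt lives. The record layout (a hex salt prefixed to the SHA-256 hex digest), the salt length and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_HEX_LEN = 6    # assumed length of the hex salt prefix (illustrative)
DIGEST_HEX_LEN = 64  # SHA-256 digest as hex


def make_record(password: str, salt: Optional[str] = None) -> str:
    """Build the stored value: salt + SHA-256(salt + password), all hex."""
    if salt is None:
        # A fresh random salt per account, not one value per installation.
        salt = secrets.token_hex(SALT_HEX_LEN // 2)
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def split_record(record: str) -> Tuple[str, str]:
    """Recover (salt, digest) from a stored value; reject malformed input."""
    if len(record) != SALT_HEX_LEN + DIGEST_HEX_LEN:
        raise ValueError("unexpected record length")
    return record[:SALT_HEX_LEN], record[SALT_HEX_LEN:]


def verify(password: str, record: str) -> bool:
    """Steps 1-3: take the entered password, hash it with the stored
    salt, compare with the stored digest. Nothing is ever decoded."""
    salt, stored_digest = split_record(record)
    candidate = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    # Constructed sample data: two accounts that share one password.
    rec_a = make_record("Winter2015!", salt="a1b2c3")
    rec_b = make_record("Winter2015!", salt="0f9e8d")
    return {
        "same_password_different_records": rec_a != rec_b,
        "salt_readable_from_record": split_record(rec_a)[0] == "a1b2c3",
        "right_password": verify("Winter2015!", rec_a),
        "wrong_password": verify("winter2015!", rec_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is not a secret: it only ensures that equal passwords give different stored values, and the server reads it back from the record each time it checks a login.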
