Thread: How to get user_password decrypted?

  1. #1
    sv2k is offline Sugar Community Member
    Join Date
    Dec 2005
    Posts
    19

    How to get user_password decrypted?

    Is there a way to write SQL retrieving user password, so that I can login as the user?

    It's inconvenient for admins to deal with encrypted passwords of users.

    Thanks in advance.
    Last edited by sv2k; 2007-01-09 at 08:20 AM.

  2. #2
    mycrmspacegunnar is offline Sugar Community Member
    Join Date
    Sep 2006
    Posts
    105

    Re: How to get user_password decrypted?

    Hi,

    Erm, do you really expect to get an answer to this question?

    Cheers
    Gunnar
    Gunnar von Boehn
    myCRMspace

  3. #3
    lvangool is offline Sugar Community Member
    Join Date
    Jul 2006
    Location
    Near Rotterdam, Holland
    Posts
    280

    Re: How to get user_password decrypted?

    He does, obviously...

    No, you cannot retrieve the password. Your best bet is to change it and mail the new password to the user so he or she can reset it.

  4. #4
    chrisky is offline Sugar Community Member
    Join Date
    Aug 2006
    Location
    Trondheim, Norway
    Posts
    293

    Re: How to get user_password decrypted?

    Quote Originally Posted by sv2k
    Is there a way to write SQL retrieving user password, so that I can login as the user?

    It's inconvenient for admins to deal with encrypted passwords of users.

    Thanks in advance.
    I can recognize AND appreciate that there can exist a legitimate 'need' for the ability to be logged in under the account of another user/individual.

    On another topic, the manner in which you posed your question, as well the assumed fact that you have administrative access to a sugarcrm deployment.... well there is absolutely no need whatsoever for you to be able to find out or determine a particular user's password.

    The fact that you have administrative access to sugar should for the most part, provide you with the ability to do, view, edit, etc. anything related to that particular user; and such is doable WITHOUT knowing the user's password.

    I can understand why others might be suspect of such a question.
    When oneself takes into account the fact that most people use the same password for multiple things/sites, combined with someone's desire to know another person's password to something definitely result in the intention(s) very likely being nothing other than to use such knowledge (password) for nefarious purposes.

    If a sugar administrator absolutely needed the ability to be logged in as another user (and I'd guess that the demand or need for this scenario/possibility not only exists, but is greater than others or myself would assume; while noting that such need is actually a legitimate need), I'll mention that Sugar [code] can be modified to allow an administrator to login, followed by the ability to select [desired user] and switch the active user for that session to that of another user. And as obvious, there never will be any legitimate need or purpose for being able to know a user's password.

  5. #5
    sv2k is offline Sugar Community Member
    Join Date
    Dec 2005
    Posts
    19

    Re: How to get user_password decrypted?

    We've applied our rules on horizontal filtering, so that each user of its role could see only the records that are allowed.
    We are afraid of the info flowing out.
    So, we must be sure the user sees his and only his data.
    I need to log on as the user and demonstrate this to my chiefs.
    It's very inconvenient that I don't have the ability.

  6. #6
    glucose is offline Sugar Community Member
    Join Date
    Jan 2007
    Posts
    34

    Re: How to get user_password decrypted?

    Why not just create a few test users of your own to demonstrate the desired functionality, simple.

    Generally administrators are not supposed to know user passwords in a professional IT environment. (see CFR21PART11 - electronic records and signatures).

    However if you want to do things the hard way, the sugar user password is encrypted with the php crypt function using the first two characters of the user name as the salt. Now, the type of encryption used by the crypt function depends on the server platform: http://www.php.net/manual/en/function.crypt.php

    You can test this with a simple script. Once you have determined the encryption algorithm in use on the system then obtain a brute force cracker for that algorithm (beware of viruses and trojans). Then provide it the hash and salt and let er rip. It will take anywhere from a few seconds to up to a week depending on the password strength. (pick someone you know uses weak passwords and dedicate an idle system to the job).

    The simplest solution is simply to create a few test users to demonstrate the desired functionality to your superiors. (I would have done so before even claiming it was possible, just to prove it to myself...)
    Last edited by glucose; 2007-01-09 at 12:49 PM.

  7. #7
    Angel is offline Sugar Community Member
    Join Date
    Jul 2005
    Location
    Los Angeles
    Posts
    4,813

    Re: How to get user_password decrypted?

    Quote Originally Posted by sv2k
    Is there a way to write SQL retrieving user password, so that I can login as the user?

    It's inconvenient for admins to deal with encrypted passwords of users.

    Thanks in advance.
    You should be aware that Sugar does not actually store the user's password in the database. The encrypted string that you are seeing is an MD5 hash for the password, not an encrypted version of it. I've seen some tech docs floating around on the net where folks have come up with some cumbersome ways of reversing the hash, but in general, you are not supposed to be able to do that.
    Last edited by Angel; 2007-01-09 at 09:09 PM.
    Regards,

    Angel Magaña
    Co-Author: Implementing SugarCRM 5.x (Packt Publishing -- Sept. 2010)
    Blog: http://cheleguanaco.blogspot.com.
    Twitter: @cheleguanaco.

    ________
    | Projects: |_____________________________________
    |
    | CandyWrapper (.NET Wrapper for SugarCRM SOAP API). Source now available on GitHub!
    | GoldMine to SugarCRM Express Conversion. Latest: 1.0.1.7 (Nov. 3, 2009)
    | CRM SkyDialer (Skype Integration). Latest: 1.0.2 (Feb. 17, 2010)
    | Round Robin Leads Assignment
    | Phone Number Formatter
    | CaseTwit (Twitter Integration)
    ______________________________________________

  8. #8
    Jacob is offline Senior Member
    Join Date
    Oct 2004
    Posts
    331

    Re: How to get user_password decrypted?

    In older versions of the system crypt was used to store the passwords. This was quickly changed to MD5 using crypt as a backup for compatibility. In later versions, the crypt column was completely dropped. The Sugar password system is using MD5 one way encoding of a password. When a user types in their password, it is MD5 encoded. If this MD5 encoding matches the password of that user in the database, they are granted access.

    We have also invested (in 4.5.0) in a new API for authentication. This new API allows for other systems to be leveraged to authenticate users (LDAP or ActiveDirectory authentication are built in). It supports creation of modules to arbitrarily connect to other outside systems and authenticate using their APIs.

    Many MD5s that are really simple and do not use special characters or capitalization have been cataloged. A password of sufficient complexity or length should prevent reverse engineering the values in the database. Future versions of Sugar should allow for configurable password criteria.

    Jacob
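
The login check described in the last post (MD5 of the typed password compared with the stored value), shown beside a salted, slow replacement with upgrade-on-login. This is an added example, not part of any post and not SugarCRM code: the function names, the sample users and the use of PHP's `password_hash()` are assumptions made for illustration.

```php
<?php
// Added example, not SugarCRM code. All names here are hypothetical.

// Legacy scheme as described in the thread: the stored value is md5(password).
function legacy_md5_matches(string $typed, string $storedHash): bool
{
    // hash_equals() compares in constant time.
    return hash_equals(strtolower($storedHash), md5($typed));
}

// Verify a login against either format. Returns [ok, replacementHashOrNull].
function verify_and_upgrade(string $typed, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        if (!legacy_md5_matches($typed, $stored)) {
            return [false, null];
        }
        // Correct password on a legacy record: re-hash with a per-user
        // random salt and a deliberately slow algorithm.
        return [true, password_hash($typed, PASSWORD_DEFAULT)];
    }
    if (!password_verify($typed, $stored)) {
        return [false, null];
    }
    // Re-hash if the default algorithm or cost has changed since storage.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($typed, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample records: two users who chose the same password.
$users = ['alice' => md5('Spring2007'), 'bob' => md5('Spring2007')];

// Unsalted MD5: identical passwords produce identical stored values,
// which is why simple ones can be looked up in a catalogue.
var_dump($users['alice'] === $users['bob']);

// Migrate each record the next time its owner logs in successfully.
foreach (array_keys($users) as $name) {
    [$ok, $upgraded] = verify_and_upgrade('Spring2007', $users[$name]);
    if ($ok && $upgraded !== null) {
        $users[$name] = $upgraded;
    }
}

// After migration the two stored values differ, the right password still
// verifies, and a wrong one is rejected.
var_dump($users['alice'] !== $users['bob']);
var_dump(verify_and_upgrade('Spring2007', $users['alice'])[0]);
var_dump(verify_and_upgrade('wrong', $users['bob'])[0]);
```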
