Date: 01/15/01
I always forget to address these to the list instead of the sender 8^)
Cheers
-------- Original Message --------
Subject: Re: [phplib] Passwords: Clear & MD5
Date: Sun, 14 Jan 2001 10:26:43 +1000
From: Michael Anthon <michael <email protected>>
To: "D. Wade" <baylee10 <email protected>>
References: <OFD3E2A029.696994F3-ONC12569CF.005CD10A <email protected>>
<3A603903.8B917F7B <email protected>>
This is a relatively simple one to explain. The apache mod_auth module
encrypts the password using the crypt function (man crypt). This is the
same function normally used to encrypt passwords on Unix type systems.
The crypt function takes 2 parameters, the text to be encrypted and the
salt, which has some effect on the encryption so that using a different
salt results in a different encrypted string.
Try this bit of code
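<?php
// Hash the password with a two-character salt, then hash it again
// using the first result as the salt; both outputs are identical.
$passwd = "test";
$salt = "AB";
$crypt1 = crypt($passwd, $salt);
$crypt2 = crypt($passwd, $crypt1);
print "$passwd\n$crypt1\n$crypt2\n";
?>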
The result should be
test
ABwOg1D2JDxIQ
ABwOg1D2JDxIQ
You can see that the first 2 letters of the encrypted password are
actually the salt string. This is why you can use the encrypted
password as the salt. So... what you do is store the encrypted password
hash supplied to you in the database, when the user attempts to log in,
you take the password they supplied and crypt it using the stored
password hash as the salt. If what you get is the same as the stored
hash, then the password was correct.
In your example, calling the function crypt("test","DHVx8VCTYetpI") will
return the string "DHVx8VCTYetpI".
Cheers
Michael Anthon
>
> I'm a relative newbie. I had a site running where I received
> login and text password from a third party. They are going
> out of business. I can only find third parties that send
> login and encrypted passwords suitable for appending to Apache's
> .htpasswd file.
>
> The Apache htpasswd function creates a 13 character file,
> like kris & test encrypted are kris:DHVx8VCTYetpI
> In the stuff/create_database.mysql, 'test' is encrypted
> into 32 characters? Is there more than one MD5?
>
> Can I un-encrypt the ".htpasswd" passwords to clear text?
> I've read doc/README.md5_passwords. I'm bothered by the
> 13 versus 32 length encryptions.
>
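The check described in the reply above, written out as an added example (not code from the original message or from phplib): it parses htpasswd-style user:hash lines, re-crypts the supplied password with the stored hash as the salt, and tells a 13-character crypt value from a 32-character hex digest by its shape. The record is constructed at run time, and the function names hash_kind, load_records and check_login are hypothetical.

```php
<?php
// Added example: check logins against htpasswd-style "user:hash" records.
// The record below is constructed at run time; it is not a real credential.
$records = ["kris:" . crypt("test", "AB")];

// Classify a stored value by shape (the 13-versus-32 question in the thread).
function hash_kind(string $stored): string
{
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $stored)) {
        return "des-crypt";   // 2-character salt followed by 11 hash characters
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return "md5-hex";     // the length of a hex-encoded MD5 digest
    }
    return "unknown";
}

// Parse "user:hash" lines into a user => hash map, skipping malformed lines.
function load_records(array $lines): array
{
    $map = [];
    foreach ($lines as $line) {
        $parts = explode(":", trim($line), 2);
        if (count($parts) === 2 && $parts[0] !== "") {
            $map[$parts[0]] = $parts[1];
        }
    }
    return $map;
}

// Re-crypt the supplied password with the stored hash as salt and compare.
function check_login(array $map, string $user, string $password): bool
{
    if (!isset($map[$user]) || hash_kind($map[$user]) !== "des-crypt") {
        return false;         // unknown user, or not a crypt()-style value
    }
    $stored = $map[$user];
    // hash_equals() compares in constant time (PHP 5.6+).
    return hash_equals($stored, crypt($password, $stored));
}

$map = load_records($records);
var_dump(check_login($map, "kris", "test"));    // correct password
var_dump(check_login($map, "kris", "Test"));    // wrong password
var_dump(check_login($map, "nobody", "test"));  // unknown user
var_dump(hash_kind(md5("test")));               // a 32-character value
```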

