Old 06-21-2002, 11:08 AM   #1
Jinn
Confirmed User
 
Join Date: Nov 2001
Posts: 72
htpasswd / encryption question

Hello everyone:

I am sure there are a lot of programmers, unix gurus here, so I hope someone can help me.

I am wondering how the passwords are encrypted in the htpasswd file. I want to use PHP to do the authentication job by reading in the htpasswd file and comparing the input password with the one in the file. But I don't know how to generate the encrypted password with PHP.

I was trying to use the first 2 characters of the password as salt, then do crypt() in PHP. But it doesn't work in most cases. I am using Globill and ccBill and both write to the same htpasswd file. I noticed that (at least for ccBill) different encrypted passwords in the htpasswd file can be generated from the same original password at different times. Is this normal? How does Apache get to know the method by which they were encrypted? Can PHP do the same job? I am very new to this topic. So please, please help me. Thank you very much!

Any information would be much appreciated!

Jinn
Old 06-21-2002, 11:32 AM   #2
Phil21
Confirmed User
 
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
Uses standard crypt() functions.. heh.

Try using the encrypted password (okay, first two characters) as the salt when you're encrypting the plaintext for comparison.

-Phil
Old 06-21-2002, 11:49 AM   #3
dodo
Confirmed User
 
Join Date: Jan 2002
Posts: 162
Use md5 to encrypt the password and store it in the file. If the file gets hacked it would be useless since they would see 32bits of bullsh*t
Old 06-21-2002, 12:39 PM   #4
NitroPhil
Confirmed User
 
Join Date: Jun 2002
Location: Lightspeed Sorority
Posts: 103
If you're looking to verify a password against an encrypted password, this is the best way I've found to do it...

Use the crypt() function to encrypt the password submitted by the user with the already encrypted password as the salt. If the result is equal to the encrypted password, the password is correct. If it isn't, it's wrong.

Let me know if you need more info. Hope this helps.
Old 06-21-2002, 01:51 PM   #5
buran
Confirmed User
 
Join Date: Mar 2002
Location: how'd I get here?
Posts: 264
The previous posters are correct: crypt() is a one-way encryption. You must take the plain text entered by the user and the first two characters of the encrypted password. If $PHP_AUTH_PW is the password entered by the user, and $password is what you've found in the .htpasswd file (or mysql), this code should work:

// The first two characters of the stored hash are the salt
$compare = crypt($PHP_AUTH_PW, substr($password, 0, 2));
if ($compare == $password) {
    echo "Logged in";
} else {
    echo "Password not valid";
    exit;
}
__________________
[this signature intentionally left blank]
Old 06-21-2002, 03:41 PM   #6
Jinn
Confirmed User
 
Join Date: Nov 2001
Posts: 72
Thank you for all your help. It finally works!

Just one thing is still not very clear to me (I am a bit slow): NitroPhil mentioned that I can use the encrypted password as the salt. In the PHP manual, it says this can avoid problems when different algorithms are used. All the encrypted passwords in my htpasswd file are 13 characters long. How can crypt() distinguish if the password is "DES-based password hashing" or "MD5-based"? Doesn't it just check both and see whichever gives the right password?
Old 06-24-2002, 06:19 AM   #7
buran
Confirmed User
 
Join Date: Mar 2002
Location: how'd I get here?
Posts: 264
DES (crypt) is 13 characters, md5 is 256. All your programs need to use the same cypher in order to work. The first two characters of a DES string are the salt value used to calculate it.

Hope that clears it up.
__________________
[this signature intentionally left blank]
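
The check described in posts #4 and #5, and the scheme question from post #6, as an added example that is not part of the thread: the stored hash's own prefix tells the verifier which scheme wrote it, so nothing has to be guessed. Function names and the sample file are constructed for illustration; the prefixes are the ones Apache's htpasswd tool writes.

```php
<?php
// Added example (not code from the thread). Sample users and passwords are constructed.

// Identify the scheme from the stored hash alone.
function htpasswd_scheme(string $hash): string
{
    if (strncmp($hash, '$apr1$', 6) === 0) return 'apr1-md5';   // Apache-specific MD5
    if (preg_match('/^\$2[axy]\$/', $hash)) return 'bcrypt';
    if (strncmp($hash, '{SHA}', 5) === 0) return 'sha1';        // unsalted SHA-1, base64
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) return 'des-crypt';
    return 'unknown';
}

// Verify $password for $user against htpasswd-formatted text ("user:hash" per line).
function htpasswd_verify(string $file, string $user, string $password): bool
{
    foreach (preg_split('/\R/', $file, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[0] !== $user) continue;
        $stored = trim($parts[1]);
        switch (htpasswd_scheme($stored)) {
            case 'des-crypt':
            case 'bcrypt':
                // crypt() reads the scheme and salt out of the stored hash itself.
                $candidate = crypt($password, $stored);
                break;
            case 'sha1':
                $candidate = '{SHA}' . base64_encode(sha1($password, true));
                break;
            default:
                // PHP's crypt() does not implement $apr1$; fail closed.
                return false;
        }
        return hash_equals($stored, $candidate);   // constant-time comparison
    }
    return false;   // unknown user
}

// Constructed sample file: hashes are generated here, not taken from any real site.
$file = "alice:" . crypt('password123', 'ab') . "\n"
      . "bob:{SHA}" . base64_encode(sha1('hunter2', true)) . "\n"
      . "carol:" . password_hash('letmein', PASSWORD_BCRYPT) . "\n";

var_dump(htpasswd_verify($file, 'carol', 'letmein'));
var_dump(htpasswd_verify($file, 'bob', 'wrong'));
// DES crypt only uses the first 8 characters of the password, so this
// shortened password is accepted for alice: a reason to migrate to bcrypt.
var_dump(htpasswd_verify($file, 'alice', 'password'));
```
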
Old 06-24-2002, 07:54 AM   #8
Cogitator
Confirmed User
 
Join Date: Feb 2002
Location: Florida
Posts: 672
MD5 is a one way hashing algorithm and is impossible to break or decode. If anyone ever hacks into a site to steal passwords, they are useless if they are MD5 encrypted.
__________________
- this space intentionally left blank -