htpasswd / encryption question
Hello everyone:
I am sure there are a lot of programmers and Unix gurus here, so I hope someone can help me. I am wondering how the passwords are encrypted in the htpasswd file. I want to use PHP to do the authentication job by reading in the htpasswd file and comparing the input password with the one in the file. But I don't know how to generate the encrypted password with PHP. I was trying to use the first 2 characters of the password as salt, then do crypt() in PHP. But it doesn't work in most cases.

I am using Globill and ccBill and both write to the same htpasswd file. I noticed that (at least for ccBill) different encrypted passwords in the htpasswd file can be generated from the same original password at different times. Is this normal? How does Apache get to know the method they were encrypted with? Can PHP do the same job?

I am very new to this topic. So please, please help me. Thank you very much! Any information would be much appreciated! Jinn |
Uses standard crypt() functions.. heh.
Try using the encrypted password (okay, first two characters) as the salt for when you're encrypting the plaintext for comparison. -Phil |
Use md5 to encrypt the password and store it in the file. If the file gets hacked, it would be useless since they would see 32bits of bullsh*t
|
If you're looking to verify a password against an encrypted password, this is the best way I've found to do it...
Use the crypt() function to encrypt the password submitted by the user with the already encrypted password as the salt. If the result is equal to the encrypted password, the password is correct. If it isn't, it's wrong. Let me know if you need more info. Hope this helps. |
The previous posters are correct, crypt() is a one way encryption, you must take the plain text entered by the user and the first two characters of the encrypted password. If $PHP_AUTH_PW is the password entered by the user, and $password is what you've found in the .htpasswd file (or mysql), this code should work:

    // Hash the submitted password with the salt taken from the stored hash
    $compare = crypt($PHP_AUTH_PW, substr($password, 0, 2));
    // Strict comparison, so two different hashes are never compared as numbers
    if ($compare === $password) {
        echo "Logged in";
    } else {
        echo "Password not valid";
        exit;
    }

|
Thank you for all your help. It finally works!
Just one thing is still not very clear to me (I am a bit slow): NitroPhil mentioned that I can use the encrypted password as the salt. In the PHP manual, it says this can avoid problems when different algorithms are used. All the encrypted passwords in my htpasswd file are 13 characters long. How can crypt() distinguish if the password is "DES-based password hashing" or "MD5-based"? Doesn't it just check both and see whichever gives the right password? |
DES (crypt) is 13 characters, md5 is 256. All your programs need to use the same cypher in order to work. The first two characters of a DES string are the salt value used to calculate it.
hope that clears it up. |
MD5 is a one way hashing algorithm and is impossible to break or decode. If anyone ever hacks into a site to steal passwords, they are useless if they are MD5 encrypted.
|
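An added example, not part of the original thread: it shows the check the replies describe (the stored hash passed to crypt() as the salt) together with how an htpasswd entry's scheme is recognised from its prefix and length, which is what the follow-up question asks about. The helper names `htpasswd_scheme()` and `htpasswd_verify()` are hypothetical, and the sample entries are constructed at run time rather than taken from any real file.

```php
<?php
// Added example: identify the scheme of an htpasswd hash, then verify a password.
// htpasswd_scheme() and htpasswd_verify() are hypothetical helper names.

function htpasswd_scheme(string $hash): string
{
    if (strncmp($hash, '$apr1$', 6) === 0) return 'apr1-md5';  // Apache-specific MD5
    if (strncmp($hash, '$2y$', 4) === 0)   return 'bcrypt';
    if (strncmp($hash, '{SHA}', 5) === 0)  return 'sha1';      // unsalted SHA-1
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) return 'des-crypt';
    return 'unknown';
}

// Returns true or false, or null when this code cannot check the scheme.
function htpasswd_verify(string $password, string $hash): ?bool
{
    switch (htpasswd_scheme($hash)) {
        case 'des-crypt':
        case 'bcrypt':
            // The stored hash carries its own salt, so it is passed as the salt.
            return hash_equals($hash, crypt($password, $hash));
        case 'sha1':
            return hash_equals($hash, '{SHA}' . base64_encode(sha1($password, true)));
        default:
            return null; // PHP's crypt() does not implement $apr1$
    }
}

// Constructed sample entries, built here so that no hash value is typed by hand.
$lines = [
    'alice:' . crypt('secret', 'ab'),                      // DES, salt "ab"
    'bob:{SHA}' . base64_encode(sha1('secret', true)),
    'carol:' . password_hash('secret', PASSWORD_BCRYPT),
    'dave:$apr1$examplesalt$placeholder',                  // placeholder, not a real hash
];

foreach ($lines as $line) {
    [$user, $hash] = explode(':', trim($line), 2);
    printf("%-6s %-9s correct=%s wrong=%s\n", $user, htpasswd_scheme($hash),
        var_export(htpasswd_verify('secret', $hash), true),
        var_export(htpasswd_verify('Secret', $hash), true));
}
```

Each hash is generated with a fresh salt, so the same password yields a different stored string every time; verification still succeeds because the salt is read back from the stored hash.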