Date: Fri, 30 Oct 2009 09:08:42 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Monty Pyth <freebsdnewb@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: APACHE/PHP/MYSQL Password Hash
Message-ID: <4AEAAD1A.30409@infracaninophile.co.uk>
In-Reply-To: <281911.17527.qm@web110016.mail.gq1.yahoo.com>
References: <281911.17527.qm@web110016.mail.gq1.yahoo.com>
Monty Pyth wrote:
> I have inherited a website to work on that users authenticate to
> using a login and password from a login page. The server is FreeBSD
> 6.2 running APACHE/PHP/MYSQL. There is a MYSQL table that maintains
> all of the users. The table has a user's name and password. The
> password is hashed and some examples are:
>
> 02SvtVJnRLzuQ
> 42jhVP6kxUBX6
>
> Can anyone tell me what file I would look at to see what hash
> algorithm is being used to store the passwords in the table? Any help
> would be great.

If this is using Apache basic auth (mod_authn_dbd) then the passwords
will be stored using the old-style DES password hash. If the passwords
are managed from PHP, then it is anyone's guess as to how they are
stored. The samples you provided look like old-style DES password
hashes, but it's not possible to be certain that's what they are just
by looking at them.

See crypt(3) for the OS interface for generating password hashes. There
is an equivalent PHP function:

http://uk.php.net/manual/en/function.crypt.php

or you can play with perl to learn how it works:

% perl -le 'print crypt("password", "aa");'
aajfMKNH1hTm2

The 2nd argument is the salt, a randomly generated value used to ensure
that the same password encrypts to different hashes if used in different
accounts. It's the same basic API that is used in the system password
file, but nowadays the salt is 6 characters rather than two, and there is
a choice of hashing function -- this uses MD5:

% perl -le 'print crypt("password", q{$1$aaaaaa$});'
$1$aaaaaa$FuYJ957Lgsw.eVsENqOok1

Cheers,

Matthew

PS. 42jhVP6kxUBX6 is a Googlewhack, or it was until I sent this message.
However, one way of quickly decoding a password hash is just to Google
for the crypt text -- no guarantees, but surprisingly often you'll find
the answer for the old-style DES hashes...

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
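The two crypt(3) formats Matthew demonstrates above, as an added example that is not part of the original message or of the poster's application: a small Python script that parses a stored crypt string to report the scheme and the salt (the 13-character DES form, the $1$ MD5-crypt form, and the later $2*$ bcrypt and $5$/$6$ SHA-crypt prefixes), reimplements MD5-crypt following the FreeBSD libcrypt algorithm so the `$1$aaaaaa$` hash from the reply can be reproduced, and checks a candidate password against it with a constant-time comparison. Traditional DES crypt is only recognised here, not reimplemented. The hash strings are the ones quoted in the thread; the function names and the SHA-crypt-shaped string used for illustration are my own.

```python
"""Identify crypt(3) hash formats and reproduce MD5-crypt ("$1$") output.

Added example; not code from the mailing-list message. Assumes the
application stored the output of crypt(3) verbatim. MD5-crypt follows the
FreeBSD libcrypt algorithm; DES crypt is recognised but not reimplemented.
"""
import hashlib
import hmac
import re

# crypt(3) output alphabet: used by DES crypt and by MD5-crypt's hash field
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Traditional DES crypt: 2-character salt + 11-character hash, 13 in total
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes that name the algorithm unambiguously
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}


def identify_crypt_hash(stored):
    """Return (scheme, salt) for a crypt(3)-style string.

    A 13-character string from the itoa64 alphabet is consistent with DES
    crypt, but that is only a strong guess: nothing in the string proves how
    it was produced, which is the caveat the reply makes.
    """
    for prefix, scheme in PREFIXES.items():
        if stored.startswith(prefix):
            fields = stored[len(prefix):].split("$")
            if scheme == "bcrypt":
                # $2b$<cost>$<22-char salt><31-char hash>
                return scheme, (fields[1][:22] if len(fields) > 1 else "")
            # SHA-crypt may carry an optional "rounds=N$" field before the salt
            if fields[0].startswith("rounds="):
                fields = fields[1:]
            return scheme, fields[0]
    if DES_RE.match(stored):
        return "des", stored[:2]
    return "unknown", ""


def _to64(value, count):
    """Emit `count` characters, 6 bits each, least-significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """MD5-crypt as in FreeBSD's libcrypt (the "$1$" scheme).

    `salt` may be bare ("aaaaaa") or a full crypt string ("$1$aaaaaa$...");
    at most 8 characters before a '$' are used.
    """
    magic = b"$1$"
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # fixed 1000-round stretching (the scheme's work factor)
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Digest bytes are emitted in the scheme's permuted order, 6 bits per char
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def verify_md5_crypt(password, stored):
    """Check a candidate password against a stored $1$ hash in constant time."""
    return hmac.compare_digest(md5_crypt(password, stored), stored)


if __name__ == "__main__":
    for sample in ("02SvtVJnRLzuQ", "42jhVP6kxUBX6", "$1$aaaaaa$FuYJ957Lgsw.eVsENqOok1"):
        print(sample, "->", identify_crypt_hash(sample))
    print(md5_crypt("password", "aaaaaa"))
```

Recomputing the stored string from the candidate password and the stored salt is exactly how crypt(3)-based verification works for every scheme: `crypt(candidate, stored) == stored`. Two caveats worth keeping in mind when inheriting such a table: DES crypt keeps only the first 8 characters of the password and a 12-bit salt, and the MD5-crypt salt may be up to 8 characters, so neither format should be kept for new passwords once the algorithm has been identified.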