Monty Pyth wrote:
I have inherited a website to work on that users authenticate to
using a login and password from a login page. The server is FreeBSD
6.2 running APACHE/PHP/MYSQL. There is a MYSQL table that maintains
all of the users. The table has a user's name and password. The
password is hashed and some examples are:

02SvtVJnRLzuQ
42jhVP6kxUBX6

Can anyone tell me what file I would look at to see what hash
algorithm is being used to store the passwords in the table? Any help
would be great.

If this is using Apache basic auth (mod_authn_dbd) then the passwords
will be stored using the old-style DES password hash.  If the passwords
are managed from PHP, then it is anyone's guess as to how they are
stored.

The samples you provided look like old-style DES password hashes, but it's
not possible to be certain that's what they are just by looking at them.
See crypt(3) for the OS interface for generating password hashes.  There
is an equivalent PHP function:

  http://uk.php.net/manual/en/function.crypt.php

or you can play with perl to learn how it works:

  % perl -le 'print crypt("password", "aa");'
  aajfMKNH1hTm2

The 2nd argument is the salt, a randomly generated value used to ensure
that the same password encrypts to different hashes if used in different
accounts.

It's the same basic API that is used in the system password file,
but nowadays the salt is 6 characters rather than two, and there is
a choice of hashing function -- this uses MD5:

  % perl -le 'print crypt("password", q{$1$aaaaaa$});'
  $1$aaaaaa$FuYJ957Lgsw.eVsENqOok1

        Cheers,

        Matthew

PS. 42jhVP6kxUBX6 is a Googlewhack, or it was until I sent this message.
However one way of quickly decoding a password hash is just to Google
for the crypt text -- no guarantees but surprisingly often you'll find
the answer for the old style DES hashes...

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW
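The two things Matthew's reply turns on, telling the crypt(3) formats apart by their shape and seeing how the salt feeds into the hash, can be checked offline. The following is an added example and not code from the thread: it classifies a stored hash by the crypt(3) conventions (the "$1$" prefix, the 13-character DES form with its two-character salt, and, as a heuristic only, bare hex digests of the kind a PHP application might write), and it reimplements the "$1$" MD5-crypt scheme with Python's hashlib so the perl example from the message can be reproduced. Traditional DES-crypt itself is not reimplemented here, so those hashes are only classified; the 13-character strings and the "$1$aaaaaa$..." value are taken from the message, and the hex sample in the usage note is constructed. The verify function shows the defender's side of the salt: recompute with the stored salt and compare in constant time.

```python
import hashlib
import hmac
import re

# crypt(3)'s 64-character output alphabet, shared by DES-crypt and MD5-crypt.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` six-bit digits of `value`, least significant digit first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """FreeBSD/Linux MD5-crypt ("$1$"). Returns the full "$1$<salt>$<hash>" string.
    `salt` may be given bare ("aaaaaa") or as the crypt setting ("$1$aaaaaa$")."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]          # salt stops at the first '$', max 8 chars
    sp = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()  # MD5(pw, salt, pw), mixed in per 16 bytes of pw
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                            # one byte per bit of len(pw): NUL or pw[0]
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                     # the deliberate slow-down loop
        c1 = hashlib.md5()
        c1.update(pw if i & 1 else final)
        if i % 3:
            c1.update(sp)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()

    # Output bytes are interleaved in this fixed order before base-64 encoding.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def identify_hash(stored):
    """Classify a stored hash by shape. Returns (label, salt_or_None).
    Only the "$id$" prefixes are definitive; the bare-hex cases are heuristics."""
    m = re.fullmatch(r"\$(1|5|6|2a|2b|2y)\$([^$]*)\$?.*", stored)
    if m:
        label = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}.get(m.group(1), "bcrypt")
        return label, m.group(2)
    if len(stored) == 13 and all(ch in ITOA64 for ch in stored):
        return "des-crypt", stored[:2]        # traditional DES: 2-char salt, 11-char hash
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5?", None           # what PHP md5($pw) would store
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "unsalted-sha1?", None          # what PHP sha1($pw) would store
    return "unknown", None


def verify_password(candidate, stored):
    """Recompute with the stored salt and compare in constant time (MD5-crypt only here)."""
    kind, salt = identify_hash(stored)
    if kind != "md5-crypt":
        raise NotImplementedError("only $1$ hashes are reimplemented in this example: " + kind)
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)


if __name__ == "__main__":
    for sample in ("02SvtVJnRLzuQ", "42jhVP6kxUBX6", "$1$aaaaaa$FuYJ957Lgsw.eVsENqOok1"):
        print(sample, "->", identify_hash(sample))
    print(md5_crypt("password", "$1$aaaaaa$"))
```

Running it against the message's own perl output is the check: md5_crypt("password", "$1$aaaaaa$") must reproduce "$1$aaaaaa$FuYJ957Lgsw.eVsENqOok1", and the same password with a different salt gives an unrelated string, which is exactly why a per-account salt defeats a shared lookup table (including the Google trick in the PS). A constructed 32-hex string such as "0" * 32 is reported as "unsalted-md5?", the case the reply calls "anyone's guess" when PHP does the hashing.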
