Monty Pyth wrote:
I have inherited a website to work on that users authenticate to
using a login and password from a login page. The server is FreeBSD
6.2 running APACHE/PHP/MYSQL. There is a MYSQL table that maintains
all of the users. The table has a users name and password. The
password is hashed and some examples are:


Can anyone tell me what file I would look at to see what hash
algorithm is being used to store the passwords in the table? Any help
would be great.

If this is using Apache basic auth (mod_authn_dbd) then the passwords
will be stored using the old-style DES password hash.  If the passwords
are managed from PHP, then it is anyone's guess as to how they are

The samples do provided look like old-style DES password hashes, but it's
not possible to be certain that's what they are just by looking at them.
See crypt(3) for the OS interface for generating password hashes.  There
is an equivalent PHP function:

or you can play with perl to learn how it works:

% perl -le 'print crypt("password", "aa");' aajfMKNH1hTm2

The 2nd argument is the salt, a randomly generated value used to ensure
that the same password encrypts to different hashes if used in different

It's the same basic API that is used in the system password file,
but nowadays the salt is 6 characters rather than two, and there is
a choice of hashing function -- this uses MD5:

  % perl -le 'print crypt("password", q{$1$aaaaaa$});'



PS. 42jhVP6kxUBX6 is a Googlewhack, or it was until I sent this message.
However one way of quickly decoding a password has is just to Google
for the crypt text -- no guarantees but surprisingly often you'll find
the answer for the old style DES hashes...

Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP:     Ramsgate
                                                 Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to