> Any ideas how I might test against the encrypted password
> without knowing the salt?

For standard DES crypt the salt is stored in the first two chars of the crypted password. I guess those web tools aren't letting you specify the salt, but you can with PHP's crypt() function.

Actually I just looked at the docs for crypt and they're pretty good, see example 1 for how to handle checking for password matches:

"You should pass the entire results of crypt() as the salt for comparing a password, to avoid problems when different hashing algorithms are used."

    if (crypt($user_input, $password) == $password)

http://nz2.php.net/crypt

> function htpasswd($pass){
>     return crypt(trim($pass),base64_encode(CRYPT_STD_DES));
> }

Your function is always passing a base 64 encoded constant "1" (the value of CRYPT_STD_DES) as salt, which encodes to "MQ==", hence the "MQ" at the front of your generated password.

Right, sleep time for me.

Julian.

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
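
The check described in the reply above, as an added example that is not part of the original message or the PHP manual: it verifies a standard DES crypt hash by reusing the stored hash as the salt, and generates a fresh two-character salt per password instead of the constant "MQ". The helper names `random_des_salt`, `htpasswd_des` and `verify_crypt` are hypothetical, and the passwords are constructed sample values.

```php
<?php
// Added example; helper names are hypothetical, sample passwords are constructed.

// The 64-character alphabet that standard DES crypt accepts in a salt.
const CRYPT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Two random salt characters, so equal passwords no longer give equal hashes.
function random_des_salt(): string
{
    $salt = '';
    for ($i = 0; $i < 2; $i++) {
        $salt .= CRYPT_ALPHABET[random_int(0, 63)];
    }
    return $salt;
}

// Replacement for the quoted htpasswd(): same DES format, per-password salt.
function htpasswd_des(string $pass): string
{
    return crypt(trim($pass), random_des_salt());
}

// Verify without knowing the salt separately: crypt() reads it back from
// the first two characters of the stored hash.
function verify_crypt(string $input, string $stored): bool
{
    $candidate = crypt($input, $stored);
    // On failure crypt() returns a string shorter than 13 characters.
    if (strlen($candidate) < 13) {
        return false;
    }
    // hash_equals() compares in constant time, unlike ==.
    return hash_equals($stored, $candidate);
}

// The quoted function's salt: base64_encode(1) is "MQ==", DES uses "MQ".
$constantSalt = crypt('secret', base64_encode(CRYPT_STD_DES));
echo 'constant-salt prefix: ', substr($constantSalt, 0, 2), "\n";

$stored = htpasswd_des('secret');
echo 'random-salt prefix:   ', substr($stored, 0, 2), "\n";

var_dump(verify_crypt('secret', $stored));        // correct password
var_dump(verify_crypt('wrong', $stored));         // wrong password
var_dump(verify_crypt('secret', $constantSalt));  // old hashes still verify
```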
