Re: [PHP-DB] password encryption
Han, You can try installing mcrypt, it gives you encryption/decryption capabilities in PHP. It's fairly easy to install in you're running a Windows system; I think you have to recompile php if your on a Linux system, and I have never been able to successfully do that. You might look into it though, I don't quite understand why it can't be included with the default PHP installation, or be made easier to install. http://us2.php.net/mcrypt -JD Han wrote: Hello, I'm having a real problem and wondering if anyone can help. I need to set up htaccess ans htpasswd files to authenticate users on my system. I need to do it with PHP, but can't find a way of encrypting the password so it works. I've used an online encrypter for testing the system, and I've got the .htaccess and .htpasswd files correct, but I need to programmatically encrypt the password in my script then write it to the 2 files. Han. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] password encryption
Thanks to evryone for their help. Haven't done it yet as I'm working on someone else's server and they won't do certain things. I've got all the info I was lacking now, so I'm sure I can work something out. Han. - Original Message - From: php_user [EMAIL PROTECTED] To: Han [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, November 19, 2004 12:21 PM Subject: Re: [PHP-DB] password encryption Han, You can try installing mcrypt, it gives you encryption/decryption capabilities in PHP. It's fairly easy to install in you're running a Windows system; I think you have to recompile php if your on a Linux system, and I have never been able to successfully do that. You might look into it though, I don't quite understand why it can't be included with the default PHP installation, or be made easier to install. http://us2.php.net/mcrypt -JD Han wrote: Hello, I'm having a real problem and wondering if anyone can help. I need to set up htaccess ans htpasswd files to authenticate users on my system. I need to do it with PHP, but can't find a way of encrypting the password so it works. I've used an online encrypter for testing the system, and I've got the .htaccess and .htpasswd files correct, but I need to programmatically encrypt the password in my script then write it to the 2 files. Han. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] password encryption
You need to understand how the htaccess file and its passwords are created. using mcrypt will likely lead to problems. htaccess passwords are encrypted with DES algorithm [quote http://www.edevcafe.com/viewdoc.php?eid=97] If you wanted to write a CGI script to help you add/delete users from the .htpasswd file, then you need to know something about the format of this file. Each line of the .htpasswd file contains one username/password combination that looks something like this: Username:w8G2g305KxNd2 Note that the first 2 characters of the encrypted password represent the SALT used by the 2-char DES encryption algorithm that produced the encrypted string you see above. The command crypt(password, w8) in PHP4 will produce w8G2g305KxNd2. Since DES encryption is a one-way encryption algorithm, this provides us with a way to encrypt the suspect password so it can be compared to the known password. [/quote] There is no need to use decrypt since that is not how the htaccess authorization works (unless you write a custom page to check the values (and since you can encrypt before checking) decrypt is not used) hth bastien From: php_user [EMAIL PROTECTED] To: Han [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: [PHP-DB] password encryption Date: Fri, 19 Nov 2004 07:21:53 -0500 Han, You can try installing mcrypt, it gives you encryption/decryption capabilities in PHP. It's fairly easy to install in you're running a Windows system; I think you have to recompile php if your on a Linux system, and I have never been able to successfully do that. You might look into it though, I don't quite understand why it can't be included with the default PHP installation, or be made easier to install. http://us2.php.net/mcrypt -JD Han wrote: Hello, I'm having a real problem and wondering if anyone can help. I need to set up htaccess ans htpasswd files to authenticate users on my system. I need to do it with PHP, but can't find a way of encrypting the password so it works. I've used an online encrypter for testing the system, and I've got the .htaccess and .htpasswd files correct, but I need to programmatically encrypt the password in my script then write it to the 2 files. Han. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] password encryption
Hello, I'm having a real problem and wondering if anyone can help. I need to set up htaccess ans htpasswd files to authenticate users on my system. I need to do it with PHP, but can't find a way of encrypting the password so it works. I've used an online encrypter for testing the system, and I've got the .htaccess and .htpasswd files correct, but I need to programmatically encrypt the password in my script then write it to the 2 files. Han. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] password encryption
You can use PHP to handle the auth headers and all: http://www.php.net/manual/en/features.http-auth.php That might give you more flexibility than trying to dynamically set it on the .htpassword and such. There are a couple of ways to encrypt something. You can do it in a way that can be decrypted and checked against what the user entered. Or you can do a one-way encryption that uses the same method every time, so someone enteres dog and it encrypts into sdlkfj.. If you do a one-way encryption, there's no feasible way to turn sdlkfj back into dog but if the user enters dog again, and you encrypt it the same way, it'll always come out as sdlkfj which will match the one-way encrypted string that you stored. If you want to be cheesy, you can also use something like an MD5 has on dog and get whatever it gets Then every time someone enters dog it always ends up with the same MD5 hash. The chance of two different strings having the same MD5 hash is very very unlikely. Anyway, some stuff to think about. Good luck! -TG -Original Message- From: Han [mailto:[EMAIL PROTECTED] Sent: Thursday, November 18, 2004 11:29 AM To: Bastien Koert; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [PHP-DB] password encryption Hello, I'm having a real problem and wondering if anyone can help. I need to set up htaccess ans htpasswd files to authenticate users on my system. I need to do it with PHP, but can't find a way of encrypting the password so it works. I've used an online encrypter for testing the system, and I've got the .htaccess and .htpasswd files correct, but I need to programmatically encrypt the password in my script then write it to the 2 files. Han. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] password encryption
Quoting Gryffyn, Trevor [EMAIL PROTECTED]: If you want to be cheesy, you can also use something like an MD5 has on dog and get whatever it gets Then every time someone enters dog it always ends up with the same MD5 hash. How is using MD5 cheesy? I've implemented exactly that solution a number of times. Admittedly, only for a very small site, mainly as the 'site content update' password. -P ps. and on another note, why am I in the list of direct addressees here? -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] password encryption
Hah.. Because I figured it wouldn't be an accepted solution by real security people. :) I've used it too. Also used the md5_file() function to create a duplicate file scanner for my home PC. The only problem with using MD5 or another one-way solution on a general site that doesn't require super-security is that when people forget their password, you have to do a Click this to reset your password, have it reset to something random, then have them change it when they log in. There's no Send me my password ability, which I find kind of useful on general sites that make you log in (free registration and such). As for why you're in the direct mail.. I don't know. I just did Reply all to the original question and you must have been in it. :) Just enjoy the love and stop complaining. Hah. -TG -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, November 18, 2004 12:15 PM To: [EMAIL PROTECTED] Subject: RE: [PHP-DB] password encryption Quoting Gryffyn, Trevor [EMAIL PROTECTED]: If you want to be cheesy, you can also use something like an MD5 has on dog and get whatever it gets Then every time someone enters dog it always ends up with the same MD5 hash. How is using MD5 cheesy? I've implemented exactly that solution a number of times. Admittedly, only for a very small site, mainly as the 'site content update' password. -P ps. and on another note, why am I in the list of direct addressees here? -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] Password encryption
Can anyone recommend, or does anyone have handy, a script that will encrypt passwords AND then also be able to retrieve the encrypted password. Checking out the docs and some books has confused me mostly. Thx -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] password encryption
Can anyone recommend, or does anyone have handy, a script that will = encrypt passwords AND then also be able to retrieve the encrypted = password. I am not able to use mcrypt. Checking out the docs and archives and some books has confused me mostly. Thx -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Password encryption
On Thu, 04 Mar 2004 12:46:51 -0600, Mignon Hunter wrote: Can anyone recommend, or does anyone have handy, a script that will encrypt passwords AND then also be able to retrieve the encrypted password. Checking out the docs and some books has confused me mostly. Thx Yes and no. $pw = md5(password); works well. However, you cannot decrypt. You store $pw (above) in the database and when a user wants to log in, you encrypt their entry and compare it to the value -- also encrypted -- stored in the db. If there is a match, they get in; but you have no knowledge of their password(s). Neither does anyone else who hacks in. hth, Doug -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Password encryption
It is a string function that returns a 32-character md5 hash of password. MD5 is the name for a current RSA Message Digest Algorithm encryption method. A search in the manual for md5 gets you to the little bit of information in the manual plus a link to RFC 1321 which likely provides more information than you want. Doug On Thu, 4 Mar 2004 15:35:52 -0500, Kevin wrote: Hi Doug and All, I am real new to PHP and wanted to know if you can explain the [md5(password);] code? Is this a set function? Thanks, Kevin - Original Message - On Thu, 04 Mar 2004 12:46:51 -0600, Mignon Hunter wrote: Can anyone recommend, or does anyone have handy, a script that will encrypt passwords AND then also be able to retrieve the encrypted password. Checking out the docs and some books has confused me mostly. Thx Yes and no. $pw = md5(password); works well. However, you cannot decrypt. You store $pw (above) in the database and when a user wants to log in, you encrypt their entry and compare it to the value -- also encrypted -- stored in the db. If there is a match, they get in; but you have no knowledge of their password(s). Neither does anyone else who hacks in. hth, Doug -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
