[uug] password encryption

[Wade Preston Shearer]

i am currently using ".htpasswd" and ".htaccess" files to secure areas 
of a website. i am aware that this type of authentication sends the 
password plain text and am fine with this. i am not concerned about 
keeping hackers out... just random people. basically, it's good enough.

i have been creating passwords (entering them, adding them to the 
database, encrypting them) via the command line, with...

	htpasswd .htpasswd.filename username

i would like to change the way that i do things a little bit. first, i 
am going to stop using ".htaccess" files. instead, i am going to use 
PHP to send the appropriate headers. i want to use the same database 
information (usernames and passwords).

i wrote the PHP script that initiates the "login" dialogue, but found 
out something...

the passwords stored in the database that are create via the command 
line syntax i listed above, they are encrypted. when you enter them 
manually, they aren't (obviously).

if i registered a new user (username: bob, password: apple), his entry 
in the database is something like...

	bob:T3dh93jO2

when you try and authenticate via a "login" dialogue that .htaccess 
initiated, it understands that the "apple" that you typed in is equal 
to "T3dh93jO2" and lets you in.

when you try and authenticate via a "login" dialogue that PHP 
initiated, it doesn't work... I guess it doesn't understand to decrypt 
it.

my reason for encryption is purely for user privacy (so the admin 
doesn't know passwords, not to protect against sniffers (as stated 
earlier).

so... my questions...

1. what kind of encryption is used when i am using "htpasswd" when 
registering users via the command line?

2. can i encrypt passwords with this same encryption using PHP?

3. can i make PHP read encrypted passwords?

-wade



____________________
BYU Unix Users Group 
http://uug.byu.edu/ 
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list