Hello David, On Thursday, August 18, 2005 at 11:34:16 PM David wrote:
> So since it uses crypt, which isn't md5, there is no way for me to > convert it to an md5. It uses crypt() with MD5, if available. But that's not the same as "only MD5 hashing the password", correct. An not, you can't "convert" the passwords, as the crypted password is not suitable to figure the plain text password, needed for creating a plain MD5-hash. > I guess the best thing to do then is just to store the pw's as plain > text, then convert them to whatever I need to, to operate with my > other systems? Yes, you'd have to store the plain text password (which vpopmail already does, if './configure'-ed properly) and operate with it, if your other program(s) can't handle standard crypt()-ed passwords. > Or is there a patch to have vpopmail store them as md5's? Not I'm aware of. But honestly: why would you want to give up a good portion of security by reverting from crypt()-MD5 to "pure MD5"? crypt(), using MD5, creates much more secure encrypted passwords, because of the changing SALT, while plain MD5 hashing will create the same hash over and over again, if several people use the same password. This is the reason for SALT-ing in crypt(); different encryption runs on the same password will result in a different encrypted password-string as a different SALT is used every time. So an attacker can *not* guess if two passwords are the same by having a look only at the crypt()-ed version! Tell your vpopmail to store plain text version of passwords additional to crypt()-ed version and make your other program(s) work on that version. If you need a MD5-hashed version it should be rather easy to patch vpopmail to store this additional value in database whenever it changes the password, it's just one additional column to store and vpopmail does not even have to MD5 the string itself, it just has to insert a value 'MD5("passwd")' in SQL-[INSERT|UPDATE] for MySQL storing the MD5 hash of the password. I'll take a look at the source later today or tomorrow, but it shouldn't be much work (except for me, I have to compile and set up a MySQL-driven vpopmail *doh*; so if anyone with vpopmail already fed by MySQL could take a look ...?). -- Best regards Peter Palmreuther In space, lemmings need only open their helmets.