crypt and salt

Anon

I am attempting to create a simple password authentication scheme using crypt(). I assign a salt that is fixed like the number 12 and then encrypt the password snd store it in the db. When I go to authenticate tthe password using the same salt, "12", it will match any word/string I type in. Here is the code for comparing the stored password and the user-entered password:

$salt ="12";
$crp_password = crypt('$password','$salt');
<db connect stuff>
$sql = "SELECT * from tble WHERE user_name = '$user_name'";
$result = mysql_query($sql);
$myrow = mysql_fetch_array($result);
if ($crp_password == $myrow[password]) {
echo "Password verified!";
}else{
echo "Invalid password!";
}

Any ideas?

Thanks

cordex

$crp_password = crypt('$password','$salt');

This is your problematic line.

When this evaluates the string and the salt, the single quote doesn't tell it to parse the variables in the string. It is actually evaluating the string "$password" (not the variable contents) with the salt "$salt", which of course returns the same crypted data ($st6HWsQnQGV.)

To fix this:
$crp_password = crypt($password,$salt);
or
$crp_password = crypt("$password","$salt");

-Ben

Anon

Why don't you use the password as the salt

$crp_password = crypt('$password','$password);

That way nobody will ever know the password accept the person providing $password

This is so simple yet it's overlooked by so many people

Mark
hdwt.com

Anon

Except that the salt is prepended to the encrypted form...

Anon

<?php

$password = "helloworld";

$crypted = crypt($password,$password);
echo $crypted;

Produces he3Sp/phhBIIM

How the hell are you gonna know helloworld was the password ...eh

From the he

Mark

Anon

Produces he3Sp/phhBIIM

How the hell are you gonna know helloworld was the password ...eh <<

echo crypt('helloworld','he');

ALSO produces he3Sp/phhBIIM, as PHP truncates the salt to 2 characters.

It's no great shakes to force-crack it. (Indeed I have a PHP script to do it!)

--Mike

Anon

PHP does allow longer salts.

Hey mike, how long does that script take to brute force, say, the "helloworld" password with the "he" salt?

-Ben

Anon

Ok you could do this to obtain the salt from the password provided

$salt = substr(strrev($password),strlen($password)/2,strlen($password)-1);

This would make it more difficult for someone looking at you crypted password to crack the original password, it's not bullet proof, but it suffices

Mark