compare encrypted password

Schlum

Hi Evrybody,

I would like to compare 2 encrypted password, via the htpasswd.exe of apache.
Because of the salt, the password I generate dinamically and the one previously saved into my .htpasswd file are not the same. I mean at least not the same string, they must contain the same information.
Does anybody know how I can manage that problem ?

For information, I am building a script that allow users to change their htaccess password dynamically, but I do need to check their password first. To encrypt the pass they give via a form, I use the exec() fonction of php to call htpasswd.exe

Thx

Schlum

diego25

I think you use the encrypted password as the salt.

Diego

Schlum

md5("clear_pass","encrypted_pass") ?

this one doesn't work because of the encrypted pass lenght

The fact is I don't have the real password in clear, i just have its encryption, but I have the pass the user try to autenficate with and I can encrypt it.

Other thing, I am using windobe for the moment and the md5 fonction in php is not the same at all than the apache htpasswd ...

I keep searching for an answer on the web

Thx for the answer

Schlum

I meant th crypt fonction, the md5 fonction takes only one argument.
But the result is still not what I need

By the way my entries look like this :

user1:$apr1$zW4.....$XYpXlENtsz8iIFuJzp8dK1

How can I find the salt in this string ?

Thanks in advance

Schlum

diego25

Like I said, use the encrypted password as the salt. Run this example and it'll show you what I mean:

<?
$pass = "hello";

$cpass = crypt($pass);  // crypt it once
print $cpass . "\n";
print crypt($pass) . "\n";  // crypt same password without a salt - notice it's different
print crypt($pass, $cpass) . "\n";  // crypt same password, with encrypted password as salt - notice is the same
?>

Diego

Schlum

First, thank U to have spend some time to answer me 🙂

As i previously said, the encryption algo of the crypt fonction is not the same of the apache one.
For instance, if I try to crypt the password "user1" I have the following results :

htpasswd.exe : $apr1$yf5.....$rywPB6K.qNXuoBYHOTDP./
crypt() : t.ztYC5AS4ZLM

As you see, it is not the same, and if I try to use the second in a apache Basic auth, ... it doesn't work.

So I think no function of php can do the job, because the md5() function is also not the same (apache designed its own modified-md5 algo) and the crypt() fonction will change with the OS (I think the crypt() function of php is just a call to the crypt() fonction of the OS ).
Sooo maybe a third party utility that i could call from php (as I already do to encrypt the password with a call to htpasswd.exe).
Otherwise I always can stock the password in clear in the .htpasswd but ..... I am not keen on this solution.

Any idea ?

thanks

Schlum

diego25

Yeah, I know, but if I remember correctly, for the httpasswd, you also pass the encrypted password as the salt.

Diego

Schlum

well, the help from htpasswd.exe is :

Usage:
htpasswd [-cmdps] passwordfile username
htpasswd -b[cmdps] passwordfile username password

    htpasswd -n[mdps] username
    htpasswd -nb[mdps] username password

-c Create a new file.
-n Don't update file; display results on stdout.
-m Force MD5 encryption of the password (default).
-d Force CRYPT encryption of the password.
-p Do not encrypt the password (plaintext).
-s Force SHA encryption of the password.
-b Use the password from the command line rather than prompting for it.
On Windows, TPF and NetWare systems the '-m' flag is used by default.
On all other systems, the '-p' flag will probably not work.

I don't think it is possible de specify the salt for the encryption.

This thing start sligthly to get on my nerve. Furthermore, I didn't find any information on the apache website .... They could at least tell how apache can manage to recognise the password you enter in clear in the authentification box from the encrypted version saved in the .htpasswd
Well well some use to say it is the interesting part in programing process 😉

Keep looking for an answer

+
Schlum

Bye the way, thks again for all the answers you took the time to writte.

diego25

If you see the help outputted by your htpasswd.exe, you'll see that it uses md5 by default. So can you encrypt "password" enforcing the CRYPT function and post the result here?

Diego

Schlum

well I did this one :

D:\Websites\partner_area\pub>htpasswd -dnb user1 user1
Automatically using MD5 format on Windows.
user1:$apr1$Y12.....$GXLZoaAMjPmnJqa0ia4IZ/

n an b argument for a output on stdout and use the pass of the command line

d to force the CRYPT encryption

I don't undestand why it doesn't give me the same kind of result the crypt() fonction of php ... Damn' it !!

diego25

Hmm...the "....." inside the password look weird....

I tried this in PHP

<?
print crypt('user1', '$1$'.md5('user1'));
?>

so that the crypt function would use MD5, but the result wasn't anything like yours...

Sorry, I don't think I can help you anymore 🙁

Diego

Schlum

Thank you very much for the help !

I continue to look for an answer and will post if I found any.

Schlum

By the way I just realised that I forgot to mention I am working for the moment with EasyPhp (last version, 1.6 I think), which mean I am under apache 1.3

britzman

Hi Schlum,

I don't know if you found a solution to your encrytpted password comparison problem but as far as I am aware in the htpasswd file the first two characters are used as the salt.

e.g. using htpasswd as follows you get the output below

/apache/bin/htpasswd -nb frank sinatra
frank:mlVo7KaArYZhg

Notice the first two characters of the 'password' are "ml".

In the following PHP code:

$x = crypt( "sinatra", "ml" );

$x is set to mlVo7KaArYZhg, the same value created by htpasswd.

Q.E.D. (when you know how 🆒 )

Hope this helps.

Regards
Nick

gman-03

So if you use htpasswd without the -c, it uses the first two characters of the encrypted password for the salt of the crypt function, but what does it use for the salt if you do use the -c option?

britzman

Not sure. I assume it randomly generates the salt, which will then be written to the password file. It can then be used from the file for future password comparisons.