crypt() question

Stinger51

Here's what the on-line manual has to say about it :

$password = crypt('mypassword'); // let the salt be automatically generated

/ You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) /

if (crypt($user_input, $password) == $password) {
echo "Password verified!";
}

I took the encrypted password that was returned. I then plugged it into the function call as shown and ran it again. But surprise. No match. Why? Because the function encrypted the password again! Stupid, I know.

Now since there is no "decrypt" function, how are you supposed to be able to bang the encrypted password against the user input and check for a match? One-way encryption functions ain't much use, if you ask me. It's sort of like "write-only" memory. :rolleyes:

The process should be more like :

encrypt the user's password
store it somewhere (DB table, whatever)
take user input and retrieve password from table
de-encrypt password and compare with user input for match

bpat1434

Well, if you're storing the encrypted password, why not just modify the procedure to work?

If de-encryption is not possible, encrypt the user input (i.e. come up with your own SALT to use for the passwords) and then compare the two encrypted strings.

That's what I do with md5(). Here's my simple check:

<?php

if($password == md5($userpass))
{
    // Logged In
}
else
{
    // Failure
}

?>

Hope that helps.

~Brett

bpat1434

Here's a PHP.Net User Note for you:

To authenticate against a stored crypt in MySQL, simply use:

SELECT ................
AND Password=ENCRYPT('".$_POST['password']."',Password)

AFTER you crypt() your plain-text password, with 2 RANDOM characters, the RESULTING scrambled output with have the 2 randomly-selected characters as its first 2 characters.

Later, to check a password presented by the user, you use the first 2 characters of the SCRAMBLED password as the salt.

If that's true, you can do this then:

<?php

$salt = substr($password, 0, 2);

if(crypt($user_input, $salt) == $password)
{
    // Logged In
}
else
{
    // Failure
}

?>

~Brett

Stinger51

You've explained that much better than the on-line manual does. I'll try doing the "salt" stuff and see if that fixes things. But it still looks like "FM" to me. :queasy:

Anyway, as I was thinking thru this "issue" I think I finally discovered what crypt() is trying to do. I discovered this by reading thru (like a good little boy) the various users' notes that were contributed to the web page on that topic. And one of them mentioned a non-existent decrypt_md5() function.

Then it finally hit me what one-way encryption was all about. You take the user's input for a password from the Sys Admin Panel (or whatever you call your panel) when you sign them up. And then you hash it thru crypt() or md5(). You store that result in your favorite DB table. And then nobody knows what the hell it means.

Then, when User X logs into your killer app, your take his or her password entry, hash it again (but only with md5(), as crypt() will give you a different return value every time) and you then compare those two password variables. If you have a match, voilà! If not, give them 2 or 3 attempts -- before you lock them out of your killer app with your favorite PHP script. :xbones:

Now, why in the f--k couldn't the geeks who wrote the PHP manual just say that to begin with? Which is also why you never, Never, NEVER let a geek write the manual.

bpat1434

Isn't that what I said?

I agree with you, the manual is tough at times. But you have to remember, the manual explains functionality, not applicability. It is the coder/programmer that comes up with the final use and application. So what you use crypt for may not be what I use crypt for; however, we both use it to encrypt data.

And as far as I know, every user log-in system exactly as you explained it. That is how the crypt() or md5() functions apply to the situation. It is assumed (although we all know what happens when you assume) that by using the function, you are applying it and know why you're applying it. Just to say "I'm encoding a password" is not a why. It is a means, but to what end? How will one check the validity of a password once submitted? Encrypt the user supplied password and check against the database!!

The main reason I don't use crypt() is simply because it's hard to "decrypt" or check against. md5 is a safe bet since it requires little know-how to function. It is safe (for the most part) unless you want to use base64_encode.

Anyway, glad to hear you figured it out. One thing to keep in mind is to think about the flow of how your script will work. "If I encode a string, how will I get it decoded? Can I decode it? If not, can I check it against anything? If so, how do I check it? Can I encode using the same algorithm?" Asking those types of questions to yourself first will find you answers, and will make you a better programmer.

~Brett