.htpasswd (encrypted passwords?)

[Estella]

Hi

If I lock a directory using the lock directory function on my web host a .htpasswd file is created. This is good. The password in the .htpasswd file is stored in an encrypted format.

I would like to be able to automatically add users and passwords to this file when users of my site register. The problem is that: Using the automatic function of my web host to lock the directory turns the password 'test'

into 'vhlNxdW73MO9U'

Using php crypt turns it into:

'$1$EqTMQ8yb$ByeyycScxrohEC8xSPApg0'

and using php md5 turns it into:

'098f6bcd4621d373cade4e832627b4f6'

So I'm not sure how to encrypt a password using my own script before I write it to the .htpasswd file???

I do hope the above makes some sense coz I've had a few beers.

[mrobinson]

Hi Estella,

Your question intrigued me a little so I decided to look into it.

First when you encrypt the password you need to use Standard DES-based encryption with a two character salt.

PHP Code:

 $salt = 'MR'; /* This ideally would be randomly generated */
 $password = 'thePassword';
 $hash = crypt($password, $salt);
 echo $hash; 


In the example above I set the salt to MR.
This produces the $hash = MRxMiKl2Nkovw


Now if you need to compare a password to the hashed version you need to use the same salt value (which is the first two characters of the hash result). This is what Apache does (I believe).

PHP Code:

 $oldHash = 'MRxMiKl2Nkovw';
 $salt = substr($oldHash, 0, 2); /* i.e. MR */
 $password = 'thePassword';
 $hash = crypt($password, $salt);
 echo $hash; 


This will produce the same hashed value (hence the password matches).

I'm still getting my head around this so I'm not sure if I've explained it clearly, but the code may help?

Regards,
Mark

[mrobinson]

Now that I've read my own post, try this...

PHP Code:

 $salt = 'vh';
 $password = 'test';
 $hash = crypt($password, $salt);
 echo $hash; 


This should give vhlNxdW73MO9U

[Estella]

Hi mrobinson

Thanks for the input

I'm not sure I fully understand the below:

$salt = substr($oldHash, 0, 2); /* i.e. MR */

I assume the above is working out what the original $salt was which was used in the first place? Yeah? What does substr() do? And what does the 0, 2 do?

Sorry if I'm being stupid. You help is really appreciated.

Thanks

Estella

[Estella]

Hey thanks I get it now

I have go t process figured out and it makes sense

I understand that the 'substr($oldhash, 0, 2);' is retrieving the original $salt. I suppose the substr is an e ncryption related command. However, I just need to understand what the 0, 2 bit means? Are there other numbers you can use here for diffent reasons?

Thanks

Estella

[mrobinson]

Hi Estella,

Sorry - I made an assumption.
substr is used to retrieve part of a string.
I was using substr in my example to get the first two characters.

PHP Code:

 substr($oldhash, 0, 2); 


$oldhash is the source string.
0 is the start point (0 = the very start)
2 is how many characters to get

Check out substr in the manual for more info.

[Estella]

Got ya :-)

All makes sense now :-)

Thanks very much!!