Hi guys,

Just been having a peek through the code, very interesting, and fairly easy to follow! However, I have a question regarding the method by which passwords are stored... If I use the same password, I can have a different 'password' that gets stored in the database. For example, a password of 'test' could return...

$1$bflUYjUl$FvwQ0tC/Yy2L5VgxEaQRN0#
$1$KkNETqz5$tBZVjL3cN7F9YM/NZjqUM/

and some others. Now obviously this isn't a problem as it works a treat, and I wouldn't dream of criticising the work on this software. But how does this work? When a user logs on to the email, does it keep trying different possibilities until it's matched? I'm clearly not understanding the method! I'm more just curious as to why this approach was chosen (for my own learning), and what it's actually called...

Cheers, D
The crypt method to store password hashes is the default for all Linux systems, so what you see here is not a special method introduced by ispconfig. The crypt password encoding uses a salt, that's a random string which is hashed together with the password to avoid dictionary attacks on the passwords. If you have a string like this, then the bold part is the salt and the part in italic letters is the resulting hash string:

$1$bflUYjUl$FvwQ0tC/Yy2L5VgxEaQRN0#

If you want to test a given password against this hash, you just use the same salt, combine it with the password and run the crypt function over it. If it results in the same hash, then the password is correct.
OK, I have a password "test" as well. For example I got this encrypted password:

$1$hJDISLLa$q3mR1HF7w8Rj3GNfZH3zB1

so hJDISLLa is my salt. When I run the Java implementation of the crypt method (JCrypt) I get hJTXpPTfFkjZ. as a password. http://www.functions-online.com/crypt.html returns the same value. I tried with salt $1$hJDISLLa$ too but it still differs from q3mR1HF7w8Rj3GNfZH3zB1. What am I doing wrong?
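The two points raised in this thread, how a salted crypt string is verified by re-running the hash with the stored salt (second post) and why a result like hJTXpPTfFkjZ. does not match a $1$ string (third post), can be shown with a self-contained implementation of the $1$ scheme. The following is an added example written for this page; it is not code from the thread, from ispconfig or from JCrypt. It re-implements the MD5-crypt algorithm from FreeBSD's crypt(3) (the "$1$" scheme) in pure Python on top of hashlib, and the function names md5_crypt, new_hash, verify and parse_crypt_string are my own. The parser also recognises the 13-character layout (2-character salt followed by 11 characters) that traditional DES crypt produces when a hasher is called without a "$1$" prefix, which is the shape of the value in the third post.

```python
import hashlib
import hmac
import secrets

# Alphabet used by crypt(3) for its own base-64 variant.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, nchars: int) -> str:
    """Encode `nchars` six-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(nchars):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the $1$ (MD5-crypt) string for `password` under `salt`.

    Follows the FreeBSD crypt(3) algorithm: one mixing pass, then 1000 rounds
    whose inputs alternate between password, salt and the running digest.
    """
    pw = password.encode("utf-8")
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]  # crypt(3) uses at most 8 salt chars
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${encoded}"


def new_hash(password: str) -> str:
    """Hash with a fresh random 8-character salt; same password, different string each time."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5_crypt(password, salt)


def parse_crypt_string(stored: str) -> dict:
    """Classify a crypt(3)-style string so a caller does not compare across schemes."""
    if stored.startswith("$1$"):
        salt, _, digest = stored[3:].partition("$")
        return {"scheme": "md5-crypt", "salt": salt[:8], "digest": digest}
    if len(stored) == 13 and "$" not in stored:
        # Traditional DES crypt: 2-character salt, then 11 characters of hash.
        return {"scheme": "des-crypt", "salt": stored[:2], "digest": stored[2:]}
    return {"scheme": "unknown", "salt": "", "digest": stored}


def verify(password: str, stored: str) -> bool:
    """Re-run MD5-crypt with the stored salt and compare in constant time."""
    info = parse_crypt_string(stored)
    if info["scheme"] != "md5-crypt":
        raise ValueError(f"not an MD5-crypt string (looks like {info['scheme']})")
    candidate = md5_crypt(password, info["salt"])
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    h1, h2 = new_hash("test"), new_hash("test")
    print(h1, h2)                      # two different strings for the same password
    print(verify("test", h1), verify("test", h2))   # both True
    print(parse_crypt_string("hJTXpPTfFkjZ."))       # 13 chars: DES layout, not $1$
```

Nothing in verification tries "different possibilities": the salt is read back out of the stored string, the password is hashed under exactly that salt, and the two strings are compared. Because each account gets its own random salt, two users with the same password do not share a stored string and a precomputed table for one salt is useless against the next. MD5-crypt itself is a legacy scheme; a new deployment would choose the SHA-512 crypt variant or a memory-hard hash, but the salt-and-recompute check works the same way.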