CRYPT Password method

Discussion in 'Developers' Forum' started by japanfred, Dec 21, 2010.

  1. japanfred

    japanfred New Member

    Hi guys,

    Just been having a peek through the code, very interesting, and fairly easy to follow!

    However, I have a question regarding the method by which passwords are stored...

    If I use the same password, I can have a different 'password' that gets stored in the database, for example...

    A Password of 'test' could return...

    $1$bflUYjUl$FvwQ0tC/Yy2L5VgxEaQRN0#
    $1$KkNETqz5$tBZVjL3cN7F9YM/NZjqUM/
    And some others.

    Now obviously this isn't a problem as it works a treat, and I wouldn't dream of criticising the work on this software. But how does this work? When a user logs on to the email, does it keep trying different possibilities until it's matched? I'm clearly not understanding the method!

    I'm more just curious as to why this approach was chosen (for my own learning), and what it's actually called...

    Cheers,
    D
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The crypt method to store password hashes is the default for all Linux systems, so what you see here is not a special method introduced by ispconfig.

    The crypt password encoding uses a salt, that's a random string which is hashed together with the password to avoid dictionary attacks on the passwords.

    If you have a string like this, then the bold part is the salt and the part in italic letters is the resulting hash string:

    $1$bflUYjUl$FvwQ0tC/Yy2L5VgxEaQRN0#

    If you want to test a given password against this hash, you just use the same salt, combine it with the password and run the crypt function over it. If it results in the same hash, then the password is correct.
     
  3. japanfred

    japanfred New Member

    Fantastic, thanks Till.

    I was just curious as to how it works; it makes perfect sense now.
     
  4. jasiustasiu

    jasiustasiu New Member

    OK, I have a password "test" as well. For example I got the encrypted password: $1$hJDISLLa$q3mR1HF7w8Rj3GNfZH3zB1

    so hJDISLLa is my salt.
    When I run the Java implementation of the crypt method (JCrypt) I get hJTXpPTfFkjZ. as a password. http://www.functions-online.com/crypt.html returns the same value. I tried with salt $1$hJDISLLa$ too but it still differs from q3mR1HF7w8Rj3GNfZH3zB1. What am I doing wrong?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The salt is "$1$hJDISLLa" not "$1$hJDISLLa$".
     
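    As an added illustration of Till's two answers (this is example code written for this page, not code from the thread or from ISPConfig): a pure-Python MD5-crypt ($1$), following the algorithm of crypt(3), with a salt parser that accepts the forms tried in post #4 ("hJDISLLa", "$1$hJDISLLa", "$1$hJDISLLa$...") and a constant-time verify. The function names are my own; the hash strings used as sample input are the ones quoted in this thread.

```python
import hmac
from hashlib import md5

# crypt(3)'s own base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_salt(s: str) -> str:
    """Return the bare salt (max 8 chars) from 'salt', '$1$salt', '$1$salt$' or '$1$salt$hash'."""
    if s.startswith("$1$"):
        s = s[3:]
    return s.split("$", 1)[0][:8]


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt as implemented in FreeBSD/glibc crypt(3); returns '$1$salt$hash'."""
    pw, salt = password.encode(), parse_salt(salt)
    sb = salt.encode()
    ctx = md5(pw + b"$1$" + sb)
    alt = md5(pw + sb + pw).digest()
    for i in range(len(pw)):            # one byte of alt per password byte, wrapping at 16
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                            # bit pattern of the length: NUL or first pw byte
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # 1000 stretching rounds with the original's mixing pattern
        r = md5(pw if i & 1 else final)
        if i % 3:
            r.update(sb)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return f"$1${salt}${out}"


def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt taken from the stored string; compare in constant time."""
    return hmac.compare_digest(md5_crypt(password, stored), stored)


if __name__ == "__main__":
    print(verify("test", "$1$hJDISLLa$q3mR1HF7w8Rj3GNfZH3zB1"))  # hash quoted in post #4
```

    Passing the whole stored string to `verify` is what login code does: the salt is read back out of the hash, so nothing but the password has to be supplied at check time.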