How does ISPC compare user password?

Discussion in 'Developers' Forum' started by laptop_user, May 10, 2015.

  1. laptop_user

    laptop_user Member

    Hi,

    Every time I ran this part of the ISPC code below I always ended up with a different hash:

    Code:
    function crypt_password($cleartext_password) {
        $salt="$1$";
        $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
        for ($n=0;$n<8;$n++) {
            $salt.=$base64_alphabet[mt_rand(0, 63)];
        }
        $salt.="$";
        return crypt($cleartext_password, $salt);
    }
    
    echo crypt_password('123456');
    
    My silly question is: how does ISPC compare it with the fixed password in the database during user login if the hash is different? Thanks in advance.

    UPDATE:

    So ISPC is using salt like this:

    PHP:
    $pass = '123456';

    $saved_password = stripslashes('$1$9OxdxF8i$fDXnv40cZVF1d3sDkKcAg0');

    if (substr($saved_password, 0, 3) == '$1$') {
        //* The password is crypt-md5 encrypted
        $salt = '$1$' . substr($saved_password, 3, 8) . '$';

        if (($baru = crypt(stripslashes($pass), $salt)) != $saved_password) {
            $user = false;
            echo "<br><br>wrong pass";
        } else {
            echo "<br><br>correct pass";
        }

        // No salt is passed here, so crypt() picks one itself (the salt argument is mandatory from PHP 8.0)
        echo "<br><br>Hash after encrypt: " . crypt(stripslashes($pass));
        echo "<br><br>Salt from password in db: " . $salt;
        echo "<br><br>After salting: " . crypt(stripslashes($pass), $salt); // for some reason this leads to a similar hash as in db.
    }

    But I still don't understand how a randomly unique hash with salt can actually lead to a similar hash as in the db. Anyway, since it's not an ISPC problem, then consider this problem solved. Thank you.
     
    Last edited: May 10, 2015
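
The mechanism the post asks about, as an added example that is not part of the original post or ISPConfig's own code: the random salt is stored inside the hash string itself (`$1$<salt>$<digest>`), so login re-hashes the typed password with that stored salt instead of a new random one. The function names are hypothetical, and `random_int()` is used for the salt here in place of the `mt_rand()` shown in the post.

```php
<?php
// Added illustration; function names are hypothetical, not ISPConfig code.

// Hash a password as crypt-md5 with a fresh random 8-character salt.
function make_md5crypt(string $password): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($password, '$1$' . $salt . '$');
}

// Split "$1$<salt>$<digest>" into its parts; null for any other format.
function split_md5crypt(string $stored): ?array {
    if (!preg_match('~^\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})\z~', $stored, $m)) {
        return null;
    }
    return ['salt' => $m[1], 'digest' => $m[2]];
}

// Re-hash the candidate with the salt taken from the stored value,
// then compare the two full strings in constant time.
function verify_md5crypt(string $candidate, string $stored): bool {
    $parts = split_md5crypt($stored);
    if ($parts === null) {
        return false; // not a well-formed crypt-md5 value
    }
    $recomputed = crypt($candidate, '$1$' . $parts['salt'] . '$');
    return hash_equals($stored, $recomputed);
}

// Two hashes of the same password, each with its own random salt.
$first  = make_md5crypt('123456');
$second = make_md5crypt('123456');

echo "first hash:  $first\n";
echo "second hash: $second\n";
echo "salt in first:  " . split_md5crypt($first)['salt'] . "\n";
echo "salt in second: " . split_md5crypt($second)['salt'] . "\n";

// Each stored value verifies against the password because its own salt is reused.
echo "verify first:  "; var_dump(verify_md5crypt('123456', $first));
echo "verify second: "; var_dump(verify_md5crypt('123456', $second));
echo "wrong password: "; var_dump(verify_md5crypt('1234567', $first));
echo "truncated hash: "; var_dump(verify_md5crypt('123456', substr($first, 0, 20)));
```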
