APACHE/PHP/MYSQL Password Hash

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Oct 30 09:08:55 UTC 2009


Monty Pyth wrote:
> I have inherited a website to work on that users authenticate to
> using a login and password from a login page. The server is FreeBSD
> 6.2 running APACHE/PHP/MYSQL. There is a MYSQL table that maintains
> all of the users. The table has a users name and password. The
> password is hashed and some examples are:
> 
> 02SvtVJnRLzuQ
> 42jhVP6kxUBX6
> 
> Can anyone tell me what file I would look at to see what hash
> algorithm is being used to store the passwords in the table? Any help
> would be great.

If this is using Apache basic auth (mod_authn_dbd) then the passwords
will be stored using the old-style DES password hash.  If the passwords
are managed from PHP, then it is anyone's guess as to how they are
stored.

The samples you provided look like old-style DES password hashes, but it's
not possible to be certain that's what they are just by looking at them.
See crypt(3) for the OS interface for generating password hashes.  There
is an equivalent PHP function:

   http://uk.php.net/manual/en/function.crypt.php

or you can play with perl to learn how it works:

   %  perl -le 'print crypt("password", "aa");' 
   aajfMKNH1hTm2

The 2nd argument is the salt, a randomly generated value used to ensure
that the same password encrypts to different hashes if used in different
accounts.

It's the same basic API that is used in the system password file,
but nowadays the salt is 6 characters rather than two, and there is
a choice of hashing function -- this uses MD5:

   % perl -le 'print crypt("password", q{$1$aaaaaa$});'
   $1$aaaaaa$FuYJ957Lgsw.eVsENqOok1

	Cheers,

	Matthew

PS. 42jhVP6kxUBX6 is a Googlewhack, or it was until I sent this message.
However one way of quickly decoding a password hash is just to Google
for the crypt text -- no guarantees but surprisingly often you'll find
the answer for the old style DES hashes...

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
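As an added example (not part of Matthew's reply or the original thread), a small Python classifier for the crypt(3) hash layouts he describes: the 13-character traditional DES form (2-character salt, 11-character digest) and the `$id$salt$digest` modular form used by md5crypt and the later sha256crypt, sha512crypt and bcrypt schemes. It also walks a constructed user table and reports which accounts still sit on the legacy DES or md5crypt schemes; the usernames and the bcrypt string are constructed, the DES and md5crypt samples are the ones quoted above.

```python
import re

# Modular-crypt-format identifiers ("$id$...") and the algorithm each names.
MCF_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}

# Traditional DES crypt: 13 chars from the crypt alphabet, salt = first two.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Schemes a 2009-era table should be migrated away from: DES truncates
# passwords to 8 characters with a 12-bit salt; md5crypt is fast and unsalted
# iteration-wise compared to the sha*crypt/bcrypt families.
LEGACY = {"des", "md5crypt"}


def classify_crypt_hash(stored):
    """Split a crypt(3)-style string into algorithm, salt and digest."""
    if DES_RE.match(stored):
        return {"algo": "des", "salt": stored[:2], "digest": stored[2:]}
    if not stored.startswith("$"):
        return {"algo": "unknown"}
    parts = stored.split("$")[1:]          # drop the empty field before '$'
    algo = MCF_IDS.get(parts[0])
    if algo is None:
        return {"algo": "unknown"}
    if algo == "bcrypt":                    # $2b$<cost>$<22 salt><31 digest>
        if len(parts) != 3 or len(parts[2]) != 53:
            return {"algo": "unknown"}
        return {"algo": algo, "cost": int(parts[1]),
                "salt": parts[2][:22], "digest": parts[2][22:]}
    rounds = None                           # sha*crypt may carry rounds=N
    if len(parts) == 4 and parts[1].startswith("rounds="):
        rounds = int(parts[1][len("rounds="):])
        parts = [parts[0], parts[2], parts[3]]
    if len(parts) != 3:
        return {"algo": "unknown"}
    return {"algo": algo, "rounds": rounds, "salt": parts[1], "digest": parts[2]}


def audit_table(rows):
    """rows: (username, stored_hash) pairs. Count schemes, list legacy users."""
    summary = {"by_algo": {}, "legacy_accounts": []}
    for user, stored in rows:
        algo = classify_crypt_hash(stored)["algo"]
        summary["by_algo"][algo] = summary["by_algo"].get(algo, 0) + 1
        if algo in LEGACY:
            summary["legacy_accounts"].append(user)
    return summary


# Constructed sample table: the two DES hashes and the md5crypt hash from the
# thread, plus a made-up bcrypt string of the right shape (not a real digest).
SAMPLE_ROWS = [("alice", "02SvtVJnRLzuQ"), ("bob", "42jhVP6kxUBX6"),
               ("carol", "$1$aaaaaa$FuYJ957Lgsw.eVsENqOok1"),
               ("dave", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234")]
```

The classifier only reads the layout of the string; confirming that a DES-looking value really is crypt(3) output still needs the check Matthew suggests, i.e. the code that writes the column.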
