Page 2 of 3
Posted: Tue Sep 17, 2002 3:05 pm
by JPlush76
I might give that a try hobber
I tried niel's suggestions but if if I use the same password it gives the same hash value in my database
Code: Select all
<?php
function getMD5Salt()
{
return '$1$' . substr(MD5(microtime() . getmypid()),0,12);
}
$newpass = crypt($_POSTї'f_pass1'],getMD5Salt());
?>
I have 4 test entries with the same password and they all have the same value

Posted: Tue Sep 17, 2002 3:22 pm
by nielsene
What platform are you on?
Posted: Tue Sep 17, 2002 3:24 pm
by JPlush76
I've tested it on my local windows 2000 with personal web server/php4/mysql
and I tested it on my hosts site which is unix/apache/php4/mysql
both with the same exact result for the password "jim"
hashed version says "$1TImo4BQjcDU"
Posted: Tue Sep 17, 2002 3:28 pm
by nielsene
If your newpass doesn't begin with $1$, then the computer you are on has not enabled MD5 salts for crypt which is very bizairre. As only the first two characters are being accepted that indicates that its using 3DES instead of MD5.
Posted: Tue Sep 17, 2002 3:32 pm
by JPlush76
well thats some crazy stuff
is the md5 a separate install that has to be made on the server?
do you have any solutions for bypassing the md5 function?

Posted: Tue Sep 17, 2002 3:33 pm
by nielsene
Try echo'ing out the PHP constant CRYPT_MD5. It should be 1 if its 0 then that's the problem.
Posted: Tue Sep 17, 2002 3:35 pm
by JPlush76
she's a zero alright
any work arounds for it?
Posted: Tue Sep 17, 2002 3:37 pm
by nielsene
You should be able to make your own crypt as follows
Code: Select all
function my_md5crypt($pass,$salt)
{
$salt = substr($salt,0,15);
$cryptedPass = MD5($salt.$pass);
return $salt.$cryptedPass;
}
You can pass in either a regular MD5 salt($1$+a 12 char substr of MD5 output), or a stored salted password as the salt and it should behave properly.
Posted: Tue Sep 17, 2002 3:48 pm
by JPlush76
so how would you code calling that function?
Code: Select all
<?php
my_md5crypt('$1$', $_POSTї'f_pass1'])
?>
Posted: Tue Sep 17, 2002 3:51 pm
by Takuma
Thanks guys!
Posted: Tue Sep 17, 2002 5:11 pm
by JPlush76
I could do an MD5 string, does that matter?
md5($password)
5e027396789a18c37aeda616e3d7991b
Posted: Tue Sep 17, 2002 5:29 pm
by JPlush76
here is what I came up with so far
Code: Select all
<?php
function crypt_it($pwd)
{
$salt = substr($_POSTї'f_email'], 0, 2);
$encrypted_pswd = crypt($pwd, $salt);
return $encrypted_pswd;
}
$newpass = crypt_it($_POSTї'f_pass1']);
?>
I use the first 2 characters of their email address to salt it seems to work jolly
Posted: Tue Sep 17, 2002 9:27 pm
by nielsene
OK, plain crypt is much, much worse that plain MD5. Either use MD5 by istelf, use crypt in MD5 mode if your machine support it, or use the my_md5crypt given above.
To call my_md5crypt as given above:
Code: Select all
$password = $_POSTї"enteredPassword"];
$salt = '$1$' . substr(MD5(microtime() . getmypid()),0,12);
$hashedPassword = my_md5crypt($password,$salt);
// store $hashedPassword in your database
To validate a user password
Code: Select all
$username = $_POSTї"username"];
$password = $POSTї"password"];
$storedPassword = getStoredPasswordForUser($username);
if (my_md5crypt($password,$storedPassword)==$storedPassword)
{//success}
else
{//failure}
A slight correction to my_md5crypt:
Code: Select all
function my_md5crypt($pass,$salt)
{
$salt = substr($salt,3,12); // the '$1$' should not be hashed
$cryptedPass = MD5($salt.$pass);
return '$1$'.$salt.$cryptedPass; // but the '$1$' needs to be passed back
}
Posted: Wed Sep 18, 2002 1:50 am
by Takuma
How can I compare a POSTed password with the one in the db using MD5crypt?
Posted: Wed Sep 18, 2002 8:14 am
by nielsene
Takuma the second code snippet in my post before yours shows how to compare a user entered password with the stored hashed password. Basically the steps are
1) Use the username to look up the stored password
2) Hash the entered password, using the stored password as the salt
3) Compare the resulting hash with the stored password