From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Fri, 30 Oct 2009 09:08:42 +0000
To: Monty Pyth
Cc: freebsd-questions@freebsd.org
Subject: Re: APACHE/PHP/MYSQL Password Hash

Monty Pyth wrote:
> I have inherited a website to work on that users authenticate to
> using a login and password from a login page. The server is FreeBSD
> 6.2 running APACHE/PHP/MYSQL. There is a MYSQL table that maintains
> all of the users. The table has a user's name and password. The
> password is hashed and some examples are:
>
> 02SvtVJnRLzuQ
> 42jhVP6kxUBX6
>
> Can anyone tell me what file I would look at to see what hash
> algorithm is being used to store the passwords in the table? Any help
> would be great.

If this is using Apache basic auth (mod_authn_dbd) then the passwords
will be stored using the old-style DES password hash. If the passwords
are managed from PHP, then it is anyone's guess as to how they are
stored. The samples you provided look like old-style DES password
hashes, but it's not possible to be certain that's what they are just
by looking at them.

See crypt(3) for the OS interface for generating password hashes.
There is an equivalent PHP function:

http://uk.php.net/manual/en/function.crypt.php

or you can play with perl to learn how it works:

% perl -le 'print crypt("password", "aa");'
aajfMKNH1hTm2

The 2nd argument is the salt, a randomly generated value used to ensure
that the same password encrypts to different hashes if used in
different accounts. It's the same basic API that is used in the system
password file, but nowadays the salt is 6 characters rather than two,
and there is a choice of hashing function -- this uses MD5:

% perl -le 'print crypt("password", q{$1$aaaaaa$});'
$1$aaaaaa$FuYJ957Lgsw.eVsENqOok1

Cheers,

Matthew

PS. 42jhVP6kxUBX6 is a Googlewhack, or it was until I sent this
message. However one way of quickly decoding a password hash is just to
Google for the crypt text -- no guarantees but surprisingly often
you'll find the answer for the old style DES hashes...

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard Flat 3
Ramsgate Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
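As an added example (not code from the thread), the checks the reply describes written in Python: classify() reads the scheme and salt out of a stored crypt(3) string (a 13-character DES hash, or a $id$salt$hash modular-crypt string such as the $1$ MD5 form), audit() lists users still on the legacy DES/MD5 schemes, and verify() checks a candidate password through the platform crypt(3) with a constant-time compare. The usernames, the "legacy" labelling and the extra scheme prefixes are assumptions for illustration; the hash values are the ones quoted in the thread.

```python
"""Identify which crypt(3) scheme a stored password hash uses and verify a
candidate against it.  Added example; not code from the original thread."""
import hmac
import re
import warnings

# Modular-crypt prefixes understood by crypt(3) implementations (assumed
# list).  "$1$" is the MD5 scheme from the reply's second perl example.
_PREFIXES = {"$1$": "md5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
             "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
# Traditional DES crypt: 13 chars from the [./0-9A-Za-z] alphabet, no prefix.
# Format alone cannot prove it is DES, as the reply says; this is a heuristic.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
_LEGACY = {"des-crypt", "md5-crypt"}  # schemes to flag for migration


def classify(stored):
    """Return {'scheme', 'salt', 'legacy'} for a stored crypt-style hash."""
    if _DES_RE.match(stored):
        # 2-char salt (12 bits), 11-char hash; only 8 password chars are used.
        return {"scheme": "des-crypt", "salt": stored[:2], "legacy": True}
    for prefix, scheme in _PREFIXES.items():
        if stored.startswith(prefix):
            fields = stored.split("$")[2:]            # drop '' and the id
            if scheme == "bcrypt":
                salt = fields[1][:22]                 # cost, then 22 salt chars
            else:
                if fields[0].startswith("rounds="):   # optional for sha-crypt
                    fields = fields[1:]
                salt = fields[0]
            return {"scheme": scheme, "salt": salt, "legacy": scheme in _LEGACY}
    return {"scheme": "unknown", "salt": None, "legacy": False}


def audit(rows):
    """rows: iterable of (username, stored_hash); users on legacy schemes."""
    return [(u, classify(h)["scheme"]) for u, h in rows if classify(h)["legacy"]]


def verify(password, stored):
    """True/False via the platform crypt(3); None when this Python or libcrypt
    cannot do the scheme (crypt module removed in 3.13, DES often compiled out)."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    computed = crypt.crypt(password, stored)   # stored supplies id and salt
    if not computed or computed.startswith("*"):
        return None
    return hmac.compare_digest(computed, stored)
```

Run audit() over the (user, hash) rows pulled from the users table to see which accounts still rely on the 8-character, 12-bit-salt DES scheme before planning a rehash on next login.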