#1
21st December 2010, 13:42
japanfred
CRYPT Password method

Hi guys,

Just been having a peek through the code, very interesting, and fairly easy to follow!

However, I have a question regarding the method by which passwords are stored...

If I use the same password, I can have a different 'password' that gets stored in the database, for example...

A Password of 'test' could return...

$1$bflUYjUl$FvwQ0tC/Yy2L5VgxEaQRN0#
$1$KkNETqz5$tBZVjL3cN7F9YM/NZjqUM/
And some others.

Now obviously this isn't a problem as it works a treat, and I wouldn't dream of criticising the work on this software. But how does this work? When a user logs on to the email, does it keep trying different possibilities until it's matched? I'm clearly not understanding the method!

I'm more just curious as to why this approach was chosen (for my own learning), and what it's actually called...

Cheers,
D

#2
21st December 2010, 14:54
till

The crypt method to store password hashes is the default for all Linux systems, so what you see here is not a special method introduced by ispconfig.

The crypt password encoding uses a salt, that's a random string which is hashed together with the password to avoid dictionary attacks on the passwords.

If you have a string like this, then the bold part is the salt and the part in italic letters is the resulting hash string:

$1$bflUYjUl$FvwQ0tC/Yy2L5VgxEaQRN0#

If you want to test a given password against this hash, you just use the same salt, combine it with the password and run the crypt function over it. If it results in the same hash, then the password is correct.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3
21st December 2010, 15:13
japanfred

Fantastic, Thanks Till.

I was just curious as to how it works, makes perfect sense now.

#4
22nd December 2011, 13:42
jasiustasiu

OK, I have a password "test" as well. For example I got encrypted password: $1$hJDISLLa$q3mR1HF7w8Rj3GNfZH3zB1

so hJDISLLa is my salt.
When I run Java implementation of crypt method (JCrypt) I get hJTXpPTfFkjZ. as a password. http://www.functions-online.com/crypt.html returns same value. I tried with salt $1$hJDISLLa$ too but it still differs from q3mR1HF7w8Rj3GNfZH3zB1. What am I doing wrong?

#5
22nd December 2011, 14:18
till

The salt is "$1$hJDISLLa" not "$1$hJDISLLa$".