  1. #1

    PHP CRYPT_MD5 Authentication

    I am referring to:

    This is kinda confusing, and no one in the above link provided a proper
    solution for verifying a FreeBSD MD5 hash stored in a database; instead, all examples showed how to crypt.

    All right, there is no actual decrypt function since it's a one-way string encryption which is not vulnerable to rainbow or dictionary attacks, unlike the default md5() function.

    As the FreeBSD MD5 documentation says, this authentication process can be achieved by recrypting a user-supplied password and comparing those hashes, without ever revealing the real password to the operating system etc. To be sure, I wanted to share this method and at the same time have other PHP developers here verify it: am I right?

    This is exactly the same format commonly used in /etc/shadow on all Linux distributions.



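    <?php
    $user_input = "test123";

    $no_md5 = "You need to have CRYPT_MD5 support and compile your PHP with --with-mcrypt";

    if (CRYPT_MD5 != 1 || CRYPT_SALT_LENGTH < 12) { die($no_md5); }

    // Create a fresh MD5-crypt hash. PHP 8 requires an explicit salt:
    // "$1$" + 8 characters from [./0-9A-Za-z] + "$".
    $new_salt = '$1$' . strtr(base64_encode(random_bytes(6)), '+', '.') . '$';
    $encrypted_password = crypt($user_input, $new_salt);
    echo "$encrypted_password \n";

    // Hash as stored in the database.
    $stored = '$1$yfV3OHMs$5B0Hsatq/E/V6AQ9omSPR/';
    // crypt() only uses the "$1$<salt>$" prefix of whatever is passed as salt.
    $salt = substr($stored, 0, CRYPT_SALT_LENGTH);

    // Re-crypt the user input with the stored salt.
    $encrypted = crypt($user_input, $salt);

    // echo "$encrypted_password $encrypted";

    // hash_equals() compares the two hashes in constant time.
    if (hash_equals($stored, $encrypted)) {
        echo "Password verified! \n";
    } else {
        echo "Password failed! \n";
    }

    // Verify: repeat the check against the hash generated above.

    $stored2 = $encrypted_password;

    $salt2 = substr($stored2, 0, CRYPT_SALT_LENGTH);

    $encrypted2 = crypt($user_input, $salt2);

    if (hash_equals($stored2, $encrypted2)) {
        echo "Password reverified! \n";
    } else {
        echo "Password refailed! \n";
    }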

    In the above example, $stored is the hash in a database. When you run the above code, output should be similar to this:

    php crypt_md5.php

    Password verified!
    Password reverified!

    It took me quite a while to figure out that I need to use the existing salt for recrypting a user-supplied password. This should be right, but at the time I did this, I was kinda tired
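A login check built on the same idea as the post above (re-hash with the salt embedded in the stored value), given here as an added example that is not part of the original thread. It uses PHP's password_verify(), which accepts crypt()-format hashes such as `$1$`, and replaces the legacy hash after a successful login; the function name verify_login() and the in-memory $users array are assumptions standing in for a real user table.

```php
<?php
// Added example, not the poster's code. verify_login() and the in-memory
// $users array are hypothetical stand-ins for a real user table.

function verify_login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if (!is_string($stored) || $stored === '') {
        return false; // unknown user or empty hash column
    }

    // password_verify() re-runs crypt() with the salt embedded in $stored and
    // compares the result in constant time; a malformed stored value fails.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // A legacy "$1$" (MD5-crypt) hash is not the current default algorithm,
    // so replace it now, while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample record: an MD5-crypt hash made with a fixed demo salt.
$users = ['alice' => crypt('test123', '$1$demosalt$')];

// Wrong password first, then the correct one (which triggers the upgrade),
// then the correct one again to check it against the upgraded hash.
var_dump(verify_login($users, 'alice', 'wrong'));
var_dump(verify_login($users, 'alice', 'test123'));
var_dump(verify_login($users, 'alice', 'test123'));

// Show which hash format the record uses after the successful login.
echo substr($users['alice'], 0, 4), "\n";
```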

  2. #2
    The above example works perfectly. Yesterday I implemented that method on my live site. I also added the same example to the manual yesterday, but now it's gone. Well, if that is the case, why bother giving any examples.
