User Auth logins / crypt

Status
Not open for further replies.

Leozack

MIS
Oct 25, 2002
867
GB
Greetings. I'm using the following code to auth logins. The problem is that I'm checking the passwords against a plain text name:password file, with no encryption. The code here takes salt from the ENCRYPTED password to use to unencrypt it. Either that is wrong and it should take salt from the unencrypted password, or there is some way to make an encrypted password using salt from how it will end up, which seems impossible.

My problem is that I have no way to encrypt the passwords INTO the password list file that I know of, bar echo'ing the results of crypt(password,saltfromunencryptedpassword) and using this encrypted password using the unencrypted password as its salt source, to gain an encrypted password. Am I missing something? The guide I was looking at didn't mention about registering users or how to encrypt their passwords =/

Any help?

    // iterate through file
    foreach ($data as $line)
    {
        $arr = explode(":", $line);
        // if username matches
        // test password
        if ($arr[0] == $user)
        {
            // get salt and crypt()
            $salt = substr($arr[1], 0, 2);

            // if match, user/pass combination is correct
            // return 1

            if ($arr[1] == crypt($pass, $salt))
            {
                $result = 1;
                break;
            }
            // otherwise return 0
            else
            {
                $result = 0;
                break;
            }
        }
    }
 
Well,

the way I use for this is storing the MD5 of the password in the database. It always has 32 chars.

When checking, I check if the md5 of the inserted pass is the same as the password stored (in md5).

md5 is a one-way function, so you cannot retrieve the plain password from the md5.

Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 
So md5 aside (I heard it was the easiest to crack) you're saying the storage of the password (not database in my case but plain file) should just be using a standard crypt (or md5 whatever) of the password which is then checked against the same standard crypt (whatever) of the password input on login? This by-passes salt altogether. Is this the answer? It seems strange that a basic level guide would include the whole salt thing if advanced people don't even use it?
 
I've tried to figure out my problems, and the following are echo'd to my screen when login attempt is processed:
stored pass =12Bz/9hNlPLZk
input pass =1234
salt =12
crypted pass with salt =12Bz/9hNlPLZk
As you can see the end result (crypted pass with salt) is the same as the stored pass. However it still says I've got the wrong password in the code:

    // iterate through file
    foreach ($data as $line)
    {
        $arr = explode(":", $line);
        // if username matches
        // test password
        if ($arr[0] == $user)
        {
            // get salt and crypt()
            $salt = substr($pass, 0, 2);
            // if match, user/pass combination is correct
            // return 1
            echo "stored pass =";
            echo $arr[1];
            echo "input pass =";
            echo $pass;
            echo "salt =";
            echo $salt;
            echo "crypted pass with salt =";
            echo crypt($pass, $salt);
            if ($arr[1] == crypt($pass, $salt))
            {
                $result = 1;
                break;
            }
            // otherwise return 0
            else
            {
                $result = 0;
                break;
            }
        }
    }
 
So do the smart people here agree I should not use salt at all? Or does anyone have a solution to what I'm trying to do, including the way to save the name/password they enter into the flat file (name:password)?
Thanks
 
I ran into the same problem until I trim()med both sides of the comparison:
Code:
trim($arr[1]) == trim(crypt($pass, $salt))
 
You're right, it's the trim() that makes it work. I just wrote a little script (2 tiny files) that lets you enter text and it will then encrypt it using salt. You then save the output as their stored password and the login script successfully can match it up with the encrypted version that you try to log in with.
But there's a problem! It seems it's impossible to write a "return"/"new line" to a file! Don't tell me \n or \r though, my mate tried it (I haven't yet) and the file opens fine with lines in rich text apps like word pad but in notepad you see it's all in fact one line with the block character separating them where it should be a new line! How do I get round this?
Please help =)
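
An added example, not part of the original thread or any poster's code: one way to register users into a name:hash flat file and check logins against it, covering the two problems raised above (the line ending left on the stored hash, and writing a line break that Notepad displays). It uses PHP's password_hash()/password_verify() instead of a hand-picked two-character crypt() salt; the function names, scratch-file path and demo user are assumptions.

```php
<?php
// Added example: flat "name:hash" password file. Function names, the temp-file
// path and the demo user are assumptions, not code from the thread.

function register_user(string $file, string $user, string $pass): bool
{
    // Reject characters that would break the one-record-per-line format.
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        return false;
    }
    // password_hash() generates a random salt and embeds it in the result.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    // PHP_EOL is "\r\n" on Windows and "\n" elsewhere.
    $line = $user . ':' . $hash . PHP_EOL;
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

function check_login(string $file, string $user, string $pass): bool
{
    // FILE_IGNORE_NEW_LINES drops the line ending that otherwise stays glued
    // to the stored hash and makes every comparison fail.
    $lines = is_readable($file)
        ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : [];
    foreach ($lines as $line) {
        $parts = explode(':', rtrim($line, "\r"), 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            // Reads algorithm and salt from the stored hash, then compares
            // in constant time. Also accepts hashes produced by crypt().
            return password_verify($pass, $parts[1]);
        }
    }
    return false;
}

// Demo on a scratch file (constructed data).
$file = sys_get_temp_dir() . '/users_demo.txt';
if (file_exists($file)) { unlink($file); }
register_user($file, 'demo', '1234');
var_dump(check_login($file, 'demo', '1234'));
var_dump(check_login($file, 'demo', 'wrong'));

// The thread's mismatch: file() without flags keeps the line ending on the hash.
$stored = explode(':', file($file)[0], 2)[1];
var_dump($stored == crypt('1234', $stored));
var_dump(trim($stored) == crypt('1234', trim($stored)));
```

The last two comparisons differ only in the trim() call, which is the fix the thread arrived at.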
 