httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] htpasswd question
Date Mon, 20 Oct 2003 07:26:40 GMT
>-----Original Message-----
>From: Michael Scott [mailto:mscott@pyewacket.org]
>
>I want to make it possible via a CGI script for users to 
>change their passwords,
>however, I don't want Bill to be able to change Jim's password.
>
>One way would be to require the user enter their current 
>password.  I was
>planning on executing `htpasswd -nb username currentpasswd` 
>and verifying the
>hash against what's in the file.
>
>The problem is, each time I execute the htpasswd command with 
>the same password,
>the hash is different.  How can that be?

Because that's exactly how the password algorithm works. If there was a
one-to-one mapping between the plaintext password and its hash-encrypted
version, password hacking would be trivially easy and people with the
same plaintext password (e.g. "gandalf") would have the same encrypted
password in /etc/passwd.

(N.B. "htpasswd" borrows all its technology from the unix password
scheme - so what goes for unix passwd, goes for htpasswd; even on
windows.)

When you encrypt a new password, the encrypting alogrithm encodes the
password along with a 2-char string called the "salt". The salt is based
on the system time and process id and there are 4096 possible values.
This means that any given password can produce 4096 different encrypted
hashes.

This begs the question, how do you then verify the password later? Well,
the salt is saved - it's the first two characters in the encrypted
version of the password. So later when you type in the password, the
system, instead of making up a random salt, uses the salt from the file.
So now when it runs the encryption algorithm, it should match.

For example:

- User "joey" makes a new password "banana"
- System gets random salt = "xZ".
- Password encryption: xZ + banana ==> "xZyxcvbnm".
- User "fred" also chooses password "banana".
- System gets new salt "Po" ==> "Poqwertzuiop".

So joey and fred have different encrypted passwords even though their
plaintext passwords are the same (otherwise, by looking in /etc/passwd,
joey could see that fred has the same password as him).

- Later, joey logs in and types "banana".
- System looks joey up in /etc/passwd, and gets salt (xY) from his
password
- runs encryption: xY + banana ==> xZyxcvbnm - password checks!

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



>
>----------------------
>- Mike Scott
>- mscott@pyewacket.org
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Swiss Exchange.
This e-mail is of a private and personal nature. It is not related to
the exchange or business activities of the SWX Swiss Exchange. Le
présent e-mail est un message privé et personnel, sans rapport avec
l'activité boursière de la SWX Swiss Exchange.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message