Re: [qmailadmin] Password encryption

2004-12-12 Thread Tom Collins
On Dec 11, 2004, at 7:02 PM, [EMAIL PROTECTED] wrote:
> So what happens when I try to authenticate to the db? If I get the
> crypted password and do a query such as:
>
> SELECT * FROM table WHERE user = 'user' AND password = 'encryptedpassword'
>
> It would obviously not work since it tries to do an exact match
> correct?

Get the user record from the database.  Call crypt() using the
encrypted password as the salt, and the user-provided password as the
password.  Compare the result of crypt() with the encrypted password
from the database to see if it's a match.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
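
The check described in the reply above, as an added PHP example that is not part of the original post and is not vpopmail or qmailadmin code. The function names, the in-memory `$table` standing in for the MySQL table, and the sample password are assumptions made for illustration.

```php
<?php
// Added illustration; the user table is a constructed in-memory stand-in.
// With MySQL, fetch the row by user only, e.g.
//   SELECT password FROM table WHERE user = ?
// (names as written in the thread), and do the comparison in PHP.

/** Hash a new password as MD5-crypt ("$1$salt$hash") with a random salt. */
function make_md5_crypt(string $password): string
{
    // 6 random bytes give 8 base64 characters; '+' is not in crypt's
    // salt alphabet (./0-9A-Za-z), so map it to '.'.
    $salt = strtr(base64_encode(random_bytes(6)), '+', '.');
    return crypt($password, '$1$' . $salt . '$');
}

/** Check a login attempt against the stored crypt() string. */
function verify_password(string $attempt, ?string $stored): bool
{
    // Unknown user or an empty password column never authenticates.
    if ($stored === null || $stored === '') {
        return false;
    }
    // Passing the stored string as the salt makes crypt() reuse its
    // "$1$" scheme marker and salt, so a correct attempt reproduces it.
    $computed = crypt($attempt, $stored);
    // hash_equals() compares in constant time.
    return hash_equals($stored, $computed);
}

// Constructed sample data: one account, password chosen for the demo.
$table = ['robert' => make_md5_crypt('correct horse')];
$rehash = make_md5_crypt('correct horse');

// Same cleartext, new salt: this is why "password = '<hash>'" in SQL fails.
var_dump($table['robert'], $rehash, $table['robert'] === $rehash);

// Right password, wrong password, unknown user.
var_dump(verify_password('correct horse', $table['robert'] ?? null));
var_dump(verify_password('wrong guess', $table['robert'] ?? null));
var_dump(verify_password('correct horse', $table['nobody'] ?? null));
```

PHP's password_verify() also accepts crypt()-format strings such as these and does the constant-time comparison itself.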


Re: [qmailadmin] Password encryption

2004-12-11 Thread Geoff
Try passing the entire encrypted password to the crypt function. This
should use the same first hash and produce the same encrypted string.

In PHP this is done using crypt(encryptme, salt)

[EMAIL PROTECTED] wrote:
> > On Dec 10, 2004, at 5:24 PM, [EMAIL PROTECTED] wrote:
> > > Thanks for the reply, the problem though is if you crypt the current
> > > password it does not turn out like the encrypted password above. I get
> > > different results when using the function from the link you provided.
> > > This is the password I get when I encrypt the same password in the
> > > original email:
> > >
> > > $1$34201110$1qOlP6BW44jKvA66l7q7F0
> > >
> > > and if I refresh it:
> > >
> > > $1$20202818$O9l6HCdGD19SqriwI8F4k0
> >
> > That's expected.  The first 11 (or so) characters are random data
> > called the salt.  The actual password (encoded using the salt)
> > appears after the salt.
> >
> > This is done to make it more difficult to build a dictionary of
> > encrypted passwords.  Any given cleartext password can have a large
> > number of possible encrypted versions.
> >
> > --
> > Tom Collins  -  [EMAIL PROTECTED]
> > QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
> > Info on the Sniffter hand-held Network Tester: http://sniffter.com/
>
> Hmm this is strange, but logging in via webmail with the old password
> worked until I logged in with my new password. Now new password works and
> old password doesn't. Could be caching connection, dunno if imapproxy could
> be the culprit. Thanks for the feedback. Seems to be working!
> Robert


Re: [qmailadmin] Password encryption

2004-12-11 Thread rbartlett
> On Dec 10, 2004, at 5:24 PM, [EMAIL PROTECTED] wrote:
> > Thanks for the reply, the problem though is if you crypt the current
> > password it does not turn out like the encrypted password above. I get
> > different results when using the function from the link you provided.
> > This is the password I get when I encrypt the same password in the
> > original email:
> >
> > $1$34201110$1qOlP6BW44jKvA66l7q7F0
> >
> > and if I refresh it:
> >
> > $1$20202818$O9l6HCdGD19SqriwI8F4k0
>
> That's expected.  The first 11 (or so) characters are random data
> called the salt.  The actual password (encoded using the salt)
> appears after the salt.
>
> This is done to make it more difficult to build a dictionary of
> encrypted passwords.  Any given cleartext password can have a large
> number of possible encrypted versions.
>
> --
> Tom Collins  -  [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
> Info on the Sniffter hand-held Network Tester: http://sniffter.com/

So what happens when I try to authenticate to the db? If I get the crypted
password and do a query such as:

SELECT * FROM table WHERE user = 'user' AND password = 'encryptedpassword'

It would obviously not work since it tries to do an exact match correct?

Robert


[qmailadmin] Password encryption

2004-12-10 Thread rbartlett
I am still unable to determine how my mail server is encrypting passwords.
An example encrypted password is:

$1$AaAkCUIr$tq.YJ2hHJDQ56Zbgg83eh1

I need to be able to query the mysql db to authenticate the user via the
encrypted password above. Please help

Thanks
Robert


Re: [qmailadmin] Password encryption

2004-12-10 Thread Michael Bowe

- Original Message - 
From: [EMAIL PROTECTED]


> I am still unable to determine how my mail server is encrypting passwords.
> An example encrypted password is:
>
> $1$AaAkCUIr$tq.YJ2hHJDQ56Zbgg83eh1
>
> I need to be able to query the mysql db to authenticate the user via the
> encrypted password above. Please help

I have compiled some information on this subject here :
http://www.pipeline.com.au/staff/mbowe/isp/webmail-server.htm#CREATE_MAILBOX_VIA_SQL

Michael.



Re: [qmailadmin] Password encryption

2004-12-10 Thread Jeremy Kitchen
On Friday 10 December 2004 07:24 pm, [EMAIL PROTECTED] wrote:
> Thanks for the reply, the problem though is if you crypt the current
> password it does not turn out like the encrypted password above. I get
> different results when using the function from the link you provided. This
> is the password I get when I encrypt the same password in the original
> email:
>
> $1$34201110$1qOlP6BW44jKvA66l7q7F0
>
> and if I refresh it:
>
> $1$20202818$O9l6HCdGD19SqriwI8F4k0

right, it uses a different randomly generated hash to encrypt the password 
with, that way passwords that are the same do not have the same encrypted 
value.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]



Re: [qmailadmin] Password encryption

2004-12-10 Thread rbartlett
Hmm. Interesting, I changed the password in mysql and the old password
still works. I even made it blank, it still authenticates me correctly.
Every account I create shows up in mysql table, am I doing something
wrong? Do I have to update password in 2 places?

Robert

> Thanks for the reply, the problem though is if you crypt the current
> password it does not turn out like the encrypted password above. I get
> different results when using the function from the link you provided. This
> is the password I get when I encrypt the same password in the original
> email:
>
> $1$34201110$1qOlP6BW44jKvA66l7q7F0
>
> and if I refresh it:
>
> $1$20202818$O9l6HCdGD19SqriwI8F4k0
>
> Any ideas?
>
> Thanks
> Robert
>
> > - Original Message -
> > From: [EMAIL PROTECTED]
> >
> > > I am still unable to determine how my mail server is encrypting
> > > passwords.
> > > An example encrypted password is:
> > >
> > > $1$AaAkCUIr$tq.YJ2hHJDQ56Zbgg83eh1
> > >
> > > I need to be able to query the mysql db to authenticate the user via
> > > the encrypted password above. Please help
> >
> > I have compiled some information on this subject here :
> > http://www.pipeline.com.au/staff/mbowe/isp/webmail-server.htm#CREATE_MAILBOX_VIA_SQL
> >
> > Michael.


Re: [qmailadmin] Password encryption

2004-12-10 Thread Rick Widmer

[EMAIL PROTECTED] wrote:
> I am still unable to determine how my mail server is encrypting passwords.
> An example encrypted password is:
>
> $1$AaAkCUIr$tq.YJ2hHJDQ56Zbgg83eh1
>
> I need to be able to query the mysql db to authenticate the user via the
> encrypted password above. Please help

crypt() with md5


Re: [qmailadmin] Password encryption

2004-12-10 Thread Tom Collins
On Dec 10, 2004, at 5:24 PM, [EMAIL PROTECTED] wrote:
> Thanks for the reply, the problem though is if you crypt the current
> password it does not turn out like the encrypted password above. I get
> different results when using the function from the link you provided.
> This is the password I get when I encrypt the same password in the
> original email:
>
> $1$34201110$1qOlP6BW44jKvA66l7q7F0
>
> and if I refresh it:
>
> $1$20202818$O9l6HCdGD19SqriwI8F4k0

That's expected.  The first 11 (or so) characters are random data
called the salt.  The actual password (encoded using the salt)
appears after the salt.

This is done to make it more difficult to build a dictionary of
encrypted passwords.  Any given cleartext password can have a large
number of possible encrypted versions.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


[qmailadmin] Password encryption

2004-10-27 Thread Robert Bartlett
When you add an account in qmailadmin, it enters it into a mysql db since
I setup vpopmail to do this. My question is what encryption does it use in
the mysql db for the password?

Thanks
Robert



Re: [qmailadmin] Password encryption

2004-10-27 Thread Jeremy Kitchen
On Wednesday 27 October 2004 05:40 pm, Robert Bartlett wrote:
> When you add an account in qmailadmin, it enters it into a mysql db since
> I setup vpopmail to do this. My question is what encryption does it use in
> the mysql db for the password?

the encryption that vpopmail uses.  I believe this is crypt() by default, so 
whatever your operating system's crypt() function can handle.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
   GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc



Re: [qmailadmin] Password encryption

2004-10-27 Thread Robert Bartlett
So if I called it via a php script I would use php function crypt? Or
would I use encrypt in the mysql call?

Robert

> On Wednesday 27 October 2004 05:40 pm, Robert Bartlett wrote:
> > When you add an account in qmailadmin, it enters it into a mysql db
> > since I setup vpopmail to do this. My question is what encryption does
> > it use in the mysql db for the password?
>
> the encryption that vpopmail uses.  I believe this is crypt() by default,
> so whatever your operating system's crypt() function can handle.
>
> -Jeremy
>
> --
> Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
>   [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
> kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
> GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc