Forum Moderators: phranque
I am pretty new to htaccess, and have a quick question. In the .htpasswd file, do the encrypted passwords appear totally random? For example, my password file looks like this:
Jill1:45GOgE.e5n/AQ
Jill2:kFNaFtSX26m4Q
This is despite the fact that both passwords are actually the same word -- "test". Is it to be expected that the same string would appear different each time it is encrypted by the program?
Any help is appreciated!
Thanks in advance,
Jill
There's no one way to create a password hash. The easiest way is using md5 [ca3.php.net]. Basically, you take what they enter on the password form on account creation (or however your system is going to work), create an MD5 hash of that password, and store the hash.
So, say my password is "password". I run it through MD5, and I get "286755fad04869ca523320acce0dc6a4". I store that in my DB.
Then, to verify if someone entered the right password, I would do almost the same thing. I md5 what they entered, and compare the result to the stored md5 string.
You CANNOT derive the password from the hash. They are considered "one-way hashes". The way that the password is broken is by brute force, mostly. Suppose someone had read access to your DB; they would run through a dictionary and a word generator, encrypt each of those with MD5, and compare them (same as your legit function does).
For more info, look at [en.wikipedia.org] and [en.wikipedia.org].
If you want a specific PHP implementation, I'm sure there's tonnes around, and some examples in the PHP forum.
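Added example (not code from either poster): it covers both the original question and the reply above. The two .htpasswd entries in the question are 13-character traditional crypt(3) strings, and the first two characters ("45" and "kF") are a random salt, which is why the same password "test" produced two different strings. The block below shows the unsalted MD5 store-and-verify flow the reply describes, the dictionary attack it warns about, and a salted, iterated alternative (PBKDF2-SHA256 from Python's standard library) in which two users with the same password get different records that still verify. The wordlist, the record format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed wordlist for the example; a real attacker would use a far
# larger dictionary plus a word generator, as the reply above describes.
WORDLIST = ["123456", "letmein", "password", "test", "qwerty"]

# Iteration count for the salted scheme; assumed value for this example.
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the reply describes: identical passwords
    always produce identical stored hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_md5(password: str, stored: str) -> bool:
    """Legitimate check: hash the attempt and compare with the stored hash.
    compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(md5_hex(password), stored)


def crack_md5(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one unsalted hash. With no salt, the same
    candidate hashes can be reused against every row in the database."""
    for candidate in wordlist:
        if md5_hex(candidate) == stored:
            return candidate
    return None


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Record format (assumed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.
    A fresh random salt per user is why two users with the same password
    end up with two different stored strings."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive using the salt and iteration count read from the record."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_salted(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """A salt does not save a weak password from a dictionary attack; it only
    forces the attacker to redo the (slow) work separately for each record."""
    for candidate in wordlist:
        if verify_salted(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    # Unsalted: both users' rows are identical and fall together.
    jill1 = md5_hex("test")
    jill2 = md5_hex("test")
    print("md5 rows identical:", jill1 == jill2)
    print("cracked from wordlist:", crack_md5(jill1, WORDLIST))

    # Salted: same password, different rows, both still verify.
    s1 = hash_salted("test")
    s2 = hash_salted("test")
    print("salted rows identical:", s1 == s2)
    print("verify both:", verify_salted("test", s1), verify_salted("test", s2))
    print("wrong password:", verify_salted("Test", s1))
    print("weak password still cracked:", crack_salted(s1, WORDLIST))
```

The salted scheme answers the question in the thread: `hash_salted("test")` called twice returns two different records, just as the two .htpasswd lines differ, yet `verify_salted` accepts "test" against either. The last line of the demo is the caveat a practitioner should keep in mind: salting and iteration raise the attacker's cost per record, but a password that is in the wordlist is still recovered.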
perldoc -f crypt