
Re: PHP: issues managing the password, what is wrong?



On 30/09/2009 07:43, Zdenek Styblik wrote:
Hello,

Alberto Moreno wrote:
...

   My current problem is with the password. I have found a small app that
wants to compare the input of the password vs. the LDAP password; this
will let us identify the user.


As Dieter already said, wrong. Authenticate directly with provided
credentials, or use "proxy" user to search for uid resp. DN, then try to
authenticate against it with provided credentials.

Absolutely. You'll find an open source example of this in PHP here
(I'm sure there are many on the web, this one came to hand)
http://tools.ltb-project.org/repositories/entry/ltb/self-service-password/trunk/index.php#L50
(lines 50 to 92)


   Well, searching around, I found the crypt function, but there is a
thing that I don't like about it:

"The standard DES-based encryption crypt() returns the salt as the
first two characters of the output. It also only uses the first eight
characters of str, so longer strings that start with the same eight
characters will generate the same result (when the same salt is used)"

  How can I deal with this note: 8 characters only?


I believe this is broken, or obsolete. I'm using a Perl port of the Unix
crypt() function, and it works just fine for "any" password length.
The 8-character limitation sounds like - history :)

Actually crypt() is system-dependent. Different *nixes implement it differently. Many implementations accept passwords of any length, but only use the first 8 characters to create the hash. As a result, using crypt passwords is insecure and unportable.

So, yes, it sounds like history, but that's crypt for you :)

Regards,
Jonathan
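A worked example of the "search, then bind" approach Zdenek describes, added here as illustration; it is not code from this thread or from the ltb-project link above. The host name, base DN and proxy-account credentials are assumed placeholders, and the code targets PHP 7.1 or later for the type declarations.

```php
<?php
// Added example: "search then bind" LDAP authentication in PHP.
// The user's password is never read, hashed or compared locally; the
// directory verifies it during the bind, so crypt() and its 8-character
// limit never come into play. Host, DNs and proxy credentials below are
// assumed placeholders.

function ldap_authenticate(string $username, string $password): ?string
{
    // Refuse empty credentials up front: most directories treat a bind with
    // an empty password as an anonymous bind, which "succeeds" without
    // proving anything about the user.
    if ($username === '' || $password === '') {
        return null;
    }

    $ldap = ldap_connect('ldaps://ldap.example.com'); // assumed host
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as a low-privilege proxy account whose only job is to
    // search for users (assumed DN and password).
    if (!@ldap_bind($ldap, 'cn=proxy,ou=services,dc=example,dc=com', 'proxy-secret')) {
        ldap_unbind($ldap);
        return null;
    }

    // Step 2: look up the user's DN. ldap_escape() (PHP >= 5.6) stops the
    // supplied username from altering the filter (LDAP injection).
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_search($ldap, 'ou=people,dc=example,dc=com', $filter, ['uid']);
    if ($result === false || ldap_count_entries($ldap, $result) !== 1) {
        // Unknown user or an ambiguous match: both are a failed login.
        ldap_unbind($ldap);
        return null;
    }
    $dn = ldap_get_dn($ldap, ldap_first_entry($ldap, $result));

    // Step 3: re-bind as the user with the password they typed. The
    // directory checks it against its own stored hash, whatever the format.
    $ok = ($dn !== false) && @ldap_bind($ldap, $dn, $password);
    ldap_unbind($ldap);
    return $ok ? $dn : null;
}
```

A non-null return is the authenticated user's DN; the proxy account should be granted nothing beyond read access to the user subtree, since its credentials live in the application.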