[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: PHP: issues managing the password, what is wrong?

On 30/09/2009 07:43, Zdenek Styblik wrote:

Alberto Moreno wrote:

   My current problem is with the password, I have found small app that
wants to compare the input of the password vs the ldap password this
will let us identify the user.

As Dieter already said, wrong. Authenticate directly with provided
credentials, or use "proxy" user to search for uid resp. DN, then try to
authenticate against it with provided credentials.

Absolutely. You'll find an open source example of this in PHP here
(I'm sure there are many on the web, this one came to hand)
(lines 50 to 92)

   Well searching aroun, I found the crypt function but there is a
thing that I don't like it:

"The standard DES-based encryption crypt() returns the salt as the
first two characters of the output. It also only uses the first eight
characters of str , so longer strings that start with the same eight
characters will generate the same result (when the same salt is used)"

  How can I deal with this note: 8 characters only?

I believe this is broken, or obsolete. I'm using Perl port of Unix
crypt() function, and it works just fine for "any" password lengths.
8 characters limitation sounds like - history :)

Actually crypt() is system-dependant. Different *nixes implement it differently. Many implementations accept passwords of any length, but only use the first 8 characters to create the hash. As a result, using crypt passwords is insecure and un-portable.

So, yes, it sounds like history, but that's crypt for you :)