How to test a password crypt



Last Modified: Jul 11, 2016, 2:02 am
If you have a password crypt, are not sure if it's correct, and wish to test it manually, you can do so with PHP.
The way I do it is to type "php", type in the script via standard input (keyboard), and press ctrl-d to execute it. If you're not comfortable with that, you can add the script to a file and pass the file to php (either via the shell or Apache).

Assumptions:
1) the password in this example is password1234
2) the salt for this crypt is $1$asdf1234$ (MD5)

I'll show the example in 2 steps, to show you first how the crypt is made, then how it's checked (they're essentially the same, with slight differences).  The bold text is the output generated by the script.

To generate a crypt for the password using the salt:

<?php
echo crypt('password1234','$1$asdf1234$');
?>

So we now have the crypt (in bold).  This is what is stored in your passwd or shadow files.

To verify that the password you're using is correct for this crypt, we repeat similar code, passing the entire crypt as the salt. This gives the crypt() function the salt we're looking for, since the salt is part of the crypt. If the output of the crypt() function matches the stored crypt, then the password is correct. If it does not match, you've got the wrong password.

<?php
echo crypt('password1234','$1$asdf1234$7amUjHHdQx2N3dPJsKgUg0');
?>

$1$asdf1234$7amUjHHdQx2N3dPJsKgUg0

Note how the crypt output from this script matches the crypt passed to the crypt() function.  This means the password is correct.   Note these are real/valid values, so you can try them yourself.

***NOTE*** It's very important to use single 'quotes' and *not* double "quotes" with the salt in the crypt() function. This is because in PHP, with double "quotes", the salt would be treated as empty variables, since $xx is a variable in PHP. So with single 'quotes', the salt is treated exactly as you type it. With double "quotes", the salt is treated as 3 variables: $1, $asdf1234, and $whateverelse, which would basically give you an empty salt, since chances are these are not filled with anything.
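
The check described above, wrapped in a reusable function, as an added example that is not part of the original page. The names verify_crypt() and describe_scheme() are hypothetical, 'wrongpassword' is a constructed input, and the last lines print the salt as written with each kind of quote.

```php
<?php
// Added example, not code from the original page. describe_scheme() and
// verify_crypt() are hypothetical helper names.

// Report which scheme the crypt's prefix selects.
function describe_scheme(string $stored): string
{
    $schemes = ['$1$' => 'MD5', '$2y$' => 'bcrypt', '$5$' => 'SHA-256', '$6$' => 'SHA-512'];
    foreach ($schemes as $prefix => $name) {
        if (strncmp($stored, $prefix, strlen($prefix)) === 0) {
            return $name;
        }
    }
    return 'unknown';
}

function verify_crypt(string $password, string $stored): bool
{
    // Passing the whole stored crypt as the salt makes crypt() reuse the
    // scheme and salt embedded in it, as in the second script on this page.
    $computed = crypt($password, $stored);

    // On failure crypt() returns a string shorter than 13 characters.
    if (strlen($computed) < 13) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($stored, $computed);
}

// Crypt taken from this page; single quotes keep every '$' literal.
$stored = '$1$asdf1234$7amUjHHdQx2N3dPJsKgUg0';

// 'wrongpassword' is a constructed input for the failing case.
foreach (['password1234', 'wrongpassword'] as $candidate) {
    printf("%-14s %-6s %s\n", $candidate, describe_scheme($stored),
        verify_crypt($candidate, $stored) ? 'match' : 'no match');
}

// The same salt in double quotes: PHP interpolates $asdf1234 as an
// undefined variable (the warning is silenced with @ for this demo only).
$interpolated = @"$1$asdf1234$";
printf("single-quoted: %s\ndouble-quoted: %s\n", '$1$asdf1234$', $interpolated);
```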


 

2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST