Solved

prob with comparing passwords

Posted on 1998-06-23
Last Modified: 2010-03-05
I have a person give a password.  The password is taken in, encrypted, and compared to a password in a file.  The expression I use to check if it matches is
if ($pass ne "$crypt") { &error("Passwords don't match"); }
My problem is that, say, my password is "bill" (without the quotes).  I enter that, it gets encrypted and compared, and it sends back a message saying "everything worked, done".  However, if I enter "billasdjla" as my password it still sends back a message saying "everything worked".  I want it to compare the entire string to the entire string, not just a part.  Thanks for the help.
Question by:idadan
22 Comments
 
LVL 84

Expert Comment

by:ozo
ID: 1208118
crypt only uses the first 8 characters of the key
but where in your code are you comparing just part of "billasdjla"?

0
 
LVL 6

Expert Comment

by:alamo
ID: 1208119
I don't understand... the code you posted doesn't print the message "everything worked" at all. You need to show us the code that's failing, including the crypt.
0
 

Author Comment

by:idadan
ID: 1208120
Here is all the code.
      # get the variables
      $UserName = $INPUT{'UserName'};
      $Password = $INPUT{'Password'};
      # open the users file
      &UnlockFile("$member_dir$UserName.mem");
      # loop through, chopping each line
      foreach $line (@newlines) {
          chop ($line) if ($line =~ /\n$/);
      }
      # assign these variables; $pass1 is the password
      ($pass1,$email,$loc,$ocu,$url,$inter) = @newlines;
      # encrypt the password they gave
      $crytpass = crypt($Password, aa);
      # if the encrypted password in the file doesn't equal the password given, that's also encrypted
      if ($pass1 ne "$crytpass") {
          # print back error message
          &bad_piece("The password you entered doesn't match the one in the database.");
      }
Say the password is "bill": if I enter "bill" and other text, like "billboy", it doesn't see anything wrong with that; if I enter, say, "dan" for the password, it stops it fine and says it doesn't match.  What's wrong here?  Thanks.
0
 
LVL 6

Expert Comment

by:alamo
ID: 1208121
Are you sure your UnlockFile function is working? Presumably it reads the file into @newlines. And are you sure crypt is working? It could be one or both are failing but the result strings of their failure match.

To debug, check the crypted values:  add

print "pass1=$pass1, crytpass=$crytpass\n";

after the crypt statement, and see if they look like real encrypted values or just junk.

And is "aa" (which is your seed) set elsewhere in the program?



0
 

Author Comment

by:idadan
ID: 1208122
Ok, I made the debugging and this is what it is giving me.  Let's say the password is billy; the encrypted password is (made up) aa.asddfjkel. However, when I enter billyasdfalk it comes back with aa.saddfijkel, so basically it's like it's not even looking past my password.  The actual password that I'm using to debug is 9 letters long.  I'm not sure if length matters but.  You know much about the encrypt function?  As far as it being set elsewhere in the program, I use aa to encrypt everything, if that's what you mean; I'm not sure though.  Thanks.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1208123
crypt("billy","aa") is 'aaS2v5s7eIaLk'
crypt("billyasdfalk","aa") is 'aay9TBmf8fIKg'
which are different (and neither of which is 'aa.asddfjkel')
0
 

Author Comment

by:idadan
ID: 1208124
Right, I made up the encrypted things just to show as an example, but in my program it's seeing billy and billyaklsdjf as the same. It's like it's seeing billy and nothing else in the second one.  I gave the code I'm using.  Any ideas?
0
 
LVL 84

Expert Comment

by:ozo
ID: 1208125
When your program evaluates crypt("billy","aa"), and crypt("billyasdfalk","aa") are you getting the proper values?
If not, what values is it giving you?
Are you really passing crypt the $Password you think you are?
0
 
LVL 6

Expert Comment

by:alamo
ID: 1208126
When you print $Password is it the entered password? Sounds like it may not be checking the string that you think it is.
0
 

Author Comment

by:idadan
ID: 1208127
Here is the value I'm getting (remember, I'm not actually using billy):
aa.zAnzAJXdV6  I had it print to the browser the password it gets from the file, the password they gave (encrypted) and the password they gave (unencrypted).  The password from the file was the usual, the password I gave unencrypted was fine, "billydafs", but the encrypted thing was the same as billy (encrypted).  I'm so confused.  I just want to encrypt a password and be able to check it.

0
 
LVL 84

Expert Comment

by:ozo
ID: 1208128
crypt("billy","aa") is 'aaS2v5s7eIaLk'
if you're getting 'aa.zAnzAJXdV6', your crypt, or your test, is broken.
crypt("billydafs","aa") is 'aaa9huR9YWHI.'
('aaS2v5s7eIaLk' ne 'aaa9huR9YWHI.') should be true.
0

 

Author Comment

by:idadan
ID: 1208129
Ok, one last time: billy is not the actual phrase I'm using.  The word I'm testing is the password that I always use, to this account, to my site, etc., so I'm not going to say the actual phrase I'm using, but I think you can get an idea of my problem from what is going on.  Thanks.  Any more questions, just post.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1208130
BTW, crypt("billydaf","aa") is also 'aaa9huR9YWHI.', since as I said in the beginning, crypt only uses the first 8 characters.
0
 
LVL 6

Expert Comment

by:alamo
ID: 1208131
Perhaps crypt is broken on your system, as unlikely as it seems.

Just as a test, add the lines

print "billy is ",crypt("billy","aa"),"\n";
print "billydaf is ",crypt("billydafs","aa"),"\n";

and see if it produces the same values as ozo posted. I tried it here and got the same values as he did.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1208132
Also, crypt("billy\0daf","aa") and crypt("billy","aa") both produce 'aaS2v5s7eIaLk',
since crypt, being a C function, considers a null character to be a string terminator.
0
 

Author Comment

by:idadan
ID: 1208133
Wait, so crypt only encrypts the first 8 characters of the string?  I thought you meant it only uses the first 8 letters for the key like aaaaaaaa instead of aa.  I guess that solves the problem.  I'll just make the password 8 chars long.  Thanks for all your help and patience both of you, however ozo did answer my question.  Thanks again.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1208134
crypt($key,$salt) uses the first 8 characters of $key, and the first 2 characters of $salt,
this is why you can say
print "password matched " if( crypt($password,$crytpass) eq $crytpass )
0
 

Author Comment

by:idadan
ID: 1208135
Yeah, so if I use my same crypt formula crypt($password,"aa") and make sure they can only have passwords of 8 characters, I'm set, right?  Thanks.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1208136
You can try that.  If you do have more than 8 characters, only the first 8 will be significant to crypt.
Or you may want to hash longer passwords into 8 characters (being careful about "\0")
Or break it up into 8 character segments and crypt each piece.

By The Way, your
  $pass1 ne "$crytpass"
might have been more clearly written as
  $pass1 ne $crytpass
and your
  foreach $line ( @newlines ){ chop ($line) if( $line =~ /\n$/ ) }
might have been done simply as
  chomp @newlines;
0
 

Author Comment

by:idadan
ID: 1208137
Great, thanks a lot.  You're always a huge help.  Could you submit your answer so I can grade? I leave for Europe tomorrow, so I want to make sure to give points before I go away for 3 weeks.  Thanks again.
0
 
LVL 84

Accepted Solution

by:
ozo earned 50 total points
ID: 1208138
crypt($key,$salt) uses the first 8 characters of $key, and the first 2 characters of $salt
0
 

Author Comment

by:idadan
ID: 1208139
Thanks again.
0
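The behaviour settled on in this thread (8 significant characters, a 2-character salt, and a NUL ending the key), put into a store-and-check routine; this is an added example, not code posted by anyone in the thread. The sub names are hypothetical, and it assumes the system's crypt still implements the traditional scheme discussed here and that /dev/urandom is available.

```perl
#!/usr/bin/perl
# Added example (not from the thread); sub names are hypothetical.
use strict;
use warnings;

# Return why traditional crypt() would not see the whole password,
# or nothing (undef) if every byte of it is significant.
sub crypt_blind_spot {
    my ($password) = @_;
    return 'empty password'                           if !length $password;
    return 'contains NUL; crypt stops reading there'  if $password =~ /\0/;
    return 'non-ASCII byte; only 7 bits are used'     if $password =~ /[^\x00-\x7F]/;
    return 'longer than 8 bytes; the rest is ignored' if length($password) > 8;
    return;
}

# Two random characters from crypt's salt alphabet, so that equal passwords
# do not share a stored value the way a fixed "aa" salt makes them.
sub random_salt {
    my @alphabet = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');   # 64 entries
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 2) == 2 or die "short read from urandom";
    close $fh;
    return join '', map { $alphabet[ord($_) & 63] } split //, $bytes;
}

sub store_password {
    my ($password) = @_;
    my $why = crypt_blind_spot($password);
    die "rejected: $why\n" if defined $why;
    my $hash = crypt($password, random_salt());
    die "this system's crypt() lacks the traditional scheme\n" unless defined $hash;
    return $hash;
}

# The stored value starts with its own salt, so it is passed back as the salt.
sub check_password {
    my ($candidate, $stored) = @_;
    return 0 if defined crypt_blind_spot($candidate);   # refuse look-alike input
    my $hash = crypt($candidate, $stored);
    return (defined($hash) && $hash eq $stored) ? 1 : 0;
}

# Constructed sample input, reusing the strings from the thread.
my $stored = store_password('billydaf');
for my $try ('billydaf', 'billydafs', "billyda\0f", 'billy') {
    (my $shown = $try) =~ s/\0/\\0/g;
    printf "%-12s %s\n", $shown, check_password($try, $stored) ? 'accepted' : 'rejected';
}
```

Without the guard in check_password, "billydafs" would be accepted for a stored "billydaf", which is the behaviour the question describes.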
