
prob with comparing passwords

I have a person give a password.  The password is taken in, encrypted and compared to a password in a file.  The expression I use to check if it matches is
if ($pass ne "$crypt") { &error("Passwords don't match"); }
My problem is that say my password is "bill" (without the quotes).  I enter that, it gets encrypted, compared and sends back a message saying "everything worked, done".  However if I enter "billasdjla" as my password it still sends back a message saying "everything worked".  I want it to compare the entire string to the entire string, not just a part.  Thanks for the help.
Asked: idadan
 
ozo Commented:
crypt only uses the first 8 characters of the key
but where in your code are you comparing just part of "billasdjla"?

0
 
alamo Commented:
I don't understand... the code you posted doesn't print the message "everything worked" at all. You need to show us the code that's failing, including the crypt.
0
 
idadan (Author) Commented:
Here is all the code.
    #get the variables
    $UserName = $INPUT{'UserName'};
    $Password = $INPUT{'Password'};
    #open the users file
    &UnlockFile("$member_dir$UserName.mem");
    #loop through chopping each line
    foreach $line (@newlines) {
        chop ($line) if ($line =~ /\n$/);
    }
    #assign these variables, $pass1 is the password
    ($pass1,$email,$loc,$ocu,$url,$inter) = @newlines;
    #encrypt the password they gave
    $crytpass = crypt($Password, aa);
    #if the encrypted password in the file doesn't equal the password given, that's also encrypted
    if ($pass1 ne "$crytpass") {
        #print back error message
        &bad_piece("The password you entered doesn't match the one in the database.");
    }
Say the password is "bill". If I enter "bill" and other text, like "billboy", it doesn't see anything wrong with that; if I enter, say, "dan" for the password it stops it fine and says it doesn't match.  What's wrong here?  Thanks.
0
 
alamo Commented:
Are you sure your UnlockFile function is working? Presumably it reads the file into @newlines. And are you sure crypt is working? It could be one or both are failing but the result strings of their failure match.

To debug, check the crypted values:  add

print "pass1=$pass1, crytpass=$crytpass\n";

after the crypt statement, and see if they look like real encrypted values or just junk.

And is "aa" (which is your seed) set elsewhere in the program?



0
 
idadan (Author) Commented:
Ok, I did the debugging and this is what it is giving me.  Let's say the password is billy; the encrypted password is (made up) aa.asddfjkel, however when I enter billyasdfalk it comes back with aa.saddfijkel, so basically it's like not even looking past my password.  The actual password is 9 letters long that I'm using to debug.  I'm not sure if length matters but.  You know much about the encrypt function?  As far as it being set elsewhere in the program, I use aa to encrypt everything, if that's what you mean, I'm not sure though, thanks.
0
 
ozo Commented:
crypt("billy","aa") is 'aaS2v5s7eIaLk'
crypt("billyasdfalk","aa") is 'aay9TBmf8fIKg'
which are different (and neither of which is 'aa.asddfjkel')
0
 
idadan (Author) Commented:
Right, I made up the encrypted things just to show as an example, but in my program it's seeing billy and billyaklsdjf as the same. It's like it's seeing billy and nothing else in the second one.  I gave the code I'm using.  Any ideas?
0
 
ozo Commented:
When your program evaluates crypt("billy","aa") and crypt("billyasdfalk","aa"), are you getting the proper values?
If not, what values is it giving you?
Are you really passing crypt the $Password you think you are?
0
 
alamo Commented:
When you print $Password is it the entered password? Sounds like it may not be checking the string that you think it is.
0
 
idadan (Author) Commented:
Here is the value I'm getting, remember I'm not actually using billy but...
aa.zAnzAJXdV6  I had it print to the browser the password it gets from the file, the password they gave (encrypted) and the password they gave (unencrypted).  The password from file was the usual, the password I gave unencrypted was fine "billydafs" but the encrypted thing was the same as billy (encrypted).  I'm so confused.  I just want to encrypt a password and be able to check it.

0
 
ozo Commented:
crypt("billy","aa") is 'aaS2v5s7eIaLk'
if you're getting 'aa.zAnzAJXdV6', your crypt, or your test, is broken.
crypt("billydafs","aa") is 'aaa9huR9YWHI.'
('aaS2v5s7eIaLk' ne 'aaa9huR9YWHI.') should be true.
0
 
idadan (Author) Commented:
Ok, one last time, billy is not the actual phrase I'm using.  The word I'm testing is the password that I always use, to this account, to my site etc., so I'm not going to say the actual phrase I'm using, but I think you can get an idea of my problem from what is going on.  Thanks.  Any more questions, just post.
0
 
ozo Commented:
BTW, crypt("billydaf","aa") is also 'aaa9huR9YWHI.', since as I said in the beginning, crypt only uses the first 8 characters.
0
 
alamo Commented:
Perhaps crypt is broken on your system, as unlikely as it seems.

Just as a test, add the lines

print "billy is ",crypt("billy","aa"),"\n";
print "billydafs is ",crypt("billydafs","aa"),"\n";

and see if it produces the same values as ozo posted. I tried it here and got the same values as he did.
0
 
ozo Commented:
Also, crypt("billy\0daf","aa") and crypt("billy","aa") both produce 'aaS2v5s7eIaLk',
since crypt, being a C function, considers a null character to be a string terminator.
0
 
idadan (Author) Commented:
Wait, so crypt only encrypts the first 8 characters of the string?  I thought you meant it only uses the first 8 letters for the key like aaaaaaaa instead of aa.  I guess that solves the problem.  I'll just make the password 8 chars long.  Thanks for all your help and patience both of you, however ozo did answer my question.  Thanks again.
0
 
ozo Commented:
crypt($key,$salt) uses the first 8 characters of $key, and the first 2 characters of $salt,
this is why you can say
print "password matched " if( crypt($password,$crytpass) eq $crytpass )
0
 
idadan (Author) Commented:
Yeah, so if I use my same crypt formula crypt($password,"aa") and make sure they can only have passwords of 8 characters, I'm set, right?  Thanks.
0
 
ozo Commented:
You can try that.  If you do have more than 8 characters, only the first 8 will be significant to crypt.
Or you may want to hash longer passwords into 8 characters (being careful about "\0")
Or break it up into 8 character segments and crypt each piece.

By The Way, your
  $pass1 ne "$crytpass"
might have been more clearly written as
  $pass1 ne $crytpass
and your
  foreach $line ( @newlines ){ chop ($line) if( $line =~ /\n$/ ) }
might have been done simply as
  chomp @newlines;
0
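ozo's two suggestions above (verify with crypt($password,$crytpass), and hash longer passwords into 8 characters while keeping "\0" out) combined into one check, as an added example that is not part of the original thread. The names fold_password, make_hash and check_password are hypothetical, and truncating a base64 SHA-256 digest to 8 characters is one assumed way to do the folding.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_base64);   # core module

# Fold the whole password into 8 base64 characters (hypothetical helper).
# Every byte typed now influences the 8 characters crypt() reads, and
# base64 output is 7-bit ASCII that never contains "\0".
sub fold_password {
    my ($password) = @_;
    return substr(sha256_base64($password), 0, 8);
}

# Hash a new password; $salt is 2 characters from [./0-9A-Za-z].
sub make_hash {
    my ($password, $salt) = @_;
    my $hash = crypt(fold_password($password), $salt);
    die "crypt() rejected this salt on this system\n" unless defined $hash;
    return $hash;
}

# Verify by passing the stored hash as the salt, as in ozo's one-liner:
# crypt() takes its salt from the first 2 characters of $stored.
sub check_password {
    my ($password, $stored) = @_;
    my $hash = crypt(fold_password($password), $stored);
    return (defined $hash && $hash eq $stored) ? 1 : 0;
}

# Constructed sample data: "billy" is the example password from the thread.
my $stored = make_hash("billy", "aa");
for my $try ("billy", "billyasdfalk", "billy\0daf", "dan") {
    (my $shown = $try) =~ s/\0/\\0/g;    # make the NUL visible in the output
    printf "%-14s %s\n", $shown,
        check_password($try, $stored) ? "match" : "no match";
}
```

Hashes already stored from unfolded passwords will not verify with check_password, so existing entries in the .mem files would need to be reset when switching over.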
 
idadan (Author) Commented:
Great, thanks a lot.  You're always a huge help.  Could you submit your answer so I can grade? I leave for Europe tomorrow so I want to make sure to give points before I go away for 3 weeks.  Thanks again.
0
 
ozo Commented:
crypt($key,$salt) uses the first 8 characters of $key, and the first 2 characters of $salt
0
 
idadan (Author) Commented:
Thanks again.
0
