Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to validate a plaintext username/password against an existing .htpasswd file?

Posted on 2009-05-16
4
Medium Priority
?
415 Views
Last Modified: 2012-05-07
Hello experts,

I have an unusual question about an .htpasswd file. I've recently rebuilt a website on a LAMP box; the old site has a members area protected with .htaccess/.htpasswd. The new site uses a different method of access control. When the new site is launched, I want to make a special login area for the members of the old site where they can enter their username/password and receive a coupon code for a free month of access if they cancel their old membership and sign up again under the new system.

My problem is that I'm not sure how to do this. I thought it would be simple to take the username/password entered in the special login area and use the htpasswd program on the server to validate the combination. For example, let's say the person claiming to be an existing member gives this username/password combo:

mjcrls99
abc123

and let's say this line exists in the .htpasswd file:

mjcrls99:Um9Ykdtrljx1s

How can I verify that "Um9Ykdtrljx1s" does, or does not, represent "abc123"?

Does the htpasswd program use a one-way hash to produce its encrypted password? If so, there must be a hash key on the system somewhere that I could use on the user-supplied password to produce an encrypted string that could be compared to the one for that user in the .htpasswd file.

If I can't use the htpasswd program on apache for this, what else can I do? This must have a simple solution somehow.

If you can help, I'd really appreciate it!

Thank you,
Utzi
0
Comment
Question by:utzi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
Todd Mummert earned 2000 total points
ID: 24403583

assuming this is unix

use crypt

man 3 crypt

the first two characters of the .htpasswd password are the salt for the 2nd argument of crypt.

So pass the plaintext password and the salt to crypt() and check against htpasswd
0
 

Author Comment

by:utzi
ID: 24403593
Thanks for your reply! I'll try that and post what I find... might be an hour before I can get to it.
0
 
LVL 11

Expert Comment

by:Todd Mummert
ID: 24403614

No problem.  I should have mentioned that many languages (perl, php)  have a simliarly named crypt function that takes the same type of arguments.
0
 

Author Closing Comment

by:utzi
ID: 31623708
Excellent... I just used PHP's crypt() to do this and it works as desired.  I didn't even need to split off the first two chars for the salt. Thanks for the info!
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question