Solved

How to validate a plaintext username/password against an existing .htpasswd file?

Posted on 2009-05-16
4
408 Views
Last Modified: 2012-05-07
Hello experts,

I have an unusual question about an .htpasswd file. I've recently rebuilt a website on a LAMP box; the old site has a members area protected with .htaccess/.htpasswd. The new site uses a different method of access control. When the new site is launched, I want to make a special login area for the members of the old site where they can enter their username/password and receive a coupon code for a free month of access if they cancel their old membership and sign up again under the new system.

My problem is that I'm not sure how to do this. I thought it would be simple to take the username/password entered in the special login area and use the htpasswd program on the server to validate the combination. For example, let's say the person claiming to be an existing member gives this username/password combo:

mjcrls99
abc123

and let's say this line exists in the .htpasswd file:

mjcrls99:Um9Ykdtrljx1s

How can I verify that "Um9Ykdtrljx1s" does, or does not, represent "abc123"?

Does the htpasswd program use a one-way hash to produce its encrypted password? If so, there must be a hash key on the system somewhere that I could use on the user-supplied password to produce an encrypted string that could be compared to the one for that user in the .htpasswd file.

If I can't use the htpasswd program on apache for this, what else can I do? This must have a simple solution somehow.

If you can help, I'd really appreciate it!

Thank you,
Utzi
0
Comment
Question by:utzi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
climbgunks earned 500 total points
ID: 24403583

assuming this is unix

use crypt

man 3 crypt

the first two characters of the .htpasswd password are the salt for the 2nd argument of crypt.

So pass the plaintext password and the salt to crypt() and check against htpasswd
0
 

Author Comment

by:utzi
ID: 24403593
Thanks for your reply! I'll try that and post what I find... might be an hour before I can get to it.
0
 
LVL 11

Expert Comment

by:climbgunks
ID: 24403614

No problem.  I should have mentioned that many languages (perl, php)  have a simliarly named crypt function that takes the same type of arguments.
0
 

Author Closing Comment

by:utzi
ID: 31623708
Excellent... I just used PHP's crypt() to do this and it works as desired.  I didn't even need to split off the first two chars for the salt. Thanks for the info!
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question