Md5 Encrypt Or What?

[virak]

Dear all,Who can answer me about the Encrypt text?* I use joomla 1.5.0 jos_users tableMy passwd is: admin123Encrypts: eef8c05fd1e9f22cb0e976a13b6c5c8a:CJ4W2DoIKCtMQ1UmsD1aTzpTkdzeeh4BI am wonder what kind of encrypts method they r using?I tried with MD5("admin123") the result not the same encrypt above.I tried with hash("admin123") the result not the same encrypt above.So, what kind encrypt method they r using?Thanks & Regards,Virak

[smerny]

sha1?

[jeffman]

Whatever it is, it looks like it happens twice, which each result on each side of the colon. Could be MD5, which returns a 32 byte hash. What they might do is "salt" the original (add some extra characters) once, then do it again with different salt.What could it matter? Just curious?

[justsomeguy]

The code to build that hash is in their login code somewhere if you can find it.

[Synook]

https://secure.phil-taylor.com/generate_password.phps

[virak]

Dear all,I am really happy that u show me the way.Thanks so much for your ideaRegards,Virak

[virak]

Dear Synook,I try to code with your link that u gave to me, it's very cool for me.I can do it to insert that md5 and salt to my db, but i got problem when I login.I mean can not login, bcoz when i register passwd: admin123 it's randome and when i use passwd: admin123 it's random to other 1.So, i can not do login with admin123 :)any idear? please guide me how to login?Thank^s & Regards,Virak

[justsomeguy]

How are you logging in? You shouldn't create anything random when logging in, only check the database.

[virak]

Dear justsomeguy,I am sorry, I still not understand your advice.Could you please give me any hints?Your help is realy appreciate.Many thanks & regards,Virak

[justsomeguy]

I wasn't giving advice, I was asking a question. How are you logging in? What code are you using to log in?

[virak]

Dear Justsomeguy,Sorry reply you late:Here is my code.

<?php$username = $_POST["username"];function genRandomPassword($length = 32){	$salt = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";	$len = strlen($salt);    $makepass = '';	mt_srand(10000000 * (double) microtime());    for ($i = 0; $i < $length; $i ++)	{		$makepass .= $salt[mt_rand(0, $len -1)];	}	return $makepass;}if ($_POST['password']){	if ( strlen($_POST['password']) > 100 )	{		$_POST['password'] = substr( $_POST['password'], 0, 100 );	}	$salt = genRandomPassword();	$password = md5(stripslashes($_POST['password']).$salt) .':'.$salt;	//Insert USER into database	$query = mysql_query("SELECT * FROM jos_users WHERE username='$username' AND block=0");	$pwd_sql = mysql_fetch_array($query);	$cpasswd = $pwd_sql["password"];	if($password = $cpasswd)	{		echo "Logged in successfully.";		header("Location: admin/index.php");	}}?>

Regards,Virak

[justsomeguy]

Right, so it looks like you're generating a new random password to check against the database, that's not the right thing to do. You should select both the username and password from the database, and then you need to split up the password to get the salt, and create the password the same way using the salt from the database with the password they typed in. This is how the database password gets built:md5(stripslashes($_POST['pw']).$salt) .':'.$saltSo the data after the colon is the salt. So you need to get the password from the database, get everything after the colon to use as the salt, and then build the password the same way using the same salt with the password they entered. If the result is the same as what is stored in the database then they entered the same password.Also, this line is incorrect:if($password = $cpasswd)You need to use == to compare, not =.