3

I'm working on a login system for a website that currently uses Apache's prompt box for login, and stores usernames/passwords in a file on the server (as opposed to a table in the database). I'm running into a problem here because the passwords are encrypted in a way I've never seen before. I was wondering if someone can recognize the encryption used here. Examples:

"budapest" translates to "$apr1$6awtpn87$1PzMKL1M4H6urlEil/z5m/" and "Mario" translates to "$apr1$zhadw0iq$r8plh8o.Jj.V34oJ1tjWV1"

All encrypted passwords have "$apr1" at the beginning, then 8 characters, then "$" and then 22 more characters. This gives 32 characters excluding the "$apr1" so I thought it might be some variation on md5 but I haven't worked with encryption much so I was hoping someone could give me a hand?

This is the content of the .htaccess file:

    AuthType Basic
    AuthName "Site name here"
    AuthUserFile "path to password file here"
    require valid-user

robert

3 Answers

6

It's an APR1-MD5 Hash. The documentation can be found at:

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html

pulsar
Fox32
  • Thanks! But how do I get PHP to check whether the passwords are correct on login (since I see that this algorithm involves random strings)? – robert Jan 06 '12 at 10:54
  • See http://stackoverflow.com/questions/1038791/how-to-programmaticaly-build-an-apr1-md5-using-php – Hikaru-Shindo Jan 06 '12 at 10:54
  • Thank you. One thing though - the author of that script said 'It turns out I made a mistake and this function does in fact create working APR1 htpasswd entries. They do look different to the ones Apache creates but they do work.' I'd like to have my script recognize the existing encryptions, not create new, different ones. Is that possible? – robert Jan 06 '12 at 11:00
  • Here is the C-source that apache uses: http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co – Fox32 Jan 06 '12 at 11:01
  • broken link: 2.2 docs here http://httpd.apache.org/docs/2.2/misc/password_encryptions.html – CoffeeMonster Jun 25 '13 at 21:58
0

If it stores the username/pass in a file, it's probably some form of Basic Authentication. http://httpd.apache.org/docs/2.1/howto/auth.html http://httpd.apache.org/docs/1.3/howto/htaccess.html

Lennart
0

This is a password hash which is built the following way:

$algorithm$salt$hash

So this is the Apache-style apr1-md5 algorithm, then the 8-byte random salt and then the actual hash of your password - using the salt.

See http://httpd.apache.org/docs/2.1/misc/password_encryptions.html for more information on the supported password hash/encryption methods in HTTP Basic Auth using apache httpd.

Hikaru-Shindo
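An added example, not part of the original answers: checking a login against an existing `$apr1$salt$hash` entry means reading the salt out of the stored string, recomputing the hash with it, and comparing the results. The sketch below follows the steps of the `apr_md5.c` source linked in the comments, written in Python; the function names `apr1_hash` and `verify` are hypothetical, and the sample entries are the ones quoted in the question.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    # Emit `length` characters of 6 bits each, least significant bits first.
    return "".join(ITOA64[(value >> 6 * k) & 0x3F] for k in range(length))

def apr1_hash(password, salt):
    """Recompute the full $apr1$ entry for a password and a known salt."""
    pw, s = password.encode("utf-8"), salt.encode("ascii")[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    final = hashlib.md5(pw + s + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(final[:min(16, remaining)])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the 1000 stretching rounds
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    digest = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                     for a, b, c in order) + _to64(final[11], 2)
    return "$apr1$" + s.decode("ascii") + "$" + digest

def verify(password, stored):
    """True if `password` matches an existing $apr1$salt$digest entry."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[:2] != ["", "apr1"]:
        return False
    if not 1 <= len(parts[2]) <= 8 or any(c not in ITOA64 for c in parts[2]):
        return False  # assumption: salts use htpasswd's own alphabet
    return hmac.compare_digest(apr1_hash(password, parts[2]).encode(), stored.encode())

if __name__ == "__main__":
    # Password/hash pairs quoted in the question above.
    for pw, entry in (("budapest", "$apr1$6awtpn87$1PzMKL1M4H6urlEil/z5m/"),
                      ("Mario", "$apr1$zhadw0iq$r8plh8o.Jj.V34oJ1tjWV1")):
        print(pw, verify(pw, entry))
```

The random salt only matters when a new entry is created; verification reuses the salt already stored in the entry, so the recomputed string is identical when the password is right.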