
I am trying to check a password using pgcrypto.

I can only use two methods (database limitation)

  • HtPasswdHashMethod
  • HtDigestHashMethod

I can use the first method:

SELECT crypt('mypass',value)=value FROM passwords where person=1

but I have to change the method to the second one - HtDigestHashMethod.

In the database the passwords look like this (changed, not the real ones):

first method: uXifOBs5A0l6w
second method: myrealm:8f24d836943973c5c3e47bd909080b49

How do I check the password with myrealm?

Tomasz Brzezina
  • You need to use a password hash method, not a digest. When saving a password verifier just using a hash function is not sufficient, and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about 100 ms and save the salt with the hash. Better yet use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt`, `passlib.hash` or similar functions. The point is to make the attacker spend a substantial amount of time finding passwords by brute force. – zaph Oct 22 '17 at 23:09
  • You will need to handle creating and testing a password verifier outside of the DB. – zaph Oct 22 '17 at 23:13

1 Answer

-1

The solution:

You have to create the hash like this (the HA1 of RFC 2617 digest authentication, which is what Apache's htdigest stores):

md5('User Name:myrealm:mypass')

so my PHP code looks like:

$ha1 = md5("$username:myrealm:$password"); // HA1 = md5(user:realm:pass); double quotes so the variables actually interpolate
$sqlQuery = "SELECT 'myrealm:" . $ha1 . "' = value FROM passwords WHERE person = 1"; // quotes balanced: compares 'myrealm:<hex>' with the stored column
Tomasz Brzezina
  • **Do not do this**, MD5 is **not secure** for a password verifier! When saving a password verifier just using a hash function is not sufficient. – zaph Oct 22 '17 at 23:09
  • This question wasn't about which encoding is more secure, but how to check a password which is already hashed. Apache2 uses these two methods and can't use others. – Tomasz Brzezina Oct 23 '17 at 21:08
  • True, but I thought it was about security and a secure system since it was about passwords. My mistake. – zaph Oct 23 '17 at 21:47
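The check the question asks for and the answer sketches in PHP, worked through as an added example (not code from the original post or the answerer): the stored column holds `realm:HA1` where HA1 is the hex MD5 of `user:realm:password`, exactly what Apache's htdigest tool writes, so the verifier can be recomputed and compared outside the database as zaph's second comment suggests. The table and column names (`passwords`, `value`, `person`) come from the question; the `%s` placeholder style, the `person_id` parameter and the sample row are assumptions for illustration. The test vector is the RFC 2617 example (user `Mufasa`, realm `testrealm@host.com`, password `Circle Of Life`).

```python
"""Verify Apache htdigest-style password verifiers (realm:HA1) outside the DB.

HA1 = md5("user:realm:password") as defined for HTTP Digest auth (RFC 2617)
and as written by Apache's htdigest tool. The stored value on the page is
"realm:HA1"; a raw htdigest file line is "user:realm:HA1".
"""
import hashlib
import hmac
from typing import Optional, Tuple


def htdigest_ha1(username: str, realm: str, password: str) -> str:
    """Hex MD5 of 'user:realm:password' (lowercase, as htdigest stores it)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def split_stored_value(stored_value: str) -> Optional[Tuple[str, str]]:
    """Split a 'realm:HA1' column value; None if it is not well formed.

    rpartition is used so the realm is everything before the last colon;
    the digest must be exactly 32 hex characters."""
    realm, sep, ha1 = stored_value.rpartition(":")
    if not sep or not realm or len(ha1) != 32:
        return None
    try:
        int(ha1, 16)
    except ValueError:
        return None
    return realm, ha1.lower()


def verify_htdigest(stored_value: str, username: str, password: str) -> bool:
    """True if (username, password) matches the 'realm:HA1' stored value.

    hmac.compare_digest avoids leaking how many leading bytes matched."""
    parsed = split_stored_value(stored_value)
    if parsed is None:
        return False
    realm, ha1 = parsed
    return hmac.compare_digest(htdigest_ha1(username, realm, password), ha1)


def verify_htdigest_line(line: str, username: str, password: str) -> bool:
    """Same check against a raw htdigest file line 'user:realm:HA1'."""
    parts = line.strip().split(":")
    if len(parts) != 3:
        return False
    user, realm, ha1 = parts
    if user != username:
        return False
    return verify_htdigest(f"{realm}:{ha1}", username, password)


def htdigest_check_query(person_id: int, username: str, realm: str, password: str):
    """The answer's in-database comparison, but as a parameterised query.

    Returns (sql, params); '%s' is the psycopg2-style placeholder (assumed
    driver). The expected 'realm:HA1' string is computed in the application,
    so no user input is ever concatenated into the SQL text."""
    expected = f"{realm}:{htdigest_ha1(username, realm, password)}"
    return "SELECT value = %s FROM passwords WHERE person = %s", (expected, person_id)


# Constructed sample row in the page's 'realm:HA1' layout, using the RFC 2617 vector.
SAMPLE_ROW = "testrealm@host.com:939e7578ed9e3c518a452acee763bce9"

if __name__ == "__main__":
    print(verify_htdigest(SAMPLE_ROW, "Mufasa", "Circle Of Life"))   # True
    print(verify_htdigest(SAMPLE_ROW, "Mufasa", "wrong password"))   # False
    print(htdigest_check_query(1, "Mufasa", "testrealm@host.com", "Circle Of Life"))
```

If the comparison has to stay inside PostgreSQL, the same value can be produced there with the built-in `md5()` function: `SELECT value = 'myrealm:' || md5($1 || ':myrealm:' || $2) FROM passwords WHERE person = $3` with the username and password bound as parameters. Either way the stored digest is an unsalted MD5 of a short string, so, as the comments above note, the table should be treated as highly sensitive and migrated to a real password hash as soon as the Apache constraint allows.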