Em 31/07/2010 18:51, Patrick Westenberg escreveu:
Leonardo Rodrigues schrieb:
that's all because i already have a account manager system,
written on PHP, which i had to kept. So i was trying to understand how that's work to make it work on my system i couldnt stop using.
but after some tryings i got everything running. All my passwords
were already migrated from plaintext to Salted-SHA2-256.
Hi Leonardo,
can you tell me how you solved your problem with creating salted passwords via PHP?
Hi .... yes i've acchieved some PHP routines for creating the
salted SHA256 password with random salt and also comparing a stored hashed password with a plaintext supplied one.
encoded passwords will be exited as:
{SSHA256.HEX}acf5ce0f51cca2077e27884a7cec385c430bb402c2f961b02bfa779c18aaf9a373772d99
encoded password strings is 85-char length with the SSHA.256 prefix and 72 without it
as i'm storing passwords with the SSHA256.HEX prefix, my dovecot
conf has:
default_pass_scheme = PLAIN
so i can have any dovecot-supported encoded password on the
database as well as plaintext ones
code may not be very beautiful, i do admit that i'm not good on
making beautiful codes .... but its working nice in several places :)
the VerifyHashedPassword routine can receive passwords with the
{SSHA256.HEX} string and without as well. That makes easier to just compare database stored passwords as well as the newly generated ones to compare with newly encoded ones based on the plaintext supplied.
usage is pretty simple .... something like:
$hashedpwd = HashedPassword($plainpwd); and store $hashedpwd whatever you want to store it
checking the stored password against a supplied password would be
something like:
if ( VerifyHashedPassword($hashedpwd,$plainpwd) ) { // supplied plaintext password MATCH with supplied hashed password do whatever you want if passwords matches } else { // supplied plaintext password DO NOT MATCH with supplied hashed password do whatever you want if passwords DO NOT match }
Hope this helps you :)
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it