Re: [Dovecot] salted passwords
On 31/07/2010 18:51, Patrick Westenberg wrote:
> Leonardo Rodrigues wrote:
>> that's all because i already have an account manager system,
>> written in PHP, which i had to keep. So i was trying to understand how that works to make it work on my system i couldn't stop using.
>> but after some tries i got everything running. All my passwords
>> were already migrated from plaintext to Salted-SHA2-256.
> Hi Leonardo,
> can you tell me how you solved your problem with creating salted passwords via PHP?
Hi .... yes i've achieved some PHP routines for creating the
salted SHA256 password with random salt and also comparing a stored hashed password with a plaintext supplied one.
encoded passwords will be exited as:
{SSHA256.HEX}acf5ce0f51cca2077e27884a7cec385c430bb402c2f961b02bfa779c18aaf9a373772d99
encoded password strings are 85 chars long with the SSHA.256 prefix and 72 without it
as i'm storing passwords with the SSHA256.HEX prefix, my dovecot
conf has:
default_pass_scheme = PLAIN
so i can have any dovecot-supported encoded password on the
database as well as plaintext ones
code may not be very beautiful, i do admit that i'm not good at
making beautiful code .... but it's working nicely in several places :)
the VerifyHashedPassword routine can receive passwords with the
{SSHA256.HEX} string and without it as well. That makes it easier to just compare database-stored passwords as well as the newly generated ones to compare with newly encoded ones based on the plaintext supplied.
usage is pretty simple .... something like:
    $hashedpwd = HashedPassword($plainpwd);

and store $hashedpwd wherever you want to store it
checking the stored password against a supplied password would be
something like:

    if ( VerifyHashedPassword($hashedpwd,$plainpwd) ) {
        // supplied plaintext password MATCH with supplied hashed password
        // do whatever you want if passwords matches
    } else {
        // supplied plaintext password DO NOT MATCH with supplied hashed password
        // do whatever you want if passwords DO NOT match
    }

Hope this helps you :)
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
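
The format described in the message above, as an added example that is not part of the original post and is not Leonardo's routines. It assumes Dovecot's SSHA256 layout, SHA-256 over password followed by salt with the salt appended, and a 4-byte salt, which matches the 72 hex characters quoted in the message; the function and constant names are hypothetical.

```php
<?php
// Added example, not the routines from the post. Assumed layout:
// hex( SHA256(password . salt) . salt ), optionally prefixed with the scheme.

const SSHA256_PREFIX = '{SSHA256.HEX}';
const SALT_BYTES     = 4;   // 64 hex chars of digest + 8 of salt = 72

// Hypothetical name. Returns the prefixed hash; $salt is only passed in tests.
function ssha256_hex_encode(string $plain, ?string $salt = null): string
{
    $salt   = $salt ?? random_bytes(SALT_BYTES);      // CSPRNG, new salt per password
    $digest = hash('sha256', $plain . $salt, true);   // raw 32-byte digest
    return SSHA256_PREFIX . bin2hex($digest . $salt);
}

// Hypothetical name. Accepts the stored value with or without the prefix.
function ssha256_hex_verify(string $stored, string $plain): bool
{
    $plen = strlen(SSHA256_PREFIX);
    if (strncasecmp($stored, SSHA256_PREFIX, $plen) === 0) {
        $stored = substr($stored, $plen);
    }
    // Reject values that are not hex or cannot hold a digest plus a salt.
    if (!ctype_xdigit($stored) || strlen($stored) % 2 !== 0 || strlen($stored) <= 64) {
        return false;
    }
    $raw       = hex2bin($stored);
    $digest    = substr($raw, 0, 32);
    $salt      = substr($raw, 32);                    // everything after the digest
    $candidate = hash('sha256', $plain . $salt, true);
    return hash_equals($digest, $candidate);          // constant-time comparison
}

// Constructed sample values for demonstration only.
$hashed = ssha256_hex_encode('correct horse');
var_dump(strlen($hashed));                                        // length with prefix
var_dump(ssha256_hex_verify($hashed, 'correct horse'));           // prefixed form
var_dump(ssha256_hex_verify(substr($hashed, strlen(SSHA256_PREFIX)), 'correct horse'));
var_dump(ssha256_hex_verify($hashed, 'wrong guess'));             // wrong password
var_dump(ssha256_hex_verify('{SSHA256.HEX}zz', 'x'));             // malformed input
```

A single round of salted SHA-256 is fast to compute, so it gives limited resistance to offline guessing if the database leaks; the example follows the scheme used in this thread.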