-----BEGIN PGP SIGNED MESSAGE----- On Thu, 4 Apr 1996, Eric Eden wrote:
I'm testing a encryption program that includes use of crypt(). (I know its not the strongest scheme.) Here's the problem:
We ask users to e-mail us an encrypted password derived form the crypt() utility when they set up an account. When they want to change information related to the account, we ask them to e-mail the cleartext of the encrypted password. The program then checks to see if the cleartext matches the original encrypted password. If so, their information is automatically updated.
The only problem is when users mistakenly supply cleartext initially, they can never update their information because the program isn't smart enough to realize that the user was submitting cleartext instead of an encrypted password when setting up their account.
Is there any way to check and see if the text the user supplies initially has been encrypted or is cleartext?
The only way I can think of is if the text that the user supplies is not 13 characters long and contains characters not used in crypt(3) base64 encoding, then the text is definitely not a hashed password. This would catch nearly all cleartext passwords, although there is a little room for error. FYI, the characters used for base64 encoding are [0-9],[A-Z],[a-z],'/', and '.'. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm@voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMWRTIbZc+sv5siulAQGf3AP+LfrlTrpvQgFju2k5yOyUTAxHDGxjHWFg 9M32OU1/Lsj9DtVk/WJBqBmy3SfHJ0ZdppZlxsrT4eywTUaqeg+dOxrQ/WPMPz8c smNykbfmVvzdiwFn4pQJ4/mPiSzFOSz3vshgMnZHzum6SpQ1+Hd4WYPD0Qcsc83q 5SKrfDRfVSs= =IgUR -----END PGP SIGNATURE-----