On 31/07/2010 18:51, Patrick Westenberg wrote:
Leonardo Rodrigues wrote:

That's all because I already have an account manager system, written in PHP, which I had to keep. So I was trying to understand how that works, to make it work on my system, which I couldn't stop using.

But after some tries I got everything running. All my passwords were already migrated from plaintext to Salted-SHA2-256.

Hi Leonardo,

can you tell me how you solved your problem with creating salted passwords via PHP?



Hi .... yes, I've achieved some PHP routines for creating the salted SHA256 password with a random salt, and also for comparing a stored hashed password with a supplied plaintext one.

Encoded passwords will be output as:

{SSHA256.HEX}acf5ce0f51cca2077e27884a7cec385c430bb402c2f961b02bfa779c18aaf9a373772d99

Encoded password strings are 85 chars long with the {SSHA256.HEX} prefix and 72 without it.


As I'm storing passwords with the {SSHA256.HEX} prefix, my Dovecot conf has:

default_pass_scheme = PLAIN

so I can have any Dovecot-supported encoded password in the database as well as plaintext ones.



The code may not be very beautiful, I do admit that I'm not good at making beautiful code .... but it's working nicely in several places :)

http://pastebin.com/fzDGE561


The VerifyHashedPassword routine can receive passwords with the {SSHA256.HEX} string and without it as well. That makes it easier to compare database-stored passwords as well as newly generated ones against newly encoded ones based on the supplied plaintext.


Usage is pretty simple .... something like:

$hashedpwd = HashedPassword($plainpwd);

and store $hashedpwd wherever you want to store it.


Checking the stored password against a supplied password would be something like:

if ( VerifyHashedPassword($hashedpwd, $plainpwd) ) {
    // supplied plaintext password MATCHES the supplied hashed password
    // do whatever you want if the passwords match
} else {
    // supplied plaintext password DOES NOT MATCH the supplied hashed password
    // do whatever you want if the passwords do NOT match
}



Hope this helps you :)


--


        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAM trap, do NOT send email to it
        gertru...@solutti.com.br
        My SPAMTRAP, do not email it
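Added example, not the pastebin code from the post above: a PHP 7.1+ implementation of the two routines Leonardo names, producing the {SSHA256.HEX} layout the message describes (hex of SHA-256 over password followed by salt, then the salt itself). The 4-byte salt is derived from the quoted 72-hex-char length (36 bytes = 32-byte digest + 4); the constant names and the fixed sample salt are assumptions made for this example.

```php
<?php
// Added example: Dovecot-style SSHA256.HEX, i.e. hex( SHA256(password . salt) . salt ).
// The 72-hex-char body quoted in the post is 36 bytes: a 32-byte digest plus a 4-byte salt.

const SSHA256_PREFIX = '{SSHA256.HEX}';   // name assumed for this example
const SSHA256_SALT_BYTES = 4;             // derived from the 72-char length in the post

function HashedPassword(string $plain, ?string $salt = null): string
{
    // Fresh CSPRNG salt per password unless a fixed one is passed in (for tests only).
    $salt = $salt ?? random_bytes(SSHA256_SALT_BYTES);
    $digest = hash('sha256', $plain . $salt, true);
    return SSHA256_PREFIX . bin2hex($digest . $salt);
}

function VerifyHashedPassword(string $stored, string $plain): bool
{
    // Accept the stored value with or without the scheme prefix.
    $prefixLen = strlen(SSHA256_PREFIX);
    if (strncasecmp($stored, SSHA256_PREFIX, $prefixLen) === 0) {
        $stored = substr($stored, $prefixLen);
    }
    // Body must be even-length hex holding at least the 32-byte digest plus one salt byte.
    if (strlen($stored) % 2 !== 0 || strlen($stored) < 66 || !ctype_xdigit($stored)) {
        return false;
    }
    $raw = hex2bin($stored);
    $salt = substr($raw, 32);             // everything after the digest is the salt
    $expected = hash('sha256', $plain . $salt, true) . $salt;
    // Constant-time comparison so timing does not reveal how many bytes matched.
    return hash_equals($raw, $expected);
}

// Constructed sample with a fixed salt so the result is reproducible.
$hashed = HashedPassword('secret', "\x01\x02\x03\x04");
echo $hashed, "\n";
echo 'length: ', strlen($hashed), "\n";
echo 'with prefix:    ', var_export(VerifyHashedPassword($hashed, 'secret'), true), "\n";
echo 'without prefix: ', var_export(VerifyHashedPassword(substr($hashed, strlen(SSHA256_PREFIX)), 'secret'), true), "\n";
echo 'wrong password: ', var_export(VerifyHashedPassword($hashed, 'wrong'), true), "\n";
```

A plaintext value in the database (allowed by default_pass_scheme = PLAIN) fails the hex check and is rejected by VerifyHashedPassword, so a caller that must also accept plaintext rows has to handle that case separately.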



