Knowledgebase
How to test a password crypt
If you have a password crypt and are not sure if it's correct, and wish to test it manually, you can do so with php.
The way I do it is to type "php" and type in the script via stdinput (keyboard) and press ctrl-d to execute it, but if you're not comfortable, you can add the script to a file and pass the file to php (either via the shell or apache).
Assumptions:
1) the password in this example is
2) the salt for this crypt is (MD5)
I'll show the example in 2 steps, to show you first how the crypt is made, then how it's checked (they're essentially the same, with slight differences). The bold text is the output generated by the script.
To generate a crypt for the password using the salt:
To verify if the password you're using is correct for this crypt, we repeat the similar code, passing the entire crypt (which gives the crypt() function the salt we're looking for, since the salt is part of the crypt, if you'll notice. If the output of the crypt() funciton matches the stored crypt, then the password is correct. If it does not match, you've got a wrong password.
***NOTE*** it's very important to use single 'quotes' and *not* double "quotes" with the salt in the crypt() function. This is because in php, with double "quotes", the salt would be treated as empty variables.. since $xx is a variable in php. So with single 'quotes', the salt is treated exactly as you type it. With double "quotes", the salt is treated as 3 variables: $1, $asdf1234, and $whateverelse, which would basically give you an empty salt since chances are these are not filled with anything.
The way I do it is to type "php" and type in the script via stdinput (keyboard) and press ctrl-d to execute it, but if you're not comfortable, you can add the script to a file and pass the file to php (either via the shell or apache).
Assumptions:
1) the password in this example is
2) the salt for this crypt is (MD5)
I'll show the example in 2 steps, to show you first how the crypt is made, then how it's checked (they're essentially the same, with slight differences). The bold text is the output generated by the script.
To generate a crypt for the password using the salt:
echo crypt('password1234','$1$asdf1234$');
?>
To verify if the password you're using is correct for this crypt, we repeat the similar code, passing the entire crypt (which gives the crypt() function the salt we're looking for, since the salt is part of the crypt, if you'll notice. If the output of the crypt() funciton matches the stored crypt, then the password is correct. If it does not match, you've got a wrong password.
echo crypt('password1234','$1$asdf1234$7amUjHHdQx2N3dPJsKgUg0');
?>
$1$asdf1234$7amUjHHdQx2N3dPJsKgUg0
***NOTE*** it's very important to use single 'quotes' and *not* double "quotes" with the salt in the crypt() function. This is because in php, with double "quotes", the salt would be treated as empty variables.. since $xx is a variable in php. So with single 'quotes', the salt is treated exactly as you type it. With double "quotes", the salt is treated as 3 variables: $1, $asdf1234, and $whateverelse, which would basically give you an empty salt since chances are these are not filled with anything.