How do I verify a user's password?



The fundamental problem here is that various authentication systems
exist, and passwords aren't always what they seem. Also, even with the
traditional one-way encryption method used by most UNIX flavours (out of
the box), the encryption algorithm may differ: some systems use a
one-way DES encryption, while others, like the international release of
FreeBSD, use MD5.



The most popular way is to have a one-way encryption algorithm, where
the password cannot be decrypted. Instead, the password is taken in clear
text from input, encrypted, and checked against the encrypted
password in the database. The details of how to encrypt should really
come from your man page for crypt(), but here's a usual version:




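#include <string.h>
#include <unistd.h>   /* crypt(); some systems declare it in <crypt.h> */

/* given a plaintext password and an encrypted password, check if
 * they match; returns 1 if they match, 0 otherwise.
 */

int check_pass(const char *plainpw, const char *cryptpw)
{
    /* crypt() returns NULL on failure (e.g. a salt it cannot use) */
    const char *result = crypt(plainpw, cryptpw);

    return result != NULL && strcmp(result, cryptpw) == 0;
}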



This works because the salt used in encrypting the password is stored as
an initial substring of the encrypted value, so passing the stored value
as the second argument to crypt() makes it reuse the original salt.
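
To make the "initial substring" concrete, here is an added example (not part of the original FAQ) that pulls that leading portion out of a stored value and reports which of the two schemes mentioned above produced it. The function name pw_setting and the PW_* labels are this example's own; the layouts it checks (13 characters with a 2-character salt for traditional DES, and "$1$salt$hash" for MD5) are the usual forms of those formats and are not spelled out on this page.

```c
#include <stdio.h>
#include <string.h>

enum pw_scheme { PW_INVALID = 0, PW_DES, PW_MD5 }; /* example's own labels */

static const char B64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Copy the leading "setting" of a stored hash (what crypt() reads back
 * as its salt argument) into out and report which scheme produced it.
 * Locked or malformed fields such as "*" or "" yield PW_INVALID. */
enum pw_scheme pw_setting(const char *stored, char *out, size_t outlen)
{
    enum pw_scheme scheme;
    size_t n;
    if (stored == NULL || out == NULL || outlen == 0)
        return PW_INVALID;
    out[0] = '\0';
    if (strncmp(stored, "$1$", 3) == 0) {
        /* MD5 form: "$1$", up to 8 salt chars, "$", 22 hash chars */
        n = strspn(stored + 3, B64);
        if (n > 8 || stored[3 + n] != '$')
            return PW_INVALID;
        if (strspn(stored + 4 + n, B64) != 22 || stored[26 + n] != '\0')
            return PW_INVALID;
        n += 3;                      /* setting is "$1$salt" */
        scheme = PW_MD5;
    } else if (strlen(stored) == 13 && strspn(stored, B64) == 13) {
        n = 2;                       /* traditional DES: 2-char salt */
        scheme = PW_DES;
    } else
        return PW_INVALID;
    if (n >= outlen)                 /* caller's buffer is too small */
        return PW_INVALID;
    memcpy(out, stored, n);
    out[n] = '\0';
    return scheme;
}

int main(void)
{
    /* Constructed strings with the right shape; not hashes of anything. */
    const char *samples[] = { "ab0123456789A",
        "$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV", "*" };
    char buf[16];
    for (size_t i = 0; i < 3; i++)
        printf("%d [%s]\n", pw_setting(samples[i], buf, sizeof buf), buf);
    return 0;
}
```

A check like this is useful before calling check_pass(): a locked or malformed field is rejected up front, and an audit can count how many accounts still carry the older DES form.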



WARNING: on some systems, password encryption is actually done
with a variant of crypt called bigcrypt().





