[EP-tech] Re: Password Encryption
Tim Brody
tdb2 at ecs.soton.ac.uk
Wed Mar 13 17:21:14 GMT 2013

EPrints internal authentication uses two methods. Older accounts will
use a Unix salted 'crypt', which is limited to 8 characters.

New accounts use a repeated SHA-with-salt.

You can see which method is being used by inspecting the 'password'
column in the 'user' table. See EPrints::Const 'CRYPT' constants for
what the numerical method value means.

If you want to authenticate against the EPrints database, take a look at
EPrints::Utils::crypt_equals.

/Tim.

On Wed, 2013-03-13 at 09:38 +1000, Mark Gregson wrote:
> Yes but cryptographically that is not the whole picture. It's using a
> random salt (for rainbow and dictionary attacks) and what looks like a
> variant of the 'expensive key schedule' used in EksBlowfish (for brute
> force attacks). I’m sure it could be characterised in greater detail
> but I’m not an expert on these matters!
>
> Mark
>
> -----Original Message-----
> From: eprints-tech-bounces at ecs.soton.ac.uk
> [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of
> Dimitrakakis Georgios
> Sent: Wednesday, 13 March 2013 12:12 AM
> To: eprints-tech at ecs.soton.ac.uk
> Subject: [EP-tech] Re: Password Encryption
>
> So if I understand correctly it encrypts the passwords using the
> SHA512 algorithm, right?
>
> G.
>
> > Dimitrakakis Georgios wrote:
> >> Could someone point me to the right place in order to find the way in
> >> which user passwords are encrypted in the database using EPrints?
> >
> > look at EPrints::Utils::crypt()
> >
> > https://github.com/eprints/eprints/blob/master/perl_lib/EPrints/Utils.pm#L953
> >
> > ciao
> >
> > --
> > raffaele
> >
> > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > *** Archive: http://www.eprints.org/tech.php/
> > *** EPrints community wiki: http://wiki.eprints.org/
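
The two ideas discussed in this thread, a per-user random salt and a repeated (iterated) SHA hash, shown as an added Python example; it is not EPrints code and not part of the original messages. The record layout, iteration count and all function names are assumptions made for illustration, and the old crypt's 8-character limit is only modelled by truncation, not computed with crypt itself.

```python
import hashlib
import hmac
import os

# Hypothetical record layout "method$iterations$salt_hex$digest_hex".
# This is NOT the format EPrints stores in its 'user' table.
METHOD = "sha512-iter"
ITERATIONS = 10_000  # assumed work factor, chosen for this example


def legacy_significant(password):
    """Model only the 8-character limit of the old Unix crypt (no hashing)."""
    return password.encode()[:8]


def _stretch(password, salt, iterations):
    """Repeated salted SHA-512: each round re-hashes salt + previous digest."""
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(salt + digest).digest()
    return digest


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Create a record; a fresh random salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = _stretch(password.encode(), salt, iterations)
    return f"{METHOD}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        method, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        if method != METHOD or rounds < 1:
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = _stretch(password.encode(), bytes.fromhex(salt_hex), rounds)
    except ValueError:
        # Malformed record: wrong field count, bad hex or bad number.
        return False
    return hmac.compare_digest(candidate, expected)
```

Two passwords that share their first 8 characters are indistinguishable under the truncating model but produce different records under the iterated scheme, and the same password hashed twice yields different records because the salt differs.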