I would try to generate crypt passwords for everybody, you can crypt the ones
that aren't (the other way back would be difficult...).
And I think having all passwords crypted will be more serious...
A Dimarts 31 Maig 2005 17:07, Tony Finch va escriure:
> On Tue, 31 May 2005, Gall Anonim wrote:
> > I have such problem, that i need to authenticate my users from mysql
> > database, some of them have password stored in plaintext. Others have
> > crypted. Now I need to autenticate them all, and i cant separate with
> > usernames. I need to migrate service and it have to be done
> > transparently.
>
> Try a plaintext match and if that fails try a crypt match? Horribly
> insecure (it makes crypted passwords equivalent to plaintext passwords
> because you can type in your crypted password to authenticate yourself)
> but it will allow you to migrate to all-crypted, at which point you can
> turn off the plaintext matching. If you're using a modern crypt() you can
> improve the security by checking the format of the stored password and
> not allowing plaintext matches for passowrds that appear to be crypted.
>
> Tony.
> --
> <fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
> N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
> \N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
--
Agustí Rivero
xarxes@???
Telf. 902 36 14 84
Ilimit Comunicacions
