Hi all,
I am writing a perl login script for a website, and I have to crypt the
password in order to improve the security. I am using crypt() in perl for
that purpose.
Now, I want to make a page for those people who lost their passwords. And I
want to send them by sendmail. The problem is that I don't know how to
decrypt the crypted password. Anyone can help?

Billy

Which part of the second paragraph of the crypt documentation don't you
understand?

Or even:

perlfaq8: How do I decode encrypted password files?

I guess you're to lazy to read, which is a coincidence since I'm too lazy
to give you the answer too.

--
Sam

Computers in the future may weigh no more than 1.5 tons.
        --Popular Mechanics, 1949

Yeah, forget it.  The crypt() function is one-way.  It means you
cannot reverse it.  Your only option is to generate a new password
(preferably random), and send it to the guy.

  (This is not completely true, of course, you could crack the
crypt()ed password, but since the only certain way for that is
brute-force, I do not consider it to be a good alternative.)

  And this has probably nothing to do with Perl.

Roland.
--
Les francophones m'appellent Roland Mas,
English speakers call me Rowlannd' Mass,
Nihongode hanasu hitoha [Lolando Masu] to iimasu.
Choisissez ! Take your pick ! Erande kudasai !

One workaround could be to have another file that has their email
address encrypted and the password not. When they put in their email
address you simply compare them to the encrypted one and when it finds a
match, bingo.

--

Keith

*****************************************************

        http://www.justanotherwebsite.com

        http://www.powersolution.com

        "I looked up one day and saw, it was up to me.
        Well you can only be a victim if you admit defeat!"
        - From "Coolidge" by The Descendents

Please disregard this post from my fellow countryman.
We here "DownUnder" are not all as bad mannered as he appears to be.

His e-mail address belies his actual IQ.

--
Regards
Luke
PLEASE NOTE: Spamgard (tm) installed.
----
When the only tool you own is a hammer,
all problems begin to resemble nails.
----
http://www.bell-bird.com.au

----

Godd idea ... except when the user changes their e-mail address ... and
subsequently forgets what that was too ...

Some one once said ...
"You can make something fool proof, but you'll never make it _damn_ fool
proof!"

As Roland Mas stated earlier, crypt is one way ... best give them a new
password after verification that the user is infact who they say they
are.

--
Regards
Luke
PLEASE NOTE: Spamgard (tm) installed.
----
When the only tool you own is a hammer,
all problems begin to resemble nails.
----
http://www.bell-bird.com.au

----

If it's a small site with a limited number of users the webmaster could
keep a separate personal file of the passwords on a remote server (or his
home box). I do this on a couple of domains I admin.  In these situations
the basic idea is to keep hackers from breaking into the system and
gaining access to the passwords.  Since I can easily verify the identities
of most of the people who access the system it's not hard to verify
legitimate requests for lost passwords.

On a larger system it would be better to send an authentication request
for a new password to the email address of record.  Then it's up to them
to respond via whatever method the program dictates - email, web
interface, etc., to either create a new password or receive a random
computer generated password.

crypt() was designed so that it can't be unencrypted.   The only method I
know of to try to crack a crypted password is to write a program that
tries all the possibilities.  If you try this make sure you have a fast
processor.  The last time I made the flags I incorporated in the program
indicated that it could take between 3 and 6 months of the program running
24/7 to crack one password.

Glen