Crypto.Hash for htaccess

Hi, I play with ":CryptoExample.xojo_binary_project in the folder “Framework” of “Example Projects”.
And I try to obtain the same result as on this page :
I enter in the left TextArea :

MyUser1 MyPassword1
MyUser2 MyPassword2

I choose “MD5” and I click the button under the right TextArea “Générer le contenu du fichier htpasswd” = “Generate content of file htpasswd”.
The result is :


In the “Pressed” event of “GenerateButton” of the Xojo project, I removed the EncodeHex() :
ResultArea.Text = EncodeHex(hash)
ResultArea.Text = hash

If I enter “MyPassword1” in the Xojo project and choose MD5, the result is “�’MVR��"�����E�_”.
How to get the result “QRcPnCFU$zac2iljvdiBqtP0ramNJn/”

Use htpasswd or openssl:

Edit: MD5 is not the same as MD5 (APR).

1 Like

Ahh, it is specific to Apache. Then the Xojo algorithm is not the same? There are many MD5 ???

MD5 produces binary data, which is usually encoded in hex for display/editing:

result = EncodeHex(result)

I got the impression from someone that the crypto lib can support these things, we just need to request the algorithms we need.

Would someone make a ticket that provides the things we need to Bcrypt? Or should I just make a ticket for “Please add bcrypt methods to Crypto”? The Module Kem wrote is too slow to use for serious matters, and currently you need plugins as a workaround.

I’m okay with plugins, but it’d be cool to be able to use Bcrypt with the framework if it can already support it. Especially to promote secure password hashing with Web 2.0 apps.

Sorry to derail, it’s sort of related and I’ve been pondering this for a while.

I agree that this should be added natively, but…

We use that module in production code and have for years. When compiled in Aggressive mode, it is around as fast, or even faster than, other implementations I’ve tested.

You’ll have more luck if you are very specific about what you need.

That’s what I was hoping someone else knew. I don’t know the technicals beyond how to do this with M_Crypt, Einhugur, and MBS. I can describe how I want it to work, but not the crypto lib we need.

For my own use, we just use Shell class to run htpasswd command line tool to make a password if needed.

MD5 APR uses a random salt. If you run the same password twice you will get 2 different hashes for the same “password”. You just can’t compare it. There’s a validation algorithm for it. You must provide the MD5 APR hash originated with an unknown salt, the tentative password, and the algorithm will return true/false if it’s a valid hash for such password.

Thank you all. I search how to use the Shell command “htpasswd” and the code below seems to work :

Dim CdeShell as New Shell
Dim TampText as String

CdeShell.Execute "htpasswd -n -b -m " + DataUser.Text + " " + DataPassword.Text
If CdeShell.ExitCode = 0 Then '  -m  (MD5) is the default
  TampText = CdeShell.Result
  TampText = ""
End If

TampText contains the line I need : “MyUserName:MyEncryptPassword” .