Topic: Crypter.CheckPassword


Congratulations on the excellent CryptSharp Library. It's simply brilliant.
Now I am a script kiddie at max and I have a certain query.

I recently used this usage in one of my codes (to check if a word matches with the hash):

Crypter.CheckPassword(someWord, "$apr1$***********");

Now my understanding is that Apache APR MD5 uses a timeseed to generate random hashes, how do you still manage to match them using this library?
I will be really thankful for an explanation.


Re: Crypter.CheckPassword

Hi Jishan,

The format of a crypt string is (algorithm) (salt) (crypted password).

When you check a password, the algorithm and salt (the salt is the random part) are combined with the password to generate the crypted password. If the algorithm, salt, and crypted password all match, the password is correct. (As an aside: the salt is not secret -- the randomness is different for every user's password, so that someone can only break one password at a time, instead of all passwords in a database.)

Hope this helps,