MySQL – How to verify the password generated by ENCRYPT

MySQL

I use the ENCRYPT function to generate passwords for my email users.

SELECT ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))

This function will generate a long encrypted string which looks something like this:

$6$103b1e8ad6b6db7d$CyTHP3ooA8N8uWtKmQOZFjRkTss60o3ckb6CPYG01uJqiLjGMFU0y9jtCA13MFtJ3LiPrKv5JVcfRaYg8B7YL0

Now my question is: how can I verify the password? What I want to do is store the encrypted password in the database. And I want my users to be able to modify their password as long as they provide the correct old password. So when the users provide their old passwords, I need to verify whether the old password they provided is correct or not.

Best Answer

When you store a password you have to store encrypt(password,salt) and salt for this user. To check if input from user is the right password you compare encrypt(input,salt) with the stored encrypted string. Check section 8.6.2, What Is Salt?, in Practical UNIX & Internet Security, by Simson Garfinkel & Gene Spafford from O'Reilly.
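The store-then-compare flow from the answer, written out as an added example (not code from the question or the answer). It assumes a hypothetical table `mail_users` with columns `username` and `password_hash`; those names and the sample passwords are constructed for illustration. MySQL's ENCRYPT() is a thin wrapper over the operating system's crypt(3), and with a "$6$" prefix glibc's crypt produces the "$6$<salt>$<hash>" string shown in the question, with the salt embedded in the result. Because crypt reads the salt back out of that prefix, the stored string itself can be passed as the salt argument when verifying, so a separate salt column is not required (storing one, as the answer suggests, also works).

```sql
-- Added example, not from the original post. Table and column names are hypothetical.
-- ENCRYPT() is deprecated in MySQL 5.7 and removed in 8.0; it returns NULL on
-- systems without crypt(3) (for example Windows), which the checks below treat as failure.

CREATE TABLE mail_users (
  username      VARCHAR(64)  PRIMARY KEY,
  password_hash VARCHAR(128) NOT NULL   -- the full "$6$<salt>$<hash>" string
);

-- Registration: generate a salt (the question's construction) and store the whole
-- crypt string. The salt is carried inside the result.
SET @new_pw = 'password';   -- constructed sample value
INSERT INTO mail_users (username, password_hash)
VALUES ('alice', ENCRYPT(@new_pw, CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))));

-- Verification: re-encrypt the candidate using the stored string as the salt
-- argument. crypt(3) takes the salt from the "$6$<salt>$" prefix, so the output
-- equals the stored value only when the candidate password is correct.
-- If ENCRYPT() returns NULL the comparison is NULL, i.e. not a match.
SET @old_pw_attempt = 'password';   -- what the user typed as their old password
SELECT username,
       ENCRYPT(@old_pw_attempt, password_hash) = password_hash AS password_ok
FROM   mail_users
WHERE  username = 'alice';

-- Password change guarded by the old-password check in the same statement,
-- so the row is only rewritten when the old password verifies.
SET @replacement_pw = 'correct horse battery staple';   -- constructed sample value
UPDATE mail_users
SET    password_hash = ENCRYPT(@replacement_pw, CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
WHERE  username = 'alice'
  AND  ENCRYPT(@old_pw_attempt, password_hash) = password_hash;

-- 1 when the old password was right, 0 when it was not.
SELECT ROW_COUNT() AS rows_changed;
```

Two practical caveats when doing this inside the database: the plaintext candidate travels in the SQL text, so it will appear in the general query log (and possibly the slow log) if those are enabled, and MySQL's RAND() is not a cryptographic generator, so the question's salt construction is fine for uniqueness but should not be relied on for anything that needs unpredictability.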