
How are MD5 hashes for MagicDirectory generated?

Hello,


I'm playing with MagicDirectory and am looking for some way to automatically create the necessary folder with the username and a hashed password. I already have a true MD5 hash of the desired password, and could (with some effort) get the cleartext password and convert it to anything I need.  In the plugin Advanced tab I do not check the 'random password' option, but have checked the "MD5 hash passwords" option.


I see from the CrushFTP7 log file that MagicDirectory looks for directories in a format similar to username--MD5_ADE5E6 ... whereas a typical MD5 hash is a 32-character string.


I would be fine with creating a folder name like user--MD5_0cc175b9c0f1b6a831c399e269772661, but that didn't work.


So then how is this 6-character string generated?  Is there something simple I can implement in perl/php/sql to get a compatible string or convert my existing 32-char MD5 strings into something MagicDirectory can use?


If not, is there any other method I can use to take a cleartext password and generate the necessary file format so that I don't code the cleartext password as part of the directory name?


Thanks


Best Answer

The 6 characters are the last 6 characters.  We had to do this because of Windows and short limited path names that can only contain 256 characters in total, and people tend to build elaborate dir structures...


This means the MD5 hashed password is less secure (more passwords could match the hash), however since CrushFTP doesn't allow password guessing, it's negated.


Thanks,

Ben


I figured this out already ... the 6 characters appended to the directory name are the last 6 characters of the 32 character MD5 string converted to uppercase.
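The naming rule described in this thread (last 6 hex characters of the MD5 digest, uppercased, after `--MD5_`), as an added Python example that is not CrushFTP's own code. The function names are hypothetical, the username check is an extra precaution of this example, and hashing the cleartext as unsalted UTF-8 is an assumption.

```python
import hashlib
import re

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")
SUFFIX_LEN = 6  # hex characters kept, per the answer above (24 bits of the digest)


def suffix_from_hash(md5_hex: str) -> str:
    """Last 6 hex characters of a full MD5 digest, uppercased."""
    if not MD5_HEX.fullmatch(md5_hex):
        raise ValueError("expected a 32-character hex MD5 digest")
    return md5_hex[-SUFFIX_LEN:].upper()


def suffix_from_password(password: str) -> str:
    # Assumption: the password is hashed as UTF-8 bytes with no salt.
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return suffix_from_hash(digest)


def folder_name(username: str, md5_hex: str) -> str:
    # Extra precaution (not from the thread): reject names that would alter
    # the path or collide with the "--" separator.
    if not username or "--" in username or re.search(r'[\\/:*?"<>|]', username):
        raise ValueError("username is empty or not safe in a folder name")
    return f"{username}--MD5_{suffix_from_hash(md5_hex)}"


def parse_folder_name(name: str):
    """Split 'user--MD5_XXXXXX' into (user, suffix); None if it does not match."""
    m = re.fullmatch(r"(.+?)--MD5_([0-9A-F]{6})", name)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    full = "0cc175b9c0f1b6a831c399e269772661"  # the digest quoted in the question
    print(folder_name("user", full))
    # Number of distinct suffix values a 6-hex-character tail can take.
    print(16 ** SUFFIX_LEN, "possible suffix values")
```

The full 32-character folder name from the question fails `parse_folder_name`, which matches the behaviour the asker observed.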
