Ps_auths password field with md5

In pjsip’s realtime ps_auths table, I want to programmatically store passwords as md5.
My plan is to get the password in plaintext and encrypt it using md5. If the user uses a plain password on a softphone, it should be able to authenticate.

Is it a good approach?

If you did it 8192 times, like WordPress does, it might be halfway acceptable. But there are still better approaches.

OK, so I have tried to encrypt using md5, then store the password in the md5_secret field in my database, and now my softphone is failing to authenticate.

Note: the password field is now blank; I am using the md5_secret field.

It’s not a good idea. I’m not even clear what you are proposing. SIP phones, by default, use hashes, but those hashes depend on information sent by the server, so what goes over the wire differs over time. Part of doing that requires that you are able to calculate the expected hash in the server, which you can only do with the plain text password, or, more precisely, by storing the exact value that goes into the calculation at the client end, as both could be hashes of what the user enters. In terms of password file compromise, that gives no advantage over plain text, except possibly it is more difficult for someone to remember from a chance exposure.

Thank you, I solved the problem by converting a plain text password into a hash using md5 in my code, then I stored the hashed password in the md5_creds field instead of the password field in my database, then changed the auth_type field value from userpass to md5. My users are now able to authenticate using their password in the softphone.
