ISPConfig only supports MD5 passwords.
MD5 passwords are insecure, and ISPConfig should really use SHA256 or SHA512 passwords where possible. Below is some example code which could easily be used to support multiple password types. It can currently support DES, Extended DES, MD5, Blowfish, SHA256 and SHA512. I've left debug info in, and it's based on the password code currently in ISPConfig. It still needs changes to select which hash to use, and it would likely be improved by allowing the administrator to select which hash algorithm to use in the web interface, along with some code to detect when a password using an old hash has been entered and update it on the fly to use the currently selected one. (This would allow installations to change from MD5 to SHA-256/SHA-512 without causing users to reset their passwords.)
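// Demo script: hash one test password with every crypt() scheme this PHP build
// reports as available and print each result with its length.
// The output is debug information only; printed values are password hashes.
// NOTE(review): crypt() reports failure through its return value (per the PHP
// manual, a string shorter than 13 characters that differs from the salt), so
// code that stores the result must check for that before saving it.
// NOTE(review): on PHP >= 5.5, password_hash() / password_verify() /
// password_needs_rehash() cover hashing and the "upgrade the hash on login"
// flow without hand-built salts.
$password = 'TemporaryPasswordForTest';

// crypt(3) salt alphabet: "./", digits, upper case, lower case.
// The previous alphabet started with '+', which is outside this set, so DES and
// Extended DES salts could contain a character that is not a valid salt character.
$base64_alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

if (!function_exists('crypt_demo_salt')) {
    /**
     * Build a random salt fragment.
     *
     * Uses random_int() (CSPRNG) when the running PHP provides it and falls
     * back to mt_rand() on older versions, so the script still runs there.
     *
     * @param int    $length   Number of characters to generate.
     * @param string $alphabet Characters to draw from.
     *
     * @return string $length characters taken from $alphabet.
     */
    function crypt_demo_salt($length, $alphabet)
    {
        $max = strlen($alphabet) - 1;
        $use_csprng = function_exists('random_int');
        $salt = '';
        for ($n = 0; $n < $length; $n++) {
            $index = $use_csprng ? random_int(0, $max) : mt_rand(0, $max);
            $salt .= $alphabet[$index];
        }

        return $salt;
    }
}

if (CRYPT_STD_DES == 1) {
    // Standard DES: two salt characters. Listed for completeness only.
    $salt = crypt_demo_salt(2, $base64_alphabet);
    $outpass = crypt($password, $salt);
    // " Len: " separator added so the length is not glued onto the hash.
    echo 'Standard DES: ' . $outpass . " Len: " . strlen($outpass) . "\n";
}

if (CRYPT_EXT_DES == 1) {
    $algorithm = "_";
    $cost = 'zz..'; // 4 bytes of iteration count.
    // Extended DES salt: "_" + 4 characters of count + 4 characters of salt.
    $salt = $algorithm . $cost . crypt_demo_salt(4, $base64_alphabet);
    $outpass = crypt($password, $salt);
    echo 'Extended DES: ' . $outpass . " Len: " . strlen($outpass) . "\n";
}

if (CRYPT_MD5 == 1) {
    // MD5-crypt: "$1$" + 8 salt characters + "$". This is the scheme the
    // accompanying text wants to move away from.
    $salt = '$1$' . crypt_demo_salt(8, $base64_alphabet) . '$';
    $outpass = crypt($password, $salt);
    echo 'MD5: ' . $outpass . " Len: " . strlen($outpass) . "\n";
}

if (CRYPT_BLOWFISH == 1) {
    # $2$ (old broken behaviour) $2b$ (new behaviour, same as $2y), $2x$ (old broken behaviour)
    if (version_compare(PHP_VERSION, '5.3.7') >= 0) {
        $algorithm = '2y'; // BCrypt, with fixed unicode problem
        // $algorithm = '2b';
    } else {
        $algorithm = '2a'; // BCrypt
        // $algorithm = '2x';
    }
    // Should be between 04 and 31.
    // NOTE(review): 08 is a low work factor; password_hash() defaults to 10 or
    // more. Choose the value against the acceptable login latency.
    $cost = '08';
    // 22 salt characters; the alphabet already matches what bcrypt accepts, so
    // the former '+' -> '.' substitution is no longer needed.
    $salt = '$' . $algorithm . '$' . $cost . '$' . crypt_demo_salt(22, $base64_alphabet);
    $outpass = crypt($password, $salt);
    echo 'Blowfish: ' . $outpass . " Len: " . strlen($outpass) . "\n";
}

if (CRYPT_SHA256 == 1) {
    $algorithm = '$5$';
    $cost = 'rounds=5000';
    $salt = $algorithm . $cost . '$' . crypt_demo_salt(16, $base64_alphabet) . '$';
    // The rounds field is stripped from the stored hash. That is only safe
    // while $cost stays at 5000, the value used when no rounds field is present.
    $outpass = str_replace('rounds=5000$', '', crypt($password, $salt));
    echo 'SHA-256: ' . $outpass . " Len: " . strlen($outpass) . "\n";
}

if (CRYPT_SHA512 == 1) {
    $algorithm = '$6$';
    $cost = 'rounds=5000';
    $salt = $algorithm . $cost . '$' . crypt_demo_salt(16, $base64_alphabet) . '$';
    // Same rounds stripping as for SHA-256; changing $cost requires keeping
    // the rounds field in the stored hash.
    $outpass = str_replace('rounds=5000$', '', crypt($password, $salt));
    echo 'SHA-512: ' . $outpass . " Len: " . strlen($outpass) . "\n";
}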