
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.bbs.mystic      Mystic Sysops are mystical nerds...      11,842 messages   


   Message 9,906 of 11,842   
   g00r00 to All   
   Re: Password Salt   
   29 Apr 21 11:20:28   
   
   From: nospam.g00r00@f215.n129.z1.fidonet.org   
      
    AG> As mentioned before, I'm working on an API that will read certain   
    AG> aspects of the  data for a client of mine and all I have left to do is   
    AG> to synch up the password  hashes.  Does anyone know what salt was used   
    AG> to create the hashes?  That way I can do an active comparison of   
    AG> passwords and not use unencrypted storage.   
      
   The intention of authentication from external sources was to force people to   
   call Mystic either via a series of REST API calls (one to establish a   
   preliminary session and token ID, and another to authenticate a password), or   
   by running Mystic with the -AUTH command line (which will spit out TRUE/FALSE   
   to STDIO).   
      
   To answer your question though, the passwords are a 512-bit PBKDF2 with variable   
   iterations and a randomized salt.  I try not to talk about specifics too much   
   publicly because in addition to the PBKDF2 there is also an element of   
   security through obscurity too.   
      
   I go back and forth as to whether or not I should document how to handle the   
   hashes directly for something like what you want to do.  But I would certainly   
   hate for that to be the cause for someone to enable cleartext passwords (which   
   is a feature I have considered removing as well).   
      
   Would the STDIO or REST API work for you as an alternative or is what you are   
   doing designed to work directly with data files only?   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
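
Added example, not part of the original message and not Mystic's actual hash format (which the post leaves undocumented): a sketch of how a 512-bit PBKDF2 hash with a randomized salt and variable iterations is created and checked, showing that each record carries its own salt and iteration count, so there is no single salt to look up. The HMAC-SHA-512 PRF, the 16-byte salt, the iteration range and the record layout are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

DKLEN = 64            # 512-bit derived key, as stated in the post
SALT_LEN = 16         # assumption: salt length is not given in the post
BASE_ITERATIONS = 200_000   # assumption: illustrative work factor
ITERATION_JITTER = 50_000   # assumption: "variable iterations" modelled as per-record jitter


def make_record(password: str, iterations: Optional[int] = None) -> dict:
    """Hash a password into a self-describing record (hypothetical layout)."""
    if iterations is None:
        iterations = BASE_ITERATIONS + secrets.randbelow(ITERATION_JITTER)
    salt = os.urandom(SALT_LEN)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    # Salt and iteration count are stored next to the hash; neither is secret.
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute PBKDF2 with the record's own parameters and compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha512",
        password.encode("utf-8"),
        record["salt"],
        record["iterations"],
        dklen=len(record["hash"]),
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    first = make_record("correct horse")
    second = make_record("correct horse")
    print("same password, same hash? ", first["hash"] == second["hash"])
    print("verify good password:     ", verify("correct horse", first))
    print("verify bad password:      ", verify("wrong horse", first))
```
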
