good chemistry is complicated, and a little bit messy -LW |
|
PerlMonks |
Re: Re: Adduser & Cryptby no_slogan (Deacon) |
on Aug 13, 2002 at 16:28 UTC ( [id://189858]=note: print w/replies, xml ) | Need Help?? |
It's worth pointing out that your code assumes the old DES-based crypt algorithm, which is highly crackable with modern hardware. A lot of systems are switching to MD5 crypt (which uses special salts that start with "$1$") or eksblowfish ("$2x$"). You might experiment with your particular crypt function and see if it accepts salts of this form.
The output above is from a slackware system. It recognized "$1$bar$" as an MD5 salt, and kept the entire string in its output. However, it interpreted "$2x$bar$" as an old-style DES salt, and only kept the first two characters. If your system accepts both MD5 and DES crypted passwords (like mine), you want to make sure you're using MD5 -- John cracks DES 30 times faster than MD5 on my machine. Here's a trick I've seen for generating salts. What do you think? This way, you don't need to include the details about crypt's output character set in your code. Why rand().rand()? Some rand implementations have a 32-bit internal state but only output 16 bits of randomness per call. (Notably, Solaris libc and whatever ActiveState for Win32 is built against both do this.) Update: Tweak, tweak. Turns out the last byte of the crypted pass doesn't hold a full 6 bits of information, so avoid it. This doesn't make much difference with MD5 (since rand is never going to give you 48 bits of real information anyway), but it's a big hit against a DES-based salt.
In Section
Seekers of Perl Wisdom
|
|