sri0529 has asked for the wisdom of the Perl Monks concerning the following question:

use strict;
use warnings;

my $pw = '6yJi';
my $salt = 'uppu';
my $encpw = crypt $pw, $salt;
print $encpw. "\n";

print "Your password: ";
chomp (my $readpw = <STDIN>);
if ($encpw eq crypt ($readpw, $encpw)) {
    # ================> even if $encpw is replaced with $salt it works, both work.
    print "Password OK\n";
} else {
    print "Password NOT OK\n";
}

Question: Original crypt used salt value: "uppu". During password comparison: using originally encrypted password, instead of same salt "uppu". This program works either way, negating the use of salt to make it unique. How is this working? Pls clarify.

Re: understand crypt
by holli (Abbot) on May 29, 2019 at 22:51 UTC
    As LanX says, just to clarify:
    D:\>perl -e "print crypt('foo', 'bar');"
    ba4TuD1iozTxw # note the hash starts with ba
    D:\>perl -e "print crypt('foo', 'ba');" # same as above
    ba4TuD1iozTxw
    D:\>perl -e "print crypt('foo', 'b4r');" # and this one starts with b4
    b4aMdyw.oyhyI
    D:\>perl -e "print crypt('foo', 'b4');" # and this one starts with b4
    b4aMdyw.oyhyI
    Hence feeding a crypted value as salt into crypt is equivalent to using the original salt.


    holli

    You can lead your users to water, but alas, you cannot drown them.
Re: understand crypt
by LanX (Saint) on May 29, 2019 at 22:26 UTC
    > even if $encpw is replaced with $salt it works, both work.

    IIRC only the first 2 bytes of a salt are relevant, and crypt creates a 13-byte string including the original salt in the first 2 characters.

    See crypt

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery
    FootballPerl is like chess, only without the dice

Re: understand crypt
by afoken (Chancellor) on May 31, 2019 at 14:50 UTC

    By the way: Did you know that crypt depends on OS, OS version, and perhaps on OS configuration? Perl's crypt is just a thin wrapper around crypt(3) in the libc. The libc is free to choose ANY algorithm. So crypt("AAA","BBB") running on one system may return something completely different when running on some other system. It may even choose to completely ignore the salt parameter. And to make things even more complicated: On some systems, crypt() is either not implemented at all (like Android) or it depends on how perl was compiled (Windows).

    Further information:

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      A nice overview about current hashing algorithms:
      Passwords should be hashed with either PBKDF2, bcrypt or scrypt, MD-5 and SHA-3 should never be used for password hashing and SHA-1/2(password+salt) are a big no-no as well. Currently the most vetted hashing algorithm providing most security is bcrypt.
      Digest::Bcrypt


      holli

      You can lead your users to water, but alas, you cannot drown them.

        That reads as good advice but it's from 2013 and security info that isn't extremely current should be taken with a grain of salt, as it were.

        Note from Digest::Bcrypt’s POD: While maintenance for Digest::Bcrypt will continue, there's no reason to use Digest::Bcrypt when Crypt::Eksblowfish::Bcrypt already exists. We suggest that you use Crypt::Eksblowfish::Bcrypt instead.
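
An added example, not part of the thread or any poster's code: it shows why passing the stored hash back to crypt works (the salt is read from its prefix) and how a verifier can cope with a libc that cannot process the entry, as afoken's reply warns. The function names crypt_setting and verify_password are hypothetical; the stored value is the one quoted in holli's reply.

```perl
use strict;
use warnings;

# Return a scheme label and the part of a stored crypt(3) string that crypt()
# reads back as its "salt" argument. Handles only the two shapes below.
sub crypt_setting {
    my ($stored) = @_;
    return unless defined $stored;
    # Traditional DES: 13 chars of [./0-9A-Za-z]; the first 2 are the salt.
    return ('des', substr($stored, 0, 2))
        if $stored =~ m{\A[./0-9A-Za-z]{13}\z};
    # Modular crypt format: the leading $id$ names the algorithm and the libc
    # locates the salt itself, so the whole string is handed back.
    return ("mcf:$1", $stored) if $stored =~ m{\A\$([0-9A-Za-z]+)\$.};
    return;    # empty, locked ("*", "!") or corrupted entry
}

# Returns 1 = match, 0 = mismatch, undef = entry cannot be checked here.
sub verify_password {
    my ($candidate, $stored) = @_;
    my ($scheme) = crypt_setting($stored);
    return undef unless defined $scheme;
    my $got = crypt($candidate, $stored);
    # Assumption: an unsupported scheme shows up as undef, or (libxcrypt)
    # as a short failure token that starts with "*".
    return undef if !defined $got || $got =~ m{\A\*};
    return $got eq $stored ? 1 : 0;
}

# Constructed check using the value from holli's reply on this page.
my $stored = 'ba4TuD1iozTxw';    # crypt('foo', 'bar') per the thread
my ($scheme, $salt) = crypt_setting($stored);
print "scheme=$scheme salt=$salt\n";
for my $try ('foo', 'f00') {
    my $r = verify_password($try, $stored);
    printf "%-4s => %s\n", $try,
        !defined $r ? 'cannot verify on this platform' : $r ? 'OK' : 'NOT OK';
}
# A locked or garbage entry is rejected before crypt() is ever called.
print defined(verify_password('foo', '*')) ? "accepted '*'\n" : "rejected '*'\n";
```

The undef result is kept distinct from a mismatch so that a platform without the stored scheme is reported as a configuration problem and not as a wrong password.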