Re: Storing encryted passwords in MySQL

From 'man 3c crypt' in my gcc installation:

       By taking the lowest 7 bits of each  of  the  first  eight
       characters  of  the  key,  a 56-bit key is obtained.  This
       56-bit key is used to encrypt repeatedly a constant string
       (usually  a string consisting of all zeros).  The returned
       value points to the encrypted password,  a  series  of  13
       printable  ASCII characters (the first two characters rep-
       resent the salt  itself).   The  return  value  points  to
       static data whose content is overwritten by each call.
[download]

You are limited to 8 characters for the password no matter how many input characters are allowed. Also, the output will be exactly 13 characters long.

If you want to allow longer passwords, look at MD5 instead of crypt. Your passwords can be arbitrarily long and the resulting hash will be 32 characters for hex and 22 for base64.

HTH

Comment on Re: Storing encryted passwords in MySQL Download Code

Replies are listed 'Best First'.
Re: Re: Storing encryted passwords in MySQL by spacewarp (Pilgrim) on Jun 06, 2003 at 20:18 UTC
This was the first data I came across, but it doesn't mesh with what I'm seeing on my system. My login password is 10 characters (for my convenience), and the encrypted output seems to be 34 characters, as are several others, thus leading to my question here. Spacewarp `DISCLAIMER:<BR> Use of this advanced computing technology does not imply an endorsemen +t<BR> of Western industrial civilization.<BR>` [download]	[reply] [d/l]
Re: Re: Re: Storing encryted passwords in MySQL by pzbagel (Chaplain) on Jun 06, 2003 at 20:46 UTC
What OS are you running? Newer distributions of Linux typically use MD5 password hashes rather than crypt.	[reply]
Re: Re: Re: Re: Storing encryted passwords in MySQL by waswas-fng (Curate) on Jun 06, 2003 at 21:12 UTC
/etc/shadow (crypt shadow files at least) store 13 chars because the salt that is ues is stored as well as the encrypted password. May I suggest using MD5 digests for the passwords you are storing -- they have two advantages, first they allow long passwords, second crypt has some parts to it that make it easy to brute force (if not completely break it depending on its implementation). `For an example on the /etc/shadow files you may think of it this way: Get actual cripted password salt from shadow: $salt = substr($password_string_from_shadow, 0, 2); $newpass = $salt . crypt($string_i_think_is_password,$salt); $newpass is now a string you can push back to password file...` [download] -Waswas	[reply] [d/l]
Re: Re: Re: Re: Storing encryted passwords in MySQL by spacewarp (Pilgrim) on Jun 06, 2003 at 23:59 UTC
Aha.. that could be it. I'm running Redhat 6.2. Thanks so much for your help. Spacewarp `DISCLAIMER:<BR> Use of this advanced computing technology does not imply an endorsemen +t<BR> of Western industrial civilization.<BR>` [download]	[reply] [d/l]