Right. Knowing the salt is half the battle in cracking the password.
In addition to the suggestions of our fellow monks, I can add two more points.
Use a random salt and store the password in such a way that it will be extremely difficult for someone to obtain, such as a configuration file readable only by the application itself. Some example code follows:

    use strict;
    use warnings;

    # the 64 characters crypt() accepts in a salt: . / 0-9 A-Z a-z
    my @salt_chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');

    my $pass;
    $| = 1;
    print "password: ";
    chomp($pass = <STDIN>);
    print crypt_pass($pass), "\n";
    exit;

    sub crypt_pass {
        my $p = shift;
        return unless $p;
        # two random characters drawn from the salt alphabet
        # (chr(65+rand(27)) could produce '[', which is not a valid salt character)
        my $salt = join '', map { $salt_chars[rand @salt_chars] } 1..2;
        return crypt($p, $salt);
    }
Another thing you can do is use the first two characters of the password as the salt, then strip those two characters off before you store it.
    use strict;
    use warnings;

    my $pass;
    $| = 1;
    print "password: ";
    chomp($pass = <STDIN>);
    print crypt_pass($pass), "\n";
    exit;

    sub crypt_pass {
        my $p = shift;
        return unless $p;
        # crypt() takes its salt from the first two characters of the second
        # argument, here the password itself; those two characters are then
        # stripped off so the stored value does not reveal them
        my $cpass = substr(crypt($p, $p), 2);
        return $cpass;
    }
In reply to Re: What's the idea of different salts in crypt()?
by oneiros
in thread What's the idea of different salts in crypt()?
by jeorgen
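Added example (not code from the post or the thread): a Python illustration of the two points above, with PBKDF2-HMAC-SHA256 standing in for crypt(3) since any salted derivation shows the same salt behaviour. The password "hunter2", the two-user scenario, and the helper names are constructed for this demonstration. It shows why the random salt must be drawn from crypt's 64-character alphabet (a check that rejects the '[' a 27-wide chr(65+rand(27)) can emit), how verification recovers the stored salt, and one property of the first-two-characters scheme worth knowing as a defender: because the salt is derived from the password rather than chosen per user, two users with the same password end up with the same stored value.

```python
import hashlib
import hmac
import secrets

# The 64 characters classic crypt(3) accepts in a salt: . / 0-9 A-Z a-z
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def is_valid_salt(salt):
    """True only if the salt is at least two characters, all from the crypt alphabet.
    A generator such as chr(65 + rand(27)) can emit '[', which this check rejects."""
    return len(salt) >= 2 and all(c in SALT_ALPHABET for c in salt)


def random_salt(length=2):
    """Draw each salt character from the full alphabet with a CSPRNG (not rand())."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(password, salt, iterations=100_000):
    """Salted hash of the password (assumption: PBKDF2-HMAC-SHA256 in place of crypt(3)).
    The salt is stored in front of the digest, as crypt() does, because the
    verifier has to recover it; the salt is not a secret, the password is."""
    if not is_valid_salt(salt):
        raise ValueError("salt contains characters outside the crypt alphabet")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{salt}${iterations}${dk.hex()}"


def verify_password(stored, candidate):
    """Re-derive with the salt taken from the stored value and compare in constant time."""
    salt, iterations, _digest = stored.split("$")
    recomputed = hash_password(candidate, salt, int(iterations))
    return hmac.compare_digest(recomputed, stored)


def password_derived_salt(password):
    """The post's second scheme: the first two characters of the password act as
    the salt (crypt($p, $p)), so they can be stripped from what is stored."""
    return password[:2]


def demo():
    """Constructed sample: two users who happened to choose the same password."""
    shared = "hunter2"  # constructed sample password
    salt_a, salt_b = random_salt(), random_salt()
    result = {
        "salt_a": salt_a,
        "salt_b": salt_b,
        # per-user random salts: identical passwords give different stored values
        "hash_a": hash_password(shared, salt_a),
        "hash_b": hash_password(shared, salt_b),
        # password-derived salt: identical passwords give identical stored values
        "derived_a": hash_password(shared, password_derived_salt(shared)),
        "derived_b": hash_password(shared, password_derived_salt(shared)),
    }
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that hash_password raises for a salt outside the alphabet, so with the password-derived scheme a password beginning with a space or punctuation fails outright; that is a deliberate choice here so the problem surfaces at hashing time rather than as an ambiguous stored value.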