The output above is from a slackware system. It recognized "$1$bar$" as an MD5 salt, and kept the entire string in its output. However, it interpreted "$2x$bar$" as an old-style DES salt, and only kept the first two characters. If your system accepts both MD5 and DES crypted passwords (like mine), you want to make sure you're using MD5 -- John cracks DES 30 times faster than MD5 on my machine.> perl -e 'print crypt("foo",q[$1$bar$]), "\n"' $1$bar$gJTJurciWk9pIaPpodyiw. > perl -e 'print crypt("foo",q[$2x$bar$]), "\n"' $2zJyhpjk3l9E
Here's a trick I've seen for generating salts. What do you think?
This way, you don't need to include the details about crypt's output character set in your code. Why rand().rand()? Some rand implementations have a 32-bit internal state but only output 16 bits of randomness per call. (Notably, Solaris libc and whatever ActiveState for Win32 is built against both do this.)$des_salt = substr(crypt(rand(), "aa"), -3, 2); $md5_salt = '$1$' . substr(crypt(rand().rand(), '$1$aaaaaaaa$'), -9, 8 +) . '$';
Update: Tweak, tweak. Turns out the last byte of the crypted pass doesn't hold a full 6 bits of information, so avoid it. This doesn't make much difference with MD5 (since rand is never going to give you 48 bits of real information anyway), but it's a big hit against a DES-based salt.
In reply to Re: Re: Adduser & Crypt
by no_slogan
in thread Adduser & Crypt
by jimbobn
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |