Re^2: username/password validation

From what you've told me, I can speculate that your password is 8 characters in length or longer. Crypt will only really take the first 8 characters and encrypt those; any extra characters are essentially lost in the transformation from plaintext to crypt()ed.

12345     =>  123456       |  not equivalent
1234567   =>  12345678     |  not equivalent
12345678  =>  12345678901  |  equivalent


# the actual perl function
crypt($plaintext, $salt);

# is more or less equivalent to this
crypt( substr($plaintext, 0, 8), substr($salt, 0, 2) );
[download]

Comment on Re^2: username/password validation Download Code

Replies are listed 'Best First'.
Re^3: username/password validation by superfrink (Curate) on Dec 20, 2004 at 07:02 UTC
Just to elaborate a bit. Unix has used DES for the crypt() function since at least the 1980s sometime. The DES crypt only depends on the first 8 characters. More recent systems use a MD5 hash for passwords. MD5 as an algorithm will allow arbitrary length passwords. That doesn't mean login code (in say a SSH program) won't have a limit (like 128 or 256 characters). If you move your site to use a database later you should know that the MySQL PASSWORD() function is sometimes used by website's for keeping site member's passwords hidden. When site's used this function for storing passwords the logins broke during the 4.0 to 4.1 upgrade. MySQL AB has documented that the PASSWORD function may change so you should use MD5() or SHA1() for your member login passwords. Use the Digest modules to get access to MD5 and SHA-1 in Perl. Using them is as easy as: `use Digest::MD5 qw(md5_hex); $hashed = md5_hex($passwd);` [download] Then store the username and $hashed wherever you like. Also there has been some talk lately of probablistic attacks on MD5 password hashes which means given a MD5 hash it is not incredibly hard to find a password which will hash to the given hash. You may want to consider using SHA-1 instead. See http://passcracking.com/ and http://en.wikipedia.org/wiki/MD5#Security for more info.	[reply] [d/l]
Re^4: username/password validation by titanic_fanataic (Acolyte) on Dec 21, 2004 at 11:45 UTC
Me again... I just realized that I didn't put in the "use" feature for the module. I added it and it works great... Thanks so much, Titanic_Fanataic	[reply]