Re: crypt help

The Crypt docco says:

Traditionally the result is a string of 13 bytes: two first bytes of the salt, followed by 11 bytes from the set ./0-9A-Za-z, and only the first eight bytes of the encrypted string mattered, but alternative hashing schemes (like MD5), higher level security schemes (like C2), and implementations on non-UNIX platforms may produce different strings.

So I would expect test1234 to crypt to the same as test12345 but not test123. Here is some test code showing just that behaviour:

nph>perl -ne'BEGIN{print "Pass: "}; $S="ab"; print crypt($_, $S), "\nP
+ass: "'
Pass: test
abpNYMT5RGuX6
Pass: test1
abW8wbI6pkG9g
Pass: test12
abP627jOqenSg
Pass: test123
abpwNzBDeyy9Y
Pass: test1234
abP/cckPJaUqA
Pass: test12345
abP/cckPJaUqA
Pass: test123456
abP/cckPJaUqA
Pass:
[download]

I used a constant salt just to keep things simple. Are you using Unicode so that 8 bytes is less characters ? I see enyas (sp?) in your code like the one here print $fh "$userñ$pass";

Cheers,
R.

Pereant, qui ante nos nostra dixerunt!

Comment on Re: crypt help Select or Download Code

Replies are listed 'Best First'.
Re^2: crypt help by dave_pl (Sexton) on Apr 05, 2005 at 08:51 UTC
Random_Walk Thanks for the quick reply! i see what you mean with only the first byte matters! that explains a lot! who is enyas? thanks for the asnwer, is there a way that you know of that you can have more than 8 bits? Zaxo, Yes sorry about the way i wrote the syntax i quickly typed it up since the code i am using is in cgi and is really a mess... Thank You	[reply]
Re^3: crypt help by Random_Walk (Prior) on Apr 05, 2005 at 09:15 UTC
Thats 8 bytes not bits ! If you want to use more than the first 8 bytes you will have to use another one way hash or cludge a crypto sub that splits your password into 8 byte chunks and crypts each seperately (Bad Idea). Perhaps MD5 hash would be nice, remember to add some salt to make dictionary attacks more expensive and if you store an MD5 you will have to store the salt as well (MD5 does not put it at the fromt like crypt does). Suppose you could use the MD5 of the user name as a salt, concatenate it with the password then store the MD5 of the result. Here is your code fixed up a bit and altered to use md5 digest with MD5 of user name used as salt. #!/usr/bin/perl use strict; use warnings; use Digest::MD5 ('md5_base64'); sub my_crypt { my ($pass, $user)=@_; my $salt = md5_base64($user); return md5_base64($salt.$pass); } print "user> "; chomp (my $user = <STDIN>); print "pass> "; chomp (my $pass = <STDIN>); my @salt = ('a'..'z', 'A'..'Z'); my $passc = my_crypt($pass, $user); open my $fh, '>>pass.pwd' or die $!; print $fh "$user\t$passc\n"; close($fh); # then i read it and check it like this: print "user> "; chomp ($user = <STDIN>); print "pass> "; chomp ($pass = <STDIN>); open $fh, '<pass.pwd' or die $!; my $matched; while(<$fh>){ next unless /^$user/; ($user, $passc) = split /\s+/, $_; if (my_crypt($pass, $user) eq $passc){ print "Matched\n"; $matched++; last; } } print "No Match\n" unless $matched; __END__ >./passtest user> random pass> test12345678 user> random pass> test12345678 Matched >rm pass.pwd >./passtest user> random pass> test12345678 user> random pass> test1234567 No Match >cat pass.pwd random 6EtC2Kp14XloIR7y4KdOQw [download] WARNING Crypto is famous for subtle bugs. I give no promise that this algorithm is in any way secure but having said that I can see no obvious problems with it. Cheers, R. Pereant, qui ante nos nostra dixerunt!	[reply] [d/l]
Re^4: crypt help by dave_pl (Sexton) on Apr 05, 2005 at 10:06 UTC
Random Walk Thank you for the help i will try the MD5 way you showd me my apologies for the 8bits and not 8bytes! THANKS AGAIN FOR THE WISDOM!!!!	[reply]
Re^4: crypt help by dave_pl (Sexton) on Apr 05, 2005 at 11:04 UTC
Random_Walk Thank you for the help and showing the examples so clearly since i am still learning:) Sorry about the 8bit which should have been 8bytes! THANKS AGAIN FOR THE WISDOM!	[reply]

WARNING