The crypt() family of functions suffers from a poor name selection. They actually hash the original password and produce a result that is unique for a given password but that, if something similar to an inverse could exist, would return either a very large or an infinite set of potential passwords. These functions fall within what is called a cryptographically-strong hash (or digest)

Neither the DES-based crypt() nor the MD5-based crypt() use a straight application of the respective digest algorythm. Rather, they involve complex transforms that deliberatelly "lose bits" from the supplied plaintext (ie, the password). This adds additional roadblocks to recovering the original password.

The relative superiority of the MD5-based crypt(), stems from the fact that the MD5-based transformation can be applied to passwords of any length. The two common "flavors" of the DES-based crypt() I'm aware of, have limits in the length of the password.

While it is true that certain "vulnerabilities" have been shown into the MD5 algorythm, it is still far away from being cracked. Note that DES has been considered obsolete since long, yet the passwords protected by DES-based crypt() still need to be cracked using brute force. I would expect the same from the MD5-based one.

Here is where using a salt string works best, as this forces the eventual attacker to scan a much larger key space. The salt, tipically a set of random bytes concatenated to the original password and stored in-the-clear along with the hashed password, increase significantly the key space. Thanks to it, the attacker cannot count on building a large set of hashes whose passwords are known; He would have to calculate all of them just for you.

The MD5-based crypt() allows salts of any length.

Hope this helps.

In reply to Re: Re: MD5 password encryption on a no frills script by fokat
in thread MD5 password encryption on a no frills script by Coplan

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.