Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Re: Adduser & Crypt

by twerq (Deacon)
on Aug 13, 2002 at 13:00 UTC ( [id://189770]=note: print w/replies, xml ) Need Help??


in reply to Adduser & Crypt

You need to check up on the crypt function.. . .but basically:
# generate a random salt my $salt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]; # combine salt with plaintext password my $encrypted_pass = crypt($plaintext_pass, $salt);


--twerq

Replies are listed 'Best First'.
Re: Re: Adduser & Crypt
by no_slogan (Deacon) on Aug 13, 2002 at 16:28 UTC
    It's worth pointing out that your code assumes the old DES-based crypt algorithm, which is highly crackable with modern hardware. A lot of systems are switching to MD5 crypt (which uses special salts that start with "$1$") or eksblowfish ("$2x$"). You might experiment with your particular crypt function and see if it accepts salts of this form.
    > perl -e 'print crypt("foo",q[$1$bar$]), "\n"' $1$bar$gJTJurciWk9pIaPpodyiw. > perl -e 'print crypt("foo",q[$2x$bar$]), "\n"' $2zJyhpjk3l9E
    The output above is from a slackware system. It recognized "$1$bar$" as an MD5 salt, and kept the entire string in its output. However, it interpreted "$2x$bar$" as an old-style DES salt, and only kept the first two characters. If your system accepts both MD5 and DES crypted passwords (like mine), you want to make sure you're using MD5 -- John cracks DES 30 times faster than MD5 on my machine.

    Here's a trick I've seen for generating salts. What do you think?

    $des_salt = substr(crypt(rand(), "aa"), -3, 2); $md5_salt = '$1$' . substr(crypt(rand().rand(), '$1$aaaaaaaa$'), -9, 8 +) . '$';
    This way, you don't need to include the details about crypt's output character set in your code. Why rand().rand()? Some rand implementations have a 32-bit internal state but only output 16 bits of randomness per call. (Notably, Solaris libc and whatever ActiveState for Win32 is built against both do this.)

    Update: Tweak, tweak. Turns out the last byte of the crypted pass doesn't hold a full 6 bits of information, so avoid it. This doesn't make much difference with MD5 (since rand is never going to give you 48 bits of real information anyway), but it's a big hit against a DES-based salt.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://189770]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others scrutinizing the Monastery: (4)
As of 2024-06-14 23:26 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?
    erzuuli‥ 🛈The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.