
Please help

Please help
How does the crypt function work EXACTLY - I'm trying to create a script and want to know about it. Any info is appreciated.
Re: Please help In reply to
From perldoc -f crypt we get:
Code:
crypt PLAINTEXT,SALT
Encrypts a string exactly like the crypt(3) function in
the C library (assuming that you actually have a version
there that has not been extirpated as a potential
munition). This can prove useful for checking the
password file for lousy passwords, amongst other things.
Only the guys wearing white hats should do this.

Note that `crypt()' is intended to be a one-way
function, much like breaking eggs to make an omelette.
There is no (known) corresponding decrypt function. As a
result, this function isn't all that useful for
cryptography. (For that, see your nearby CPAN mirror.)

When verifying an existing encrypted string you should
use the encrypted text as the salt (like `crypt($plain,
$crypted) eq $crypted'). This allows your code to work
with the standard `crypt()' and with more exotic
implementations. When choosing a new salt create a
random two character string whose characters come from
the set `[/0-9A-Za-z]' (like `join '', ('.', '/', 0..9,
'A'..'Z', 'a'..'z')[rand 64, rand 64]').

Here's an example that makes sure that whoever runs this
program knows their own password:

    $pwd = (getpwuid($<))[1];

    system "stty -echo";
    print "Password: ";
    chomp($word = <STDIN>);
    print "\n";
    system "stty echo";

    if (crypt($word, $pwd) ne $pwd) {
        die "Sorry...\n";
    } else {
        print "ok\n";
    }

Of course, typing in your own password to whoever asks
you for it is unwise.

Cheers,

Alex
Re: Please help In reply to
Ok, I crypted a password - now it reads aay1vbtS6GWDc

- how would I uncrypt this and what would it read when you uncrypt it?
Re: Please help In reply to
Did you fully read Alex's blurb? To quote:

"There is no (known) corresponding decrypt function."

So in other words, there is no way to return the original password from the encrypted password. Good thing too!

Dan

Re: Please help In reply to
What's the point in crypting it then?

Re: Please help In reply to
Keep reading the blurb.. =) To check the password, you take the guess, crypt it, and see if it matches the encrypted value. If it does, then the passwords match!

Cheers,

Alex
Re: Please help In reply to
The point in encrypting passwords is for 'security' reasons. For example, if you use password (such as .htaccess) authentication and a hacker discovers your .htpasswd file (or other password file), since the passwords are encrypted, the hacker cannot use them.

As far as authentication I have no idea of the authentication algorithm. But basically, I imagine the server encrypts the password the user submits and then compares that with the logged encrypted password using some algorithm.

Dan
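
The check described in the replies above (crypt the guess with the stored value as the salt, then compare), as an added Perl example that is not part of the original thread. It also shows a practical limit of traditional crypt(): only the first eight characters of the password are used. Assumptions: the platform's crypt(3) still supports two-character DES salts, and the helper names hash_password and check_password and the sample passwords are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 64-character salt alphabet, as in the join(...) expression quoted from perldoc.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Hash a new password with a fresh random two-character salt (hypothetical helper).
sub hash_password {
    my ($plain) = @_;
    my $salt = join '', map { $SALT_CHARS[rand @SALT_CHARS] } 1 .. 2;
    my $hash = crypt($plain, $salt);
    # Assumption: traditional DES crypt is available and returns 13 characters.
    die "crypt() has no two-character-salt support here\n"
        unless defined $hash && length($hash) == 13;
    return $hash;
}

# Verify a guess by re-hashing it with the stored hash as the salt (hypothetical helper).
sub check_password {
    my ($guess, $stored) = @_;
    my $candidate = crypt($guess, $stored);
    return (defined $candidate && $candidate eq $stored) ? 1 : 0;
}

# Constructed sample passwords, not taken from the thread.
my $stored = hash_password('omelette-2024');
my $again  = hash_password('omelette-2024');

printf "stored hash : %s (salt is the first two characters: %s)\n",
    $stored, substr($stored, 0, 2);
printf "second hash : %s (same password, freshly drawn salt)\n", $again;

printf "right guess : %s\n", check_password('omelette-2024', $stored) ? 'match' : 'no match';
printf "wrong guess : %s\n", check_password('scrambled',     $stored) ? 'match' : 'no match';

# Traditional DES crypt reads only the first 8 characters of the password,
# so a guess that differs after character 8 is still accepted.
printf "same first 8: %s\n", check_password('omelette-1999', $stored) ? 'match' : 'no match';
```

The stored value carries its own salt, which is why passing the whole stored string as the second argument works, and why nothing in the script ever needs to reverse the hash.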