more secure crypt() function

Marco Herrn

I want to use a crypt function to store crypted passwords. These will be
used to verify mail-user access. Now the crypt() function from the
module crypt is only significant for the first 8 characters. But I need
more significant characters.
I found the md5 and sha modules. But they work different from the crypt
module. But it doesn't seem to be compatible. I need the way crypt works
with a salt to verify the password.

So my real question is: What function can be used instead of crypt() to
generate secure crypted passwords that are compatible to the way
crypt() works?

I hope my intention is clear....

Marco

--
Marco Herrn he***@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

Jul 18 '05 #1

Subscribe Reply

5451

Paul Rubin

Marco Herrn <he***@gmx.ne t> writes:

I found the md5 and sha modules. But they work different from the crypt
module. But it doesn't seem to be compatible. I need the way crypt works
with a salt to verify the password.

So my real question is: What function can be used instead of crypt() to
generate secure crypted passwords that are compatible to the way
crypt() works?

I hope my intention is clear....

No your question isn't clear. If you want your hash function to be
compatible with crypt, you have to use crypt, there's no getting
around it.

If you just mean you want to use salted passwords the way unix
password files do, use can use md5 or sha. Just do something like:

def md5x(str) md5.new(str).he xdigest()[:16]

def hash(password):
salt = <say 4 some random characters>
return = salt + md5x(salt + password)

def verify(password , hashed):
salt, digest = hashed[:4], hashed[4:]
return digest == md5(salt + password)

Note that salting doesn't really protect you from dictionary search
any more. The right way to do password hashing these days is with the
HMAC function (see docs for the hmac module), with a secret key as
well as with a salt. But keeping the key secret creates a nontrivial
administrative problem. I can suggest some ways to deal with it if
you want, that depending on your application, may or may not be more
trouble than they're worth.

Jul 18 '05 #2

Paul Rubin

Paul Rubin <http://ph****@NOSPAM.i nvalid> writes:

def md5x(str) md5.new(str).he xdigest()[:16]
Bah.. the above should say

def md5x(str)
return md5.new(str).he xdigest()[:16]

And the following
def hash(password):
salt = <say 4 some random characters>
return = salt + md5x(salt + password)
should say:

def hash(password):
salt = <say 4 some random characters>
return salt + md5x(salt + password)

I think the last one (below) is ok, but note I haven't tested any of them.
def verify(password , hashed):
salt, digest = hashed[:4], hashed[4:]
return digest == md5(salt + password)

Jul 18 '05 #3

Marco Herrn

On 2003-10-04, Paul Rubin <> wrote:

I hope my intention is clear....
No your question isn't clear.

I was afraid this would be the case.
If you just mean you want to use salted passwords the way unix
password files do, use can use md5 or sha.

Yes, that was what I wanted.
But it seems that was searching in the wrong direction. What I need the
function for is only the hashing, not the verification against the hash.
Because of that I wanted to be sure that the hashes could be verified
with the same function (that means I wouldn't have to reconfigure exim).
But I was wrong. I can tell exim to use md5() instead of crypt(). So
they are not what I called 'compatible'.
Thanks for your help.
--
Marco Herrn he***@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

Jul 18 '05 #4

Similar topics

2699

crypt length

by: Paul Fournier | last post by:

Just wondering, does anyone know if the crypt() function in PHP will always return a 34 character string if not salted? I want to encrypt my user's passwords into a database and I want to make sure I give the right length. I have tried some tests on both windows platform and FreeBSD and it seems to be consistent. -- ::Paul Fournier:: ::Programmer/Analyst:: ::Center for the Digital Arts::

PHP

5666

mysql password() & unix crypt password...

by: aars | last post by:

Hello all, I am creating a user administration system where system administrator can activate services for a user, like webspace, a mail account or a subdomain. I now want to create a function that creates mysql databases and grant the right privileges to a user. But the problem is that mysql wants to have the plaintext password for the user in the "grant ... identified by 'pwd'" field, or in a manual query to update the password in...

MySQL Database

3247

pear’s crypt to php

by: steve | last post by:

Hi, I have a set of passwords encrypted using perl’s crypt, from a perl forum being migrated to php. I like to bring them into php, and use them without changing them. How do I emulate perl’s crypt function. I found a pear module here: http://pear.php.net/package/Crypt_CBC/docs/0.3/Crypt/Crypt_CBC.html but it seems to only take one argument, whereas perl’s crypt should

PHP

5011

crypt equivalent for Win32 platform?

by: Kenjis Kaan | last post by:

I would like to use the crypt function in a Win32 (ie. C program using Visual C++ 6.0 compiler). I wrote a little program to see if it will link but it didn't. So I guess maybe the function isn't implement or implemented in a different naming convention. Could someone please help me or show me another method of doing encryption under Win32? TIA

C / C++

1998

how secure is Querystring authentication using uniqueidentifier

by: Nils N | last post by:

Hi all, Does anyone have a best practice for performring querystring authentication. I am now sending an email with a url to which the user clicks to confirm his or her registration. The url contains a Guid in the querystring, and this is validated agains the user's uniqueidenfier in the sql server database. How secure is the uniqueidentifer, and should I use a md5 encryption with a seed, or DES encryption instead?

ASP.NET

2669

crypt() function

by: Bilge TUTAK | last post by:

Hi All, Is there a function like crypt() of PHP. I want to verify a password using that password. It uses the password hash(from db,AD,or elsewhere) and the password user entered and returns the hash of the original password. Then you can easily compare the hashes from db and crypt() function. Thanx

Visual Basic .NET

3200

crypt with sha1?

by: amygdala | last post by:

Hi, Does anybody now of a custom crypt function that implements sha1? The thing I like about crypt is that I don't have to worry about (re)generating salt when querying the database. Or are there perhaps other functions that implements this same functionality and generates a sha1 hash? Cheers.

PHP

2072

Any way to make this code more compact, and/or be able to change at runtime?

by: Protoman | last post by:

I've written this program that simulates a 36 character, 10 rotor reciprocal rotor cipher, w/ a plugboard. Any way I can make the plugboard function more compact and/or be able to change the mapping at runtime? char Enigma::plugboard(char Char) { if(Char=='A') return '0'; else if(Char=='B')

C / C++

4093

emulate PHP "crypt" function in c#?

by: JamesB | last post by:

Not sure if this is possible, but has anyone seen (or know how to do) emulation of the PHP "crypt" function from within c#? Thanks

C# / C Sharp

8968

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...

General

8787

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...

Windows Server

9473

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

9334

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...

Online Marketing

9259

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

8208

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...

Career Advice

6750

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...

Microsoft Access / VBA

4569

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

2744

How to add payments to a PHP MySQL app.

by: muto222 | last post by:

How can i add a mobile payment intergratation into php mysql website.

PHP