
more secure crypt() function

I want to use a crypt function to store crypted passwords. These will be
used to verify mail-user access. Now the crypt() function from the
module crypt is only significant for the first 8 characters. But I need
more significant characters.
I found the md5 and sha modules. But they work differently from the crypt
module. But they don't seem to be compatible. I need the way crypt works
with a salt to verify the password.

So my real question is: What function can be used instead of crypt() to
generate secure crypted passwords that are compatible with the way
crypt() works?

I hope my intention is clear....

Marco

--
Marco Herrn he***@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

Jul 18 '05 #1


Marco Herrn <he***@gmx.net> writes:
> I found the md5 and sha modules. But they work differently from the crypt
> module. But they don't seem to be compatible. I need the way crypt works
> with a salt to verify the password.
>
> So my real question is: What function can be used instead of crypt() to
> generate secure crypted passwords that are compatible with the way
> crypt() works?
>
> I hope my intention is clear....


No your question isn't clear. If you want your hash function to be
compatible with crypt, you have to use crypt, there's no getting
around it.

If you just mean you want to use salted passwords the way unix
password files do, you can use md5 or sha. Just do something like:

def md5x(str) md5.new(str).hexdigest()[:16]

def hash(password):
    salt = <say 4 some random characters>
    return = salt + md5x(salt + password)

def verify(password, hashed):
    salt, digest = hashed[:4], hashed[4:]
    return digest == md5x(salt + password)

Note that salting doesn't really protect you from dictionary search
any more. The right way to do password hashing these days is with the
HMAC function (see docs for the hmac module), with a secret key as
well as with a salt. But keeping the key secret creates a nontrivial
administrative problem. I can suggest some ways to deal with it if
you want, that depending on your application, may or may not be more
trouble than they're worth.
Jul 18 '05 #2
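The salt-plus-digest scheme sketched above, as an added example that is not code from the thread: written for Python 3's hashlib, with a random salt, a constant-time comparison, and the keyed HMAC variant Paul mentions. The 4-character salt and 16-hex-digit MD5 truncation follow his sketch; the names, the salt alphabet and the use of SHA-256 for the HMAC are my assumptions.

```python
# Added example, not from the thread. Stored format: "<salt><hexdigest>".
# MD5 truncated to 16 hex digits mirrors the thread's sketch; it is kept for
# illustration only. A purpose-built password hash is the right choice today.
import hashlib
import hmac
import secrets
import string

SALT_LEN = 4                                           # as in the thread's sketch
SALT_CHARS = string.ascii_letters + string.digits + "./"  # crypt-style alphabet (assumed)


def md5x(data: bytes) -> str:
    """First 16 hex digits of MD5, matching the thread's md5x()."""
    return hashlib.md5(data).hexdigest()[:16]


def make_salt(n: int = SALT_LEN) -> str:
    """Random salt drawn from a CSPRNG, never from random.random()."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(n))


def hash_password(password: str, salt=None) -> str:
    """salt + md5x(salt + password); salt may be fixed for reproducible tests."""
    salt = salt if salt is not None else make_salt()
    return salt + md5x((salt + password).encode())


def verify(password: str, hashed: str) -> bool:
    """Recompute from the stored salt; compare_digest avoids timing leaks."""
    salt, digest = hashed[:SALT_LEN], hashed[SALT_LEN:]
    return hmac.compare_digest(digest, md5x((salt + password).encode()))


def hash_password_keyed(password: str, key: bytes, salt=None) -> str:
    """Keyed variant: salt + HMAC-SHA256(key, salt + password); key stays secret."""
    salt = salt if salt is not None else make_salt()
    mac = hmac.new(key, (salt + password).encode(), hashlib.sha256).hexdigest()
    return salt + mac


def verify_keyed(password: str, hashed: str, key: bytes) -> bool:
    """Verification needs both the stored salt and the secret key."""
    salt, mac = hashed[:SALT_LEN], hashed[SALT_LEN:]
    expected = hmac.new(key, (salt + password).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

Without the key an attacker who copies the password file cannot precompute or check guesses against the keyed hashes, which is the administrative trade-off Paul describes.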

Paul Rubin <http://ph****@NOSPAM.invalid> writes:
> def md5x(str) md5.new(str).hexdigest()[:16]

Bah.. the above should say

def md5x(str):
    return md5.new(str).hexdigest()[:16]

And the following
> def hash(password):
>     salt = <say 4 some random characters>
>     return = salt + md5x(salt + password)
should say:

def hash(password):
    salt = <say 4 some random characters>
    return salt + md5x(salt + password)

I think the last one (below) is ok, but note I haven't tested any of them.
> def verify(password, hashed):
>     salt, digest = hashed[:4], hashed[4:]
>     return digest == md5x(salt + password)

Jul 18 '05 #3

On 2003-10-04, Paul Rubin <> wrote:
>> I hope my intention is clear....
> No your question isn't clear.

I was afraid this would be the case.

> If you just mean you want to use salted passwords the way unix
> password files do, you can use md5 or sha.


Yes, that was what I wanted.
But it seems I was searching in the wrong direction. What I need the
function for is only the hashing, not the verification against the hash.
Because of that I wanted to be sure that the hashes could be verified
with the same function (that means I wouldn't have to reconfigure exim).
But I was wrong. I can tell exim to use md5() instead of crypt(). So
they are not what I called 'compatible'.
Thanks for your help.
--
Marco Herrn he***@gmx.net
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

Jul 18 '05 #4
