password encryption using crypt()

Post by Wong Ching Kuen Frederic » Tue, 19 Jun 2001 15:18:06

I want to store some sort of passwd in a text file using the crypt function.
However, I find out that the encrypted string is different at each time of
generation. So how could I know the password entered by the user is the same
as that in the database? Thanks in advance.

fred


password encryption using crypt()

Post by D. Stimit » Tue, 19 Jun 2001 16:18:20

> I want to store some sort of passwd in a text file using the crypt function.
> However, I find out that the encrypted string is different at each time of
> generation. So how could I know the password entered by the user is the same
> as that in the database? Thanks in advance.

> fred

The first two characters of the returned encrypted value are the salt.
If you encrypt with the same salt each time, it will work.


password encryption using crypt()

Post by David Efflan » Wed, 20 Jun 2001 09:28:17

>> I want to store some sort of passwd in a text file using the crypt function.
>> However, I find out that the encrypted string is different at each time of
>> generation. So how could I know the password entered by the user is the same
>> as that in the database? Thanks in advance.

>> fred

> The first two characters of the returned encrypted value are the salt.
> If you encrypt with the same salt each time, it will work.

But you should really use a random 2-character salt (see man crypt for chars
to use) so crypted passwords will be different.  Otherwise it would be too
easy to tell if 2 people used the same password.

To tell if a user supplied plain text password matches a crypted password,
crypt the plain text password using the crypted password as salt and see
if that equals the crypted password.  If you only use just the first 2
characters of the crypted password as salt, the test would fail if your
system uses MD5 passwords.  Using the whole crypted password as salt for
the test works for both DES and longer MD5 passwords.

--
David Efflandt  (Reply-To is valid)  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/


password encryption using crypt()

Post by D. Stimit » Wed, 20 Jun 2001 11:30:25

> >> I want to store some sort of passwd in a text file using the crypt function.
> >> However, I find out that the encrypted string is different at each time of
> >> generation. So how could I know the password entered by the user is the same
> >> as that in the database? Thanks in advance.

> >> fred

> > The first two characters of the returned encrypted value are the salt.
> > If you encrypt with the same salt each time, it will work.

> But you should really use random 2 character salt (see man crypt for chars
> to use) so crypted passwords will be different.  Otherwise it would be too
> easy to tell if 2 people used the same password.

His comparison of an already complete pass is the issue. He can't use
crypt on a plain text pass and have it compare to a stored pass unless
he uses the same salt (he was wondering why each time he re-encrypts it
comes up with something different...that is the salt causing it). Since
he is also creating the pass with crypt, MD5 won't matter.

> To tell if a user supplied plain text password matches a crypted password,
> crypt the plain text password using the crypted password as salt and see
> if that equals the crypted password.  If you only use just the first 2
> characters of the crypted password as salt, the test would fail if your
> system uses MD5 passwords.  Using the whole crypted password as salt for
> the test works for both DES and longer MD5 passwords.


password encryption using crypt()

Post by Bill Unr » Thu, 21 Jun 2001 02:42:41

> I want to store some sort of passwd in a text file using the crypt function.
> However, I find out that the encrypted string is different at each time of
> generation. So how could I know the password entered by the user is the same
> as that in the database? Thanks in advance.

The first three bytes of the output of crypt are the salt. You must pass
crypt those same three bytes back to check the password.
Note that this is the crypt(3) function, not the crypt command, which is
a very weak encryption tool.

password encryption using crypt()

Post by D. Stimit » Thu, 21 Jun 2001 09:48:45

> > I want to store some sort of passwd in a text file using the crypt function.
> > However, I find out that the encrypted string is different at each time of
> > generation. So how could I know the password entered by the user is the same
> > as that in the database? Thanks in advance.

> The first three bytes of the output of crypt are the salt. You must pass
> crypt those same three bytes back to check the password.
> Note that this is the crypt(3) function, not the crypt command, which is
> a very weak encryption tool.

Only 2 bytes for crypt. MD5 sums may confuse things.


password encryption using crypt()

Post by Villy Kru » Tue, 26 Jun 2001 17:06:33

On Tue, 19 Jun 2001 18:48:45 -0600,
>> > I want to store some sort of passwd in a text file using the crypt function.
>> > However, I find out that the encrypted string is different at each time of
>> > generation. So how could I know the password entered by the user is the same
>> > as that in the database? Thanks in advance.

>> The first three bytes of the output of crypt are the salt. You must pass
>> crypt those same three bytes back to check the password.
>> Note that this is the crypt(3) function, not the crypt command, which is
>> a very weak encryption tool.

> Only 2 bytes for crypt. MD5 sums may confuse things.

Actually: if the salt starts with the magic $1$ sequence the crypt
function will calculate an md5 crypted password using the salt that
follows the second dollar sign up to the third dollar sign.

Villy
