decrypting a crypt()-password

Post by Patrick Schoenba » Tue, 20 Jul 1999 04:00:00



Hi,

could anyone be so kind, please, and post a little example code showing
how to decrypt a password that has been crypted with crypt() before?

TIA,
Patrick

--
---------------------------------------------------------------------------

                  URL: http://www.geocities.com/Vienna/5357/

     Fingerprint: 3C FB B0 A7 E2 C2 3B 2D  68 6C 66 7E B7 D5 C2 70
---------------------------------------------------------------------------

 
 
 

decrypting a crypt()-password

Post by Marcus Sundber » Tue, 20 Jul 1999 04:00:00



> Hi,

> could anyone be so kind, please, and post a little example code showing
> how to decrypt a password that has been crypted with crypt() before?

Don't you think crypt() would be pretty damn useless for passwords
if it was possible to decrypt the string?
The only way to "decrypt" it is to encrypt all possible character
combinations and compare it with the original crypted string until
you have a match.

//Marcus        
--
-------------------------------+------------------------------------
        Marcus Sundberg        | http://www.stacken.kth.se/~mackan/
 Royal Institute of Technology |       Phone: +46 707 295404


 
 
 

decrypting a crypt()-password

Post by Patrick Schoenba » Tue, 20 Jul 1999 04:00:00


On Mon, 19 Jul 1999 15:07:56 +0200,



>> Hi,

>> could anyone be so kind, please, and post a little example code showing
>> how to decrypt a password that has been crypted with crypt() before?

>Don't you think crypt() would be pretty damn useless for passwords
>if it was possible to decrypt the string?
>The only way to "decrypt" it is to encrypt all possible character
>combinations and compare it with the original crypted string until
>you have a match.

Ok, agreed. But how can I solve the following problem: I want to write a
mail biff that can handle the IMAP protocol, and I want to store the
account data in a config file in the home directory. The password has to
be submitted in plaintext to the IMAP daemon, but I do not like storing
the password in plaintext in the config file. So, what could I do?

Best regards,
Patrick

--
---------------------------------------------------------------------------

                  URL: http://www.geocities.com/Vienna/5357/

     Fingerprint: 3C FB B0 A7 E2 C2 3B 2D  68 6C 66 7E B7 D5 C2 70
---------------------------------------------------------------------------

 
 
 

decrypting a crypt()-password

Post by Kaz Kylhe » Tue, 20 Jul 1999 04:00:00


On Mon, 19 Jul 1999 14:32:27 +0200, Patrick Schoenbach


>Hi,

>could anyone be so kind, please, and post a little example code showing
>how to decrypt a password that has been crypted with crypt() before?

This is a question for comp.unix.programmer, or maybe sci.crypt.

But I will save you the trouble.  You are working under the misconception that
crypt() is an encryption function. It is actually a hashing function based on
cryptography, rather than an encryption function. Hashing functions are
one-way; their computation can't be reversed. The security of passwords depends
on this. So what you are asking for cannot possibly be done.

If the hash could be reversed, then cracking password files would be as simple
as reversing the hashes---rather than the laborious, brute-force activity of
guessing passwords by permuting words from extensive dictionaries. System
security would then rest on the attacker's inability to gain access to the
contents of the password file, in which case you might as well keep the
passwords in plain text.

 
 
 

decrypting a crypt()-password

Post by Kaz Kylhe » Tue, 20 Jul 1999 04:00:00


On Mon, 19 Jul 1999 15:07:56 +0200, Marcus Sundberg



>> Hi,

>> could anyone be so kind, please, and post a little example code showing
>> how to decrypt a password that has been crypted with crypt() before?

>Don't you think crypt() would be pretty damn useless for passwords
>if it was possible to decrypt the string?

Obviously not too useless for, say, Microsoft to use it. :)
 
 
 

decrypting a crypt()-password

Post by Kaz Kylhe » Tue, 20 Jul 1999 04:00:00


On Mon, 19 Jul 1999 15:28:17 +0200, Patrick Schoenbach


>>Don't you think crypt() would be pretty damn useless for passwords
>>if it was possible to decrypt the string?
>>The only way to "decrypt" it is to encrypt all possible character
>>combinations and compare it with the original crypted string until
>>you have a match.

>Ok, agreed. But how can I solve the following problem: I want to write a
>mail biff that can handle the IMAP protocol, and I want to store the
>account data in a config file in the home directory. The password has to
>be submitted in plaintext to the IMAP daemon, but I do not like storing
>the password in plaintext in the config file. So, what could I do?

You are screwed, because the poor security of IMAP is a weak link in
the security. You say you don't like storing a plaintext password in
the file, but what about the fact that it is transmitted to IMAP
in plain text? A password is more likely to be stolen from the network
wire than from a protected file.

About all you can do is store the password in a file that is owned by the user
who is running the biff-like program, and is properly secured.

This is what fetchmail does. Passwords to POP or IMAP accounts
are stored in plaintext in a file called .fetchmailrc in the user's
home directory. This file is given 0600 permissions.

Speaking of which, are you sure you couldn't use fetchmail for what you are
trying to do and save yourself the hassle of reinventing the wheel? fetchmail
can poll remote mail accounts, and bring the mail down to the local account.
The ordinary mail notification mechanisms can then kick in.

Another thing you can do is ask for the password when your biff-like program is
run, and then retain it in memory. The user would have to do this each time he
or she wants to run the program, but at least the password wouldn't be in a
file. Fetchmail can do this too; you aren't required to store passwords in the
.fetchmailrc.
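
The file protection described in the post above (a password file owned by the user, with 0600 permissions), as an added example that is not part of the original thread and not fetchmail's code. The function names, the file name and the password are hypothetical; the reader refuses any file that is not a regular file owned by the caller or that has group/other permission bits set.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create or overwrite the file so that only its owner can read or write it. */
int write_secret(const char *path, const char *secret)
{
    size_t len = strlen(secret);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* open() ignores the mode when the file already exists, so force 0600. */
    if (fchmod(fd, 0600) != 0 || write(fd, secret, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Copy the first line into buf only if the file is a regular file owned by the
 * caller with no group/other bits. Returns 0 on success, -1 otherwise. */
int read_secret(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t n = -1;
    int fd = buflen ? open(path, O_RDONLY | O_NOFOLLOW) : -1;
    if (fd < 0)
        return -1;
    /* fstat() the open descriptor so the check and the read see the same file. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
        (st.st_mode & (S_IRWXG | S_IRWXO)) == 0)
        n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* drop the trailing newline */
    return 0;
}

int main(void)
{
    char pw[128];
    /* Hypothetical file name and constructed password; exit status 0 means
     * the file was written and then accepted by the permission check. */
    return write_secret("biffrc.example", "constructed-password\n") ||
           read_secret("biffrc.example", pw, sizeof pw);
}
```
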

 
 
 

decrypting a crypt()-password

Post by Frank v Waver » Tue, 20 Jul 1999 04:00:00




> On Mon, 19 Jul 1999 15:07:56 +0200,


>>> Hi,

>>> could anyone be so kind, please, and post a little example code showing
>>> how to decrypt a password that has been crypted with crypt() before?

>>Don't you think crypt() would be pretty damn useless for passwords
>>if it was possible to decrypt the string?
>>The only way to "decrypt" it is to encrypt all possible character
>>combinations and compare it with the original crypted string until
>>you have a match.

> Ok, agreed. But how can I solve the following problem: I want to write a
> mail biff that can handle the IMAP protocol, and I want to store the
> account data in a config file in the home directory. The password has to
> be submitted in plaintext to the IMAP daemon, but I do not like storing
> the password in plaintext in the config file. So, what could I do?

Store the crypt() value of the password in the config, and when someone
tries to authenticate themselves, just hash their password with crypt()
and compare the values. If they're equal, it's the correct pw.
--

                        Frank v Waveren

                        ICQ# 10074100

 
 
 

decrypting a crypt()-password

Post by Kaz Kylhe » Tue, 20 Jul 1999 04:00:00





>> Ok, agreed. But how can I solve the following problem: I want to write a
>> mail biff that can handle the IMAP protocol, and I want to store the
>> account data in a config file in the home directory. The password has to
>> be submitted in plaintext to the IMAP daemon, but I do not like storing
>> the password in plaintext in the config file. So, what could I do?

>Store the crypt() value of the password in the config, and when someone
>tries to authenticate themselves, just hash their password with crypt()
>and compare the values. If they're equal, it's the correct pw.

This is not possible because his ``biff-like'' program needs to authenticate
with an IMAP server. For this, a plaintext password is required.  So this
program needs to know the plain-text password; it can either prompt when it
needs it, or it needs to recover it from a file somewhere.
 
 
 

decrypting a crypt()-password

Post by Frank v Waver » Tue, 20 Jul 1999 04:00:00




[snip wrong solution]

Oh, I get the idea now.... Ignore my last post.
--

                        Frank v Waveren

                        ICQ# 10074100