more secure crypt() function

Discussion in 'Python' started by Marco Herrn, Oct 4, 2003.

  1. Marco Herrn

    Marco Herrn Guest

    I want to use a crypt function to store crypted passwords. These will be
    used to verify mail-user access. Now the crypt() function from the
    module crypt is only significant for the first 8 characters. But I need
    more significant characters.
    I found the md5 and sha modules. But they work differently from the crypt
    module. But it doesn't seem to be compatible. I need the way crypt works
    with a salt to verify the password.

    So my real question is: What function can be used instead of crypt() to
    generate secure crypted passwords that are compatible to the way
    crypt() works?

    I hope my intention is clear....

    Marco

    --
    Marco Herrn
    (GnuPG/PGP-signed and crypted mail preferred)
    Key ID: 0x94620736
    Marco Herrn, Oct 4, 2003
    #1

  2. Marco Herrn

    Paul Rubin Guest

    Marco Herrn <> writes:
    > I found the md5 and sha modules. But they work differently from the crypt
    > module. But it doesn't seem to be compatible. I need the way crypt works
    > with a salt to verify the password.
    >
    > So my real question is: What function can be used instead of crypt() to
    > generate secure crypted passwords that are compatible to the way
    > crypt() works?
    >
    > I hope my intention is clear....


    No, your question isn't clear. If you want your hash function to be
    compatible with crypt, you have to use crypt, there's no getting
    around it.

    If you just mean you want to use salted passwords the way unix
    password files do, you can use md5 or sha. Just do something like:

    def md5x(str) md5.new(str).hexdigest()[:16]

    def hash(password):
        salt = <say 4 some random characters>
        return = salt + md5x(salt + password)

    def verify(password, hashed):
        salt, digest = hashed[:4], hashed[4:]
        return digest == md5x(salt + password)

    Note that salting doesn't really protect you from dictionary search
    any more. The right way to do password hashing these days is with the
    HMAC function (see docs for the hmac module), with a secret key as
    well as with a salt. But keeping the key secret creates a nontrivial
    administrative problem. I can suggest some ways to deal with it if
    you want, that depending on your application, may or may not be more
    trouble than they're worth.
    Paul Rubin, Oct 4, 2003
    #2

  3. Marco Herrn

    Paul Rubin Guest

    Paul Rubin <http://> writes:
    > def md5x(str) md5.new(str).hexdigest()[:16]


    Bah.. the above should say

    def md5x(str):
        return md5.new(str).hexdigest()[:16]

    And the following

    > def hash(password):
    >     salt = <say 4 some random characters>
    >     return = salt + md5x(salt + password)


    should say:

    def hash(password):
        salt = <say 4 some random characters>
        return salt + md5x(salt + password)

    I think the last one (below) is ok, but note I haven't tested any of them.

    > def verify(password, hashed):
    >     salt, digest = hashed[:4], hashed[4:]
    >     return digest == md5x(salt + password)
    Paul Rubin, Oct 4, 2003
    #3
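
Added example, not part of the original thread and not written by either poster: a working Python 3 version of the salted hash/verify scheme from posts #2 and #3, together with the keyed HMAC variant that post #2 mentions. Assumptions: SHA-256 replaces the truncated MD5 digest, the salt is 8 hex characters rather than 4 random characters, and the names `hash_password`, `verify_password` and `digest_for` are hypothetical.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 8  # hex characters stored in front of the digest (assumption)


def digest_for(salt, password, key=None):
    """Return the hex digest stored after the salt."""
    data = (salt + password).encode("utf-8")
    if key is None:
        # Plain salted hash, as in the thread (SHA-256 instead of MD5).
        return hashlib.sha256(data).hexdigest()
    # Keyed variant: HMAC with a server-side secret key as well as the salt.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_password(password, key=None, salt=None):
    """Return salt + digest; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = secrets.token_hex(SALT_LEN // 2)
    return salt + digest_for(salt, password, key)


def verify_password(password, hashed, key=None):
    """Recompute the digest from the stored salt and compare in constant time."""
    salt, digest = hashed[:SALT_LEN], hashed[SALT_LEN:]
    expected = digest_for(salt, password, key)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key, kept outside the hash store
    plain = hash_password("correct horse")
    keyed = hash_password("correct horse", key=key)
    print(plain, verify_password("correct horse", plain))
    print(keyed, verify_password("correct horse", keyed, key=key))
    # Without the key, the keyed record cannot be checked (or guessed against).
    print(verify_password("correct horse", keyed))
```

With the keyed variant, a copy of the stored hashes alone is not enough to test password guesses; the key has to be obtained as well, which is the administrative problem post #2 refers to.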
  4. Marco Herrn

    Marco Herrn Guest

    On 2003-10-04, Paul Rubin <> wrote:
    >> I hope my intention is clear....

    >
    > No, your question isn't clear.


    I was afraid this would be the case.

    > If you just mean you want to use salted passwords the way unix
    > password files do, you can use md5 or sha.


    Yes, that was what I wanted.
    But it seems that I was searching in the wrong direction. What I need the
    function for is only the hashing, not the verification against the hash.
    Because of that I wanted to be sure that the hashes could be verified
    with the same function (that means I wouldn't have to reconfigure exim).
    But I was wrong. I can tell exim to use md5() instead of crypt(). So
    they are not what I called 'compatible'.
    Thanks for your help.


    --
    Marco Herrn
    (GnuPG/PGP-signed and crypted mail preferred)
    Key ID: 0x94620736
    Marco Herrn, Oct 4, 2003
    #4