Re: how good is 'crypt()'?
- From: tom@xxxxxxxxxxxxxx (Tom Phoenix)
- Date: Tue, 27 Feb 2007 11:48:13 -0800
On 2/27/07, tom arnall <kloro2006@xxxxxxxxx> wrote:

> how good is 'crypt()'? it seems that for small differences in the target
> string you get duplicate digests.

That's not what it's "good" at. Are you trying to use it for
checksumming or encryption, or something else it wasn't designed to
do?

> i get the following results (using
> debugger):
> DB<1> $f='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab'
> DB<2> $g='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac'
> DB<3> p crypt($f,'ab')
> abBUNZY4cR2mg
> DB<4> p crypt($g,'ab')
> abBUNZY4cR2m

Yes; those two "passwords" are effectively indistinguishable, as are
infinitely many others. Many password systems impose a limit upon the
meaningful length of passwords; the limit for crypt(2) is eight
characters, I believe.

If you wish to build a new system to do password verification, I'd
recommend building it upon a modern (i.e. strong) cryptographic hash
function, and allowing passphrases longer than eight characters.

Cheers!

--Tom Phoenix
Stonehenge Perl Training
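
The length limit and the recommendation discussed in the message above, as an added example that is not part of the original post: it probes how many leading characters crypt() actually uses with the salt 'ab', then hashes two long strings that differ only in the last character with PBKDF2-HMAC-SHA256 built from the core Digest::SHA module. PBKDF2, the salt value, the iteration count, the string lengths and the function names are assumptions chosen for this example, not the poster's stated choice.

```perl
#!/usr/bin/perl
# Added example, not from the original post. All inputs are constructed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);

# How many leading characters does crypt() really use with this salt?
# Flip one character at a time and record the last position that
# changes the output.
sub significant_length {
    my ($salt, $max) = @_;
    my $base = 'a' x $max;
    my $ref  = crypt($base, $salt);
    return undef unless defined $ref;    # scheme not supported by this libc
    my $used = 0;
    for my $i (0 .. $max - 1) {
        my $probe = $base;
        substr($probe, $i, 1) = 'b';
        $used = $i + 1 if crypt($probe, $salt) ne $ref;
    }
    return $used;
}

# PBKDF2-HMAC-SHA256, first 32-byte output block (RFC 8018),
# using only core modules.
sub pbkdf2_sha256 {
    my ($pass, $salt, $iter) = @_;
    # Digest::SHA takes the data first and the key second.
    my $u = hmac_sha256($salt . pack('N', 1), $pass);
    my $t = $u;
    for (2 .. $iter) {
        $u = hmac_sha256($u, $pass);
        $t ^= $u;                        # bytewise XOR of two byte strings
    }
    return $t;
}

my $n = significant_length('ab', 48);
print defined $n ? "crypt() with salt 'ab' uses $n leading characters\n"
                 : "traditional crypt() is not available on this system\n";

# Constructed strings shaped like the ones in the post.
my $f    = ('a' x 47) . 'b';
my $g    = ('a' x 47) . 'c';
my $salt = 'constructed-salt';           # assumption: random per user in practice
my ($hf, $hg) = map { unpack 'H*', pbkdf2_sha256($_, $salt, 10_000) } $f, $g;
print "f: $hf\ng: $hg\n";
print $hf ne $hg ? "outputs differ\n" : "outputs collide\n";
```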