a password encryption question.

[nightcats]

Hi,

I have a password encryption question that really needs help. I have
two password-related PL files.

Take an example of "test2",
One would creat an encryption that looking like this, "MMehO15WVVavQ"
(Or every password with a MMxxxxxxxx pattern

The other would be looking like this, "ae8FEYefjhNw2"
Or every password with an "aexxxxx" pattern.

The encryption script in the "MM" perl file is this:

$pass = crypt($password, "MM");

The encryption in the second perl (the 'ae' thing) is this:

$test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));

------------

My question is, how could I make them created the same version of
encryption, so that the two files can share one set of password?

Thanks a million.

 

[nightcats]

Hi,

I have a password encryption question that really needs help. I have
two password-related PL files.

Take an example of "test2",
One would creat an encryption that looking like this, "MMehO15WVVavQ"
(Or every password with a MMxxxxxxxx pattern

The other would be looking like this, "ae8FEYefjhNw2"
Or every password with an "aexxxxx" pattern.

The encryption script in the "MM" perl file is this:

$pass = crypt($password, "MM");

The encryption in the second perl (the 'ae' thing) is this:

$test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));

------------

My question is, how could I make them created the same version of
encryption, so that the two files can share one set of password?

Thanks a million.

OK, I just accidently figure it out myself. All I need to do is
change the "$pass = crypt($password, "MM"); " into "$pass =
crypt($password, "ae"); "

then two of them would be the same.

 

[J. Gleixner]

On 6 9 , 12 34 , (e-mail address removed) wrote: [...]

My question is, how could I make them created the same version of
encryption, so that the two files can share one set of password?

Thanks a million.

OK, I just accidently figure it out myself. All I need to do is
change the "$pass = crypt($password, "MM"); " into "$pass =
crypt($password, "ae"); "

then two of them would be the same.

Setting the salt for crypt is not a terribly good idea. Why do you
care if the salt is 'MM', 'ae', or 'XX'?

perldoc -f crypt

 

[Joe Smith]

One would creat an encryption that looking like this, "MMehO15WVVavQ"
(Or every password with a MMxxxxxxxx pattern

The other would be looking like this, "ae8FEYefjhNw2"
Or every password with an "aexxxxx" pattern.

Those two formats are the same.

The first two characters of the password hash (the "salt")
is supposed to be random. Do not attempt to make them all
the same; that will defeat the purpose of the salt and is
not a good idea.

If you have control over the programs that create those two
password files, you should modify them to use a proper
random salt as documented for the crypt() function.

-Joe

 

[Peter Wyzl]

Hi,

I have a password encryption question that really needs help. I have
two password-related PL files.

Take an example of "test2",
One would creat an encryption that looking like this, "MMehO15WVVavQ"
(Or every password with a MMxxxxxxxx pattern

The other would be looking like this, "ae8FEYefjhNw2"
Or every password with an "aexxxxx" pattern.

The encryption script in the "MM" perl file is this:

$pass = crypt($password, "MM");

This is using MM as the salt to crypt.

The encryption in the second perl (the 'ae' thing) is this:

$test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));

This is using the first two characters of $passwd as the salt to crypt.

Make them both do the same thing...

$pass = crypt($password, substr($passwd, 0, 2));

$test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));

Read up on the crypt function, perldoc -f crypt

The substr($passwd, 0, 2) portion is taking the first 2 character of the
variable $passwd and using that as the 'salt' to the crypt function.

So for the above to work you need to know what is in the $passwd variable in
the second script, and make sure that is available the same in the first
program.

Another way would be

$pass = crypt($password, "MM");

$test_passwd = crypt($FORM{'password'}, 'MM');

Though using the same salt for all passwords is a huge security hole.

The docs for the crypt function give some advise about selecting a good
salt.

P

 

[nightcats]

This is using MM as the salt to crypt.



This is using the first two characters of $passwd as the salt to crypt.



Make them both do the same thing...

$pass = crypt($password, substr($passwd, 0, 2));

$test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));

Read up on the crypt function, perldoc -f crypt

The substr($passwd, 0, 2) portion is taking the first 2 character of the
variable $passwd and using that as the 'salt' to the crypt function.

So for the above to work you need to know what is in the $passwd variable in
the second script, and make sure that is available the same in the first
program.

Another way would be

$pass = crypt($password, "MM");

$test_passwd = crypt($FORM{'password'}, 'MM');

Though using the same salt for all passwords is a huge security hole.

The docs for the crypt function give some advise about selecting a good
salt.

P

Thank you guys for advising.

I decide to change the Salt into random form for security sake.

I made the first script:

$pass = crypt($password, "MM");

change to this:

$pass = crypt($password, substr($password, 0, 2));

However, the first two letters of the encrypted password stays the way
they are.

like, "test1" becomes "teXXXXX", and "wxyz" becomes "wxXXXXX". Only
the letters behind the first two are crypted. Did I do anything
wrong?

Thanks.

 

[nightcats]

This is using MM as the salt to crypt.

This is using the first two characters of $passwd as the salt to crypt.

Make them both do the same thing...

$pass = crypt($password, substr($passwd, 0, 2));

$test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));

Read up on the crypt function, perldoc -f crypt

The substr($passwd, 0, 2) portion is taking the first 2 character of the
variable $passwd and using that as the 'salt' to the crypt function.

So for the above to work you need to know what is in the $passwd variable in
the second script, and make sure that is available the same in the first
program.

Another way would be

$pass = crypt($password, "MM");

$test_passwd = crypt($FORM{'password'}, 'MM');

Though using the same salt for all passwords is a huge security hole.

The docs for the crypt function give some advise about selecting a good
salt.

P

Thank you guys for advising.

I decide to change the Salt into random form for security sake.

I made the first script:

$pass = crypt($password, "MM");

change to this:

$pass = crypt($password, substr($password, 0, 2));

However, the first two letters of the encrypted password stays the way
they are.

like, "test1" becomes "teXXXXX", and "wxyz" becomes "wxXXXXX". Only
the letters behind the first two are crypted. Did I do anything
wrong?

Thanks.- -

- -

Hi, once again, I found answers for my previos question

I chang my script to:

@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

$password = "$FORM{'password'}";
$pass = crypt($password, $salt);

The ouput was a perfect result of random-crypted password. However, a
new problem was created.

My Login.cgi could not read the ramdom-cryped password.
The related script was,

@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

if (crypt($password, $salt) ne $pwordlist{$FORM{'username'}})
{
&error(not_match);
}

How could I make it successfully veryify with the crypted-password?
thanks.

 

[Scott Bryce]

How could I make it successfully veryify with the crypted-password?
thanks.

I think the best answer to your question is not to use crypt, but to use
an MD5 hash, or SHA1 hash.

Digest::MD5 is part of the standard distribution. I don't know if
Digest::SHA1 is.

 

[Peter Wyzl]

Hi, once again, I found answers for my previos question

I chang my script to:

@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

$password = "$FORM{'password'}";
$pass = crypt($password, $salt);

The ouput was a perfect result of random-crypted password. However, a
new problem was created.

My Login.cgi could not read the ramdom-cryped password.
The related script was,

@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

if (crypt($password, $salt) ne $pwordlist{$FORM{'username'}})
{
&error(not_match);
}

How could I make it successfully veryify with the crypted-password?
thanks.

The crypted 'password' written to disk written to disk is a string, the
first two characters of which is the salt, the balance of which is the
actual password.

So the process is to take the first two characters of the crypted sting from
disk, and use that as a salt to crypt the password entered by the user. You
then compare the resultant string with the entire string stord on disk. If
they match the user entered the correct password.

So from the above, I assume that $passwd contained the stored crypted
password from which we extract the first two characters being the salt.
That is what this line is doing....

$test_passwd = crypt($FORM{'password'}, substr($passwd, 0, 2));

Then if $test_passwd is the same as $passwd, we have a match.

P

 

[Joe Smith]

@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

$password = "$FORM{'password'}";
$pass = crypt($password, $salt);

The ouput was a perfect result of random-crypted password.

That is as it should be.

However, a new problem was created.

My Login.cgi could not read the ramdom-cryped password.
The related script was,

@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

No. The salt is supposed to be randomized when
the password is originally set; not when it is being compared.

if (crypt($password, $salt) ne $pwordlist{$FORM{'username'}})

$password_on_record = $pwordlist{$FORM{username}};
$salt = substr $password_on_record,0,2;
if (crypt($password,$salt) ne $password_on_record)

-Joe

 

[J. Gleixner]

$pass = crypt($password, substr($password, 0, 2));

Just wanted to point out that no one should ever use parts of
the clear text password as the salt. Why? If someone gets
the encrypted password, then they already have the first two
letters of the clear text password, making it much easier to
crack.

 

[Brad Baxter]

However, a new problem was created.
My Login.cgi could not read the ramdom-cryped password.
The related script was,
@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

No. The salt is supposed to be randomized when
the password is originally set; not when it is being compared.

if (crypt($password, $salt) ne $pwordlist{$FORM{'username'}})

$password_on_record = $pwordlist{$FORM{username}};
$salt = substr $password_on_record,0,2;
if (crypt($password,$salt) ne $password_on_record)

FWIW, you don't have to send crypt a substring; it will handle the
full string just fine.

From perldoc -f crypt:

if (crypt($word, $pwd) ne $pwd) {
die "Sorry...\n";
} else {
print "ok\n";
}

 

[Peter Wyzl]

However, a new problem was created.
My Login.cgi could not read the ramdom-cryped password.
The related script was,
@alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$salt = join ('', @alphabet[rand (64), rand (64)]);

No. The salt is supposed to be randomized when
the password is originally set; not when it is being compared.

if (crypt($password, $salt) ne $pwordlist{$FORM{'username'}})

$password_on_record = $pwordlist{$FORM{username}};
$salt = substr $password_on_record,0,2;
if (crypt($password,$salt) ne $password_on_record)

FWIW, you don't have to send crypt a substring; it will handle the
full string just fine.

Yes, but the reason to use a substring is when it is a substring being the
first two characters of the stored password, which is the salt.

Hence the difference between $password and $passwd.

P

 

[Peter Makholm]

Yes, but the reason to use a substring is when it is a substring being
the first two characters of the stored password, which is the salt.

Except that modern crypt(3) implements stronger hash functions than
DES. To use these stronger hash values you give some specific forms of
salt, usually defined by '$<hash id>$<salt>$'

If you use "$password eq crypt($given,$password)" perl does the right
thing no matter which hash function the parsword is crypt(3)'ed with.

//Peter Makholm