more secure crypt() function

 
 
Marco Herrn
10-04-2003
I want to use a crypt function to store crypted passwords. These will be
used to verify mail-user access. Now the crypt() function from the
module crypt is only significant for the first 8 characters. But I need
more significant characters.
I found the md5 and sha modules. But they work differently from the crypt
module. But it doesn't seem to be compatible. I need the way crypt works
with a salt to verify the password.

So my real question is: What function can be used instead of crypt() to
generate secure crypted passwords that are compatible with the way
crypt() works?

I hope my intention is clear....

Marco

--
Marco Herrn (E-Mail Removed)
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

 
Paul Rubin
10-04-2003
Marco Herrn <(E-Mail Removed)> writes:
> I found the md5 and sha modules. But they work differently from the crypt
> module. But it doesn't seem to be compatible. I need the way crypt works
> with a salt to verify the password.
>
> So my real question is: What function can be used instead of crypt() to
> generate secure crypted passwords that are compatible with the way
> crypt() works?
>
> I hope my intention is clear....


No, your question isn't clear. If you want your hash function to be
compatible with crypt, you have to use crypt, there's no getting
around it.

If you just mean you want to use salted passwords the way unix
password files do, you can use md5 or sha. Just do something like:

def md5x(str) md5.new(str).hexdigest()[:16]

def hash(password):
    salt = <say 4 some random characters>
    return = salt + md5x(salt + password)

def verify(password, hashed):
    salt, digest = hashed[:4], hashed[4:]
    return digest == md5x(salt + password)

Note that salting doesn't really protect you from dictionary search
any more. The right way to do password hashing these days is with the
HMAC function (see docs for the hmac module), with a secret key as
well as with a salt. But keeping the key secret creates a nontrivial
administrative problem. I can suggest some ways to deal with it if
you want, that, depending on your application, may or may not be more
trouble than they're worth.
 
Paul Rubin
10-04-2003
Paul Rubin <(E-Mail Removed)> writes:
> def md5x(str) md5.new(str).hexdigest()[:16]


Bah.. the above should say

def md5x(str):
    return md5.new(str).hexdigest()[:16]

And the following

> def hash(password):
>     salt = <say 4 some random characters>
>     return = salt + md5x(salt + password)


should say:

def hash(password):
    salt = <say 4 some random characters>
    return salt + md5x(salt + password)

I think the last one (below) is ok, but note I haven't tested any of them.

> def verify(password, hashed):
>     salt, digest = hashed[:4], hashed[4:]
>     return digest == md5x(salt + password)
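
A runnable Python 3 version of the salted hash and the keyed HMAC variant discussed in the two posts above, as an added example that is not part of the original thread. It uses hashlib in place of the old md5 module; the names hash_password, hmac_hash and hmac_verify, the SHA-256 choice for the HMAC, and the demo key are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 4  # the thread's "say 4 random characters"


def md5x(data):
    """First 16 hex digits of MD5, as in the thread's md5x()."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()[:16]


def hash_password(password, salt=None):
    """Thread layout: 4-character salt followed by md5x(salt + password)."""
    if salt is None:
        salt = secrets.token_hex(SALT_LEN // 2)  # 4 random hex characters
    return salt + md5x(salt + password)


def verify(password, hashed):
    salt, digest = hashed[:SALT_LEN], hashed[SALT_LEN:]
    # compare_digest does not stop at the first differing character
    return hmac.compare_digest(digest, md5x(salt + password))


def hmac_hash(password, key, salt=None):
    """Keyed variant from the post: HMAC over salt + password with a secret key."""
    if salt is None:
        salt = secrets.token_hex(SALT_LEN // 2)
    mac = hmac.new(key, (salt + password).encode("utf-8"), hashlib.sha256)
    return salt + mac.hexdigest()


def hmac_verify(password, hashed, key):
    salt = hashed[:SALT_LEN]
    return hmac.compare_digest(hashed, hmac_hash(password, key, salt))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key is kept out of the password file
    stored = hash_password("correct horse battery")
    keyed = hmac_hash("correct horse battery", key)
    print(stored, verify("correct horse battery", stored), verify("wrong", stored))
    print(keyed, hmac_verify("correct horse battery", keyed, key),
          hmac_verify("correct horse battery", keyed, b"other-key"))
```

Unlike the 8-character limit described in the first post, every character of the password feeds the digest here, and the keyed form only verifies when the same secret key is supplied.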

 
Marco Herrn
10-04-2003
On 2003-10-04, Paul Rubin <> wrote:
>> I hope my intention is clear....

>
> No, your question isn't clear.


I was afraid this would be the case.

> If you just mean you want to use salted passwords the way unix
> password files do, you can use md5 or sha.


Yes, that was what I wanted.
But it seems that I was searching in the wrong direction. What I need the
function for is only the hashing, not the verification against the hash.
Because of that I wanted to be sure that the hashes could be verified
with the same function (that means I wouldn't have to reconfigure exim).
But I was wrong. I can tell exim to use md5() instead of crypt(). So
they are not what I called 'compatible'.
Thanks for your help.


--
Marco Herrn (E-Mail Removed)
(GnuPG/PGP-signed and crypted mail preferred)
Key ID: 0x94620736

 