2

Only the first 8 characters are encrypted when the Perl crypt function is used. Is there a way to get it to use more characters?

As an example:

```perl
$crypted_password = crypt ("PassWord", "SALT");
```

and

```perl
$crypted_password = crypt ("PassWord123", "SALT");
```

returns exactly the same result. $crypted_password has exactly the same value.

Would love to use crypt because it is a quick and easy solution to some non-reversible encryption, but this limit does not make it useful for anything serious.

gpwr
  • 3
    The standard DES `crypt(3)` function on Unix systems (that Perl's `crypt` is a wrapper for) only looks at the first 8 bytes, yes. (Plus the salt is only two characters.) If you want better security, you have to use something else. – Shawn Apr 19 '19 at 08:02
  • To give more sources to the comment from Shawn: From `perldoc -f crypt`: *"Creates a digest string exactly like the crypt(3) function in the C library... "*. `man 3 crypt`: *"...By taking the lowest 7 bits of each __of the first eight characters__ of the key..."*. Thus like he said: if you need something more secure don't use `crypt`. – Steffen Ullrich Apr 19 '19 at 08:14
  • 1
    The pessimist in me would say, rather do not include 'crypt' in the modern Perl distributions because people will read the manual entry for 'crypt' and skip the parts about how secure it is. A car that comes out of the factory with only one brake pad will probably be a very bad idea. Humans love making mistakes and are notorious for skipping bits or 'missing' important sections of documents that they should have read... My 2 cents. – gpwr Apr 19 '19 at 08:25

1 Answer

1

To quote from the documentation:

> Traditionally the result is a string of 13 bytes: two first bytes of the salt, followed by 11 bytes from the set `[./0-9A-Za-z]`, and only the first eight bytes of PLAINTEXT mattered. But alternative hashing schemes (like MD5), higher level security schemes (like C2), and implementations on non-Unix platforms may produce different strings.

So the exact return value of crypt is system dependent, but it often uses an algorithm that only looks at the first 8 bytes of the password. These two things combined make it a poor choice for portable password encryption. If you're using a system with a stronger encryption routine and don't try to check those passwords on incompatible systems, you're fine. But it sounds like you're using an OS with the old crappy DES routine.

So a better option is to use a module off of CPAN that does the encryption in a predictable, more secure way.

Some searching gives a few promising looking options (that I haven't used and can't recommend one over another; I just looked for promising keywords on metacpan):

Shawn
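A probe for the system dependence the answer describes, as an added example that is not part of the original answer: it checks whether the local `crypt(3)` ignores bytes past the eighth for a traditional two-character salt and for a `$6$` (SHA-512 crypt) setting. The `$6$` setting is an assumption about the platform (glibc and libxcrypt understand it; other C libraries may not), and the salts and passwords are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inputs: two passwords that share their first 8 bytes.
my @pair = ('PassWord', 'PassWord123');

# Returns 1 if crypt() with this setting ignores bytes past the eighth,
# 0 if the whole password matters, undef if the setting is rejected.
sub truncates {
    my ($setting) = @_;
    my ($h1, $h2) = map { crypt($_, $setting) } @pair;
    for my $h ($h1, $h2) {
        # Rejected settings come back as undef, or as a short failure
        # token starting with '*' on libxcrypt-based systems.
        return if !defined $h || $h =~ /^\*/;
    }
    return $h1 eq $h2 ? 1 : 0;
}

# Standard crypt() check: the stored hash doubles as the setting string.
sub verify {
    my ($candidate, $stored) = @_;
    my $h = crypt($candidate, $stored);
    return defined $h && $h !~ /^\*/ && $h eq $stored;
}

my %settings = (
    'traditional DES (2-char salt)' => 'SA',                   # constructed salt
    'SHA-512 crypt ($6$ prefix)'    => '$6$ConstructedSalt$',  # constructed salt
);

# A platform that does not know '$6$' may treat it as a DES salt, in which
# case the probe reports truncation for that row as well.
for my $name (sort keys %settings) {
    my $t = truncates($settings{$name});
    printf "%-32s %s\n", $name,
        !defined $t ? 'not supported by this crypt(3)'
      : $t          ? 'TRUNCATES at 8 bytes'
      :               'uses the whole password';
}

# Practical consequence of truncation: a longer password is accepted
# against a hash of its first 8 bytes.
my $stored = crypt('PassWord', 'SA');
printf "DES hash of 'PassWord' accepts 'PassWord123': %s\n",
    (defined $stored && verify('PassWord123', $stored)) ? 'yes' : 'no';
```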