PerlMonks
The "salt" is there to "spice up" the encrypted password, under DES effectively making it 4096 times more difficult to store all possible encrypted versions of a password. Up until recently, this made it impractical to store a decent dictionary encoded 4096 times over, requiring at least an 8GB drive. Now, though, with 160GB drives on the market, you can see how trivial it is to crack passwords.
The "salt" is also important to validate passwords. Without knowledge of the salt, you would have to crack it and this would slow down password validation in a huge way. Now, to check that your guess is correct, you just do: Since the crypt function only uses the "salt" part of the second parameter, ignoring the rest, and since your guess encrypted with the same "salt" should be the same as the real encrypted version, your guess will only be correct if it encrypts the same. Something I would like to point out is that the DES encryption used by default is very, very flimsy. You should use RSA instead, and this is, to the best of my knowledge, very well supported, though I'm sure someone else can provide specifics on a platform by platform basis. RSA uses a much more robust method of encryption, and the salt is much larger. I haven't heard of an RSA password cracking program that works as well as the old DES cracking ones which are now frighteningly efficient. Here's a comparison: Generating eight letters of salt instead of two is really simple. As long as they are formatted correctly, and you don't accidentally interpolate the $'s, that is. In reply to Re: What's the idea of different salts in crypt()?
by tadman
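The salt-and-check flow described in the post, written out as an added example (not tadman's code): a random salt is generated from the crypt(3) salt alphabet, the stored string embeds that salt, and verification re-runs crypt() with the stored string as the salt argument. The `$1$...$` eight-character form is an assumption about what the platform's libc crypt() accepts; the two-character DES case works everywhere.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters allowed in a crypt(3) salt.
my @SALT_CHARS = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');

# Build a random salt of $len characters (2 for traditional DES; longer
# salts go inside a "$id$salt$" prefix, if the libc supports that scheme).
sub random_salt {
    my ($len) = @_;
    return join '', map { $SALT_CHARS[rand @SALT_CHARS] } 1 .. $len;
}

# Hash a new password. The salt is embedded in the result, so only the
# result needs to be stored.
sub hash_password {
    my ($plain, $salt) = @_;
    return crypt($plain, $salt);
}

# Check a guess: crypt() reads the salt from the stored string and
# ignores the rest, so re-hashing the guess with the stored value
# reproduces the stored string only if the guess is right.
sub check_password {
    my ($guess, $stored) = @_;
    my $again = crypt($guess, $stored);
    return 0 unless defined $again && length($again) == length($stored);
    # Compare every byte instead of stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($again, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Traditional two-character DES salt.
my $stored = hash_password('s3cret', random_salt(2));
print "stored:  $stored\n";
print "correct: ", (check_password('s3cret', $stored) ? 'yes' : 'no'), "\n";
print "wrong:   ", (check_password('guess1', $stored) ? 'yes' : 'no'), "\n";

# Eight-character salt; single quotes keep the $'s from being interpolated.
# Assumption: the libc accepts the "$1$salt$" form (MD5-based crypt).
my $long_salt = '$1$' . random_salt(8) . '$';
my $stored2   = hash_password('s3cret', $long_salt);
print "stored2: $stored2\n";
print "correct: ", (check_password('s3cret', $stored2) ? 'yes' : 'no'), "\n";
```

On a libc that only implements DES crypt, the `$1$` string is simply treated as a two-character salt, so the second stored value will be a 13-character DES hash rather than a longer one.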