8.9. Performing Password-Based Authentication with crypt( )
Problem
You need to use the standard Unix crypt( ) function for password-based authentication.
Solution
The standard Unix crypt( ) function typically uses a weak one-way algorithm to perform its encryption, which is usually also slow and insecure. You should, therefore, use crypt( ) only for compatibility reasons.

If compatibility requires it, encrypt a password by choosing a random salt and calling crypt( ) with the plaintext password and the chosen salt. To verify a password encrypted with crypt( ), encrypt the plaintext password using the already encrypted password as the salt, then compare the result with the already encrypted password. If they match, the password is correct.
Discussion
Tip
What we are doing here isn’t really encrypting a password. Actually, we are creating a password validator. We use the term encryption because it is in common use and is a more concise way to explain the process.
The crypt( ) function is normally found in use only on older Unix systems that still exclusively use the /etc/passwd file for storing user information. Modern Unix systems typically use stronger algorithms and alternate storage methods for user information, such as the Lightweight Directory Access Protocol (LDAP), Kerberos (see Recipe 8.13), NIS, or some other type of directory service.

The traditional implementation of crypt( ) uses DES (see Recipe 5.2 for a discussion of ...