8.9. Performing Password-Based Authentication with crypt( )
You need to use the standard Unix crypt() function for password-based authentication.

The standard Unix crypt() function uses a weak one-way algorithm: the traditional implementation is built on DES, uses only the first eight characters of the password, and mixes in just a 12-bit (two-character) salt, so modern hardware can brute-force it quickly. You should, therefore, use crypt() only for compatibility reasons, for example when you must read or write an existing /etc/passwd-style password file.

If you do need crypt() for compatibility, proceed as follows. To "encrypt" a password, choose a random salt and call crypt() with the plaintext password and the chosen salt; store the string it returns. To verify a password against a stored crypt() value, call crypt() with the plaintext password and the already encrypted password as the salt, then compare the result with the stored value. If they match, the password is correct. Passing the stored value as the salt works because crypt() reads only the salt prefix it needs from that string, and it is also the only way to recover the salt that was originally chosen. Compare the two strings with a constant-time comparison rather than strcmp(), so that the time taken does not reveal how many leading characters matched.
What we are doing here isn’t really encrypting a password. Actually, we are creating a password validator. We use the term encryption because it is in common use and is a more concise way to explain the process.
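The create-and-verify procedure above, as an added example that is not part of the original recipe. It is written in Python rather than C so that it can be run directly, but it calls the very same C library crypt(3) the recipe discusses, through the stdlib crypt module where present and through ctypes and libcrypt where that module has been removed (Python 3.13 and later). The function names hash_password(), verify_password() and make_salt() are this example's own; it assumes a Unix libc whose crypt(3) still accepts the traditional two-character DES salt, and falls back to a "$6$" (SHA-512 crypt) salt only if the library refuses DES, so that the same "stored hash as salt" verification idiom can still be exercised.

```python
"""crypt(3)-based password validator: create a stored value, then verify.

Added example, not from the book. Assumes a Unix libc providing crypt(3).
"""
import hmac
import secrets

# Locate crypt(3). The stdlib 'crypt' module wraps it but was removed in
# Python 3.13, so fall back to loading libcrypt through ctypes.
try:
    import crypt as _crypt

    def _crypt3(password, salt):
        try:
            out = _crypt.crypt(password, salt)
        except OSError:            # glibc: NULL + errno on a bad salt
            return None
        # libxcrypt signals failure with a "*0"/"*1" token instead of NULL
        return None if out is None or out.startswith("*") else out
except ImportError:
    import ctypes
    import ctypes.util

    _lib = None
    for _name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", "libcrypt.so.2"):
        if not _name:
            continue
        try:
            _lib = ctypes.CDLL(_name)
            break
        except OSError:
            continue
    if _lib is None:
        raise ImportError("no crypt(3) implementation found on this system")
    _lib.crypt.restype = ctypes.c_char_p     # copies the static buffer out
    _lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

    def _crypt3(password, salt):
        out = _lib.crypt(password.encode(), salt.encode())
        if out is None:
            return None
        out = out.decode()
        return None if out.startswith("*") else out

# The 64-character alphabet crypt(3) uses for salts and hash output.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt(length=2):
    """Random salt; traditional DES crypt uses two characters (12 bits)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def hash_password(password, salt=None):
    """Create the stored validator: crypt(plaintext, random salt).

    Traditional DES crypt silently ignores everything after the eighth
    character of the password; see the caveat in the usage note.
    """
    if salt is None:
        salt = make_salt()
    hashed = _crypt3(password, salt)
    if hashed is None and not salt.startswith("$"):
        # This libcrypt refuses DES (some libxcrypt builds disable it):
        # fall back to SHA-512 crypt, which verifies with the same idiom.
        hashed = _crypt3(password, "$6$" + make_salt(16) + "$")
    if hashed is None:
        raise RuntimeError("crypt(3) rejected the salt setting")
    return hashed


def verify_password(password, stored):
    """Re-run crypt() with the stored value as the salt; compare constant-time."""
    candidate = _crypt3(password, stored)
    if candidate is None:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)                                     # 13 chars for DES crypt
    print(verify_password("correct horse", stored))   # True
    print(verify_password("wrong horse", stored))     # False
```

Two things to notice when running it. First, with the traditional DES algorithm the stored value is 13 characters, the first two of which are the salt itself, which is why the stored value can be handed straight back to crypt() as the salt argument. Second, DES crypt keys on the first eight characters only, so verify_password("12345678extra", stored) succeeds against a value created from "12345678"; that truncation is one of the reasons the recipe recommends crypt() for compatibility use only.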
The crypt() function is normally found in use only on older Unix systems that still exclusively use the /etc/passwd file for storing user information.
Modern Unix systems typically use stronger algorithms and alternate
storage methods for user information, such as the Lightweight
Directory Access Protocol (LDAP), Kerberos (see Recipe 8.13), NIS, or
some other type of directory service.
The traditional implementation of crypt() uses DES (see Recipe 5.2 for a discussion of ...