Ruby String.crypt Method

What hash algorithm uses the Ruby String.crypt method? When used in combination with salt, is it safe enough to hash passwords?


No.

It uses the C crypt() library, which is based on DES. This is a fast cipher. [1]

It is not ideal for hashing passwords. The algorithm is reasonable as a cryptosystem, although rather short in key length, which is a problem for passwords. However, it has an even more fundamental weakness: it is too fast.

Good password hashing functions have a somewhat odd cryptographic requirement: they need algorithms that fundamentally require a lot of complex operations, not just a few XORs and some table lookups like DES.

Incidentally, it is almost always a bad idea to roll your own password system. It is better to use existing packages, on the theory that they have been subject to review. Cooking up a good one takes a certain number of ingredients.

And finally, you have asked a question that our fearless leader here on SO has written about! See: The Dirty Truth About Web Passwords.


1. Note that even if it were implemented in Ruby, speed would still be a problem: it is a fundamentally fast algorithm, so an attacker could use their own implementation to search for keys.


Correct me if I'm wrong, but it only uses the first 8 bytes of the string, which means that your passwords using crypt cannot be longer than 8 bytes.

Here is an example in irb:

"special special special special special special special special special special special special special special special special special -".crypt("1234567890123456123456789012345612345678901234561234567890123456") => "12mJsn4TDq.Gw"
"special -".crypt("1234567890123456123456789012345612345678901234561234567890123456") => "12mJsn4TDq.Gw"
"special".crypt("1234567890123456123456789012345612345678901234561234567890123456") => [result cut off in the source]

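The two weaknesses the answers describe, the 8-byte truncation of DES crypt and its speed, shown next to a deliberately slow, salted alternative from Ruby's standard library (PBKDF2-HMAC-SHA256 via OpenSSL). This is an added example, not code from either answer; the iteration count, the "pbkdf2-sha256$iter$salt$dk" storage format and the helper names are its own assumptions.

```ruby
require "openssl"
require "securerandom"

# Traditional DES crypt(3) as reached through String#crypt. Only the first 8 bytes of the
# password and the first 2 characters of the salt are used. Returns nil where the libc has
# DES disabled (it either raises EINVAL or hands back a "*"-prefixed failure token).
def des_crypt(password, salt = "12")
  out = password.crypt(salt)
  out.start_with?("*") ? nil : out
rescue Errno::EINVAL, NotImplementedError
  nil
end

# True when two different passwords hash identically under DES crypt (8-byte truncation).
def des_crypt_collides?(pw_a, pw_b, salt = "12")
  a = des_crypt(pw_a, salt)
  b = des_crypt(pw_b, salt)
  return nil if a.nil? || b.nil?
  a == b
end

# Constant-time byte comparison so verification does not leak where the mismatch is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Slow, salted alternative: PBKDF2-HMAC-SHA256 with a per-password random salt.
# The iteration count (600_000, the commonly cited 2023 OWASP figure) and the
# "pbkdf2-sha256$iter$salt$dk" storage format are this example's own assumptions.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password, salt = SecureRandom.random_bytes(16), iterations: PBKDF2_ITERATIONS)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, OpenSSL::Digest.new("SHA256"))
  "pbkdf2-sha256$#{iterations}$#{[salt].pack('m0')}$#{[dk].pack('m0')}"
end

# Recomputes the derived key from the stored record; every byte of the password counts.
def pbkdf2_verify(password, stored)
  scheme, iters, salt_b64, dk_b64 = stored.to_s.split("$", 4)
  return false unless scheme == "pbkdf2-sha256" && dk_b64 && iters.to_i > 0
  salt = salt_b64.unpack1("m0")
  expected = dk_b64.unpack1("m0")
  actual = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters.to_i, expected.bytesize, OpenSSL::Digest.new("SHA256"))
  secure_equal?(actual, expected)
end
```

des_crypt_collides?("special special special -", "special -") returns true on a libc with DES crypt, while pbkdf2_verify("special -", pbkdf2_hash("special special special -")) is false.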

Source: https://habr.com/ru/post/1394818/
