Encrypts a string exactly like the crypt(3) function in the C library (assuming that
you actually have a version there that has not been extirpated as a potential munition).
This can prove useful for checking the password file for lousy passwords, amongst other
things. Only the guys wearing white hats should do this.
Note that crypt is intended to be a one-way function, much like breaking
eggs to make an omelette. There is no (known) corresponding decrypt function (in other
words, the crypt() is a one-way hash function). As a result, this function isn't all that
useful for cryptography. (For that, see your nearby CPAN mirror.)
When verifying an existing encrypted string you should use the encrypted text as the
salt (like crypt($plain, $crypted) eq $crypted). This allows your code to
work with the standard crypt and with more exotic implementations. In other
words, do not assume anything about the returned string itself, or how many bytes in the
encrypted string matter.
Traditionally the result is a string of 13 bytes: two first bytes of the salt, followed
by 11 bytes from the set [./0-9A-Za-z], and only the first eight bytes of the
encrypted string mattered, but alternative hashing schemes (like MD5), higher level
security schemes (like C2), and implementations on non-UNIX platforms may produce
different strings.
When choosing a new salt create a random two character string whose characters come
from the set [./0-9A-Za-z] (like join '', ('.', '/', 0..9, 'A'..'Z',
'a'..'z')[rand 64, rand 64]).
Here's an example that makes sure that whoever runs this program knows their own
password:
$pwd = (getpwuid($<))[1];
system "stty -echo";
print "Password: ";
chomp($word = <STDIN>);
print "\n";
system "stty echo";
if (crypt($word, $pwd) ne $pwd) {
die "Sorry...\n";
} else {
print "ok\n";
}
|
|
Of course, typing in your own password to whoever asks you for it is unwise.
The crypt function
is unsuitable for encrypting large quantities of data, not least of all because you can't
get the information back. Look at the by-module/Crypt and by-module/PGP
directories on your favorite CPAN mirror for a slew of potentially useful modules.
If using crypt() on a Unicode string (which potentially has characters with
codepoints above 255), Perl tries to make sense of the situation by trying to downgrade (a
copy of the string) the string back to an eight-bit byte string before calling crypt() (on
that copy). If that works, good. If not, crypt() dies with Wide character in crypt.
