[Gambas-user] CRYPT function - a little help please?

Adrien Prokopowicz adrien.prokopowicz at ...626...
Fri Aug 25 11:58:28 CEST 2017


On Fri, 25 Aug 2017 11:32:36 +0200, Benoît Minisini
<gambas at ...1...> wrote:

> On 25/08/2017 at 11:22, Adrien Prokopowicz wrote:
>>  I would like to put my two cents on this subject (although,
>> disclaimer: I am not a professional in security).
>>  First of all, the documentation of gb.crypt is completely wrong. As
>> Tobias says, its methods have *nothing* to do with encryption: ...
>
> Not my fault:
>
> $ man crypt
>
> CRYPT(3)
>
> NAME
>         crypt, crypt_r - password and data encryption
> ...

Oh wow, I actually never noticed this. Probably it is because it's a very
old function, and no one wanted to update the man page?

> But you are right. The documentation should be updated with emphasis on
> hashing instead of encryption, and an explanation of the risks.

Yep, I will probably do that when I'm finished with writing the Git guide.

> And SHA-1 and SHA-2 are provided too for better security.

I know they are there, but while they are a little better than MD5, they
still are very bad for handling passwords, they are way too quick.

Some functions that are commonly used for password hashing are PBKDF2 or
bcrypt (and maybe scrypt too, although I heard it is a bit young). PBKDF2
and scrypt can be provided by OpenSSL, but I think bcrypt is implemented in
a separate library.

-- 
Adrien Prokopowicz
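The point made above (a plain SHA-1/SHA-2 digest is "too quick" for passwords, while a deliberately slow, salted function such as PBKDF2 is the usual choice) can be shown with a small Python example. This is an added example, not code from the thread or from Gambas/gb.crypt: it uses Python's standard `hashlib.pbkdf2_hmac` and `hmac.compare_digest`, and the iteration count, salt length and the `pbkdf2_sha256$...` storage format are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, a 16-byte
# random salt, 200,000 iterations and a 32-byte derived key.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_b64$hash_b64.

    Storing the iteration count alongside the hash lets the work factor be
    raised later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-password salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare
    in constant time, so the comparison itself leaks no timing information."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: refuse rather than guess
    if scheme != SCHEME or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def cost_ratio(password: str = "correct horse battery staple",
               iterations: int = ITERATIONS) -> float:
    """Rough ratio of one PBKDF2 call to one bare SHA-256 digest.

    This is the "too quick" argument in numbers: a single digest costs a
    fraction of a microsecond, so an attacker with a leaked hash list can
    try candidates at enormous rates, whereas PBKDF2 multiplies that cost
    by the iteration count for attacker and defender alike.
    """
    data = password.encode("utf-8")
    salt = b"constructed-salt"  # fixed salt, for timing only
    reps = 2000
    t0 = time.perf_counter()
    for _ in range(reps):
        hashlib.sha256(data).digest()
    plain = (time.perf_counter() - t0) / reps
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", data, salt, iterations, dklen=DKLEN)
    slow = time.perf_counter() - t0
    return slow / plain if plain > 0 else float("inf")


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print("correct password:", verify_password("hunter2", record))
    print("wrong password:  ", verify_password("hunter3", record))
    print("PBKDF2 / SHA-256 cost ratio: %.0f" % cost_ratio())
```

Each stored record carries its own random salt, so two users with the same password get different hashes and a precomputed table cannot be reused across accounts; `verify_password` rejects malformed records instead of raising, and `cost_ratio` makes the speed difference the message is talking about visible on the machine it runs on.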
