The library(crypt)
library defines crypt/2
for encrypting and testing passwords. The clib package also provides
crytographic hashes as described in section
12
The library supports two encryption formats: traditional Unix
DES-hashes2On non-Unix systems,
crypt() is provided by the NetBSD library. The license header is added
at the end of this document. and FreeBSD compatible MD5
hashes (all platforms). MD5 hashes start with the magic sequence $1$
,
followed by an up to 8 character salt. DES hashes start with a
2 character
salt. Note that a DES hash considers only the first 8
characters. The MD5 considers the whole string.
Salt and algorithm can be forced by instantiating the start of Encrypted with it. This is typically used to force MD5 hashes:
?- phrase("$1$", E, _), crypt("My password", E), format('~s~n', [E]). $1$qdaDeDZn$ZUxSQEESEHIDCHPNc3fxZ1
Encrypted is always a list of ASCII character codes. Plain only supports ISO-Latin-1 passwords in the current implementation.
Plain is either an atom, SWI-Prolog string, list of characters or list of character-codes. It is not advised to use atoms, as this implies the password will be available from the Prolog heap as a defined atom.
NOTE: crypt/2
provides an interface to the Unix password hashing API. Above we already
introduced support for classical DES and MD5 hashes, both hashes that
are considered insecure by today's standards.3Insecure
means that the password can realistically be derived from the password
hash using a brute-force attack. This implies that leaking the password
database is an immediate security risk. The crypt() API of
modern Unix systems typically support more secure hashes. Using crypt/2
is suitable if compatibility with OS passwords is required. If strong
hashes and platform independence are important to you, use crypto_password_hash/2
provided by library
library(crypto)
from the
ssl package.