Bug 11201 - crypt()
Summary: crypt()
Status: RESOLVED INVALID
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2018-07-26 20:27 UTC by Dhiraj
Modified: 2018-07-31 11:42 UTC

Description Dhiraj 2018-07-26 20:27:23 UTC
File:/master/libbb/pw_encrypt.c#L151

Function crypt() is a poor one-way hashing algorithm; since it only accepts passwords of 8 characters or less, and only a two-byte salt, it is excessively vulnerable to dictionary/brute-force based attacks given today's faster computing equipment.

Use a different algorithm, such as SHA-1, with a larger non-repeating salt.
Comment 1 Denys Vlasenko 2018-07-31 11:42:09 UTC
What do you think pw_encrypt_sha.c is for?
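
An added example, not part of the bug thread or the BusyBox source: a small C audit helper that tells the traditional 13-character DES crypt() format (two-character salt) discussed in the report apart from the `$1$`, `$5$` and `$6$` modular formats described in crypt(5), and counts DES entries in shadow-style text. The function names are hypothetical, and the sample lines and hash strings are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

#define CRYPT_ALPHABET "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

/* Hash-field formats per crypt(5); enum and function names are hypothetical. */
enum scheme { SCHEME_NONE, SCHEME_DES, SCHEME_MD5, SCHEME_SHA256, SCHEME_SHA512, SCHEME_OTHER };

/* Constructed shadow-style sample; the hash strings are placeholders, not real hashes. */
static const char SAMPLE[] =
    "root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17738:0:99999:7:::\n"
    "legacy:ab01FAX.bQRSU:17738:0:99999:7:::\n"
    "daemon:*:17738:0:99999:7:::\n"
    "old:$1$CONSTRUCT$CONSTRUCTEDHASH:17738:0:99999:7:::\n";

enum scheme classify_hash(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || h[0] == '!' || h[0] == '*') return SCHEME_NONE; /* empty or locked */
    if (strncmp(h, "$1$", 3) == 0) return SCHEME_MD5;
    if (strncmp(h, "$5$", 3) == 0) return SCHEME_SHA256;
    if (strncmp(h, "$6$", 3) == 0) return SCHEME_SHA512;
    /* Traditional DES crypt: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z]. */
    return (n == 13 && strspn(h, CRYPT_ALPHABET) == 13) ? SCHEME_DES : SCHEME_OTHER;
}

/* Count "user:hash:..." lines whose second field is a traditional DES hash. */
int count_des_entries(const char *text)
{
    int count = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        const char *colon = memchr(text, ':', len);
        if (colon) {
            const char *hash = colon + 1;
            size_t rest = len - (size_t)(hash - text);
            const char *end = memchr(hash, ':', rest);
            size_t hlen = end ? (size_t)(end - hash) : rest;
            char buf[14];
            if (hlen == 13) {               /* only a 13-char field can be DES */
                memcpy(buf, hash, 13);
                buf[13] = '\0';
                if (classify_hash(buf) == SCHEME_DES) count++;
            }
        }
        text += len + (eol ? 1 : 0);
    }
    return count;
}

int main(void) { printf("DES entries: %d\n", count_des_entries(SAMPLE)); return 0; }
```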