Python crypt module

python_noobie · Feb 10, 2016 · Viewed 13.7k times

I was looking up Python modules when I found something called 'crypt'. I do not understand it. I have tried reading up on this: what is this 'salt' thing, what is the use of this crypt module, and is there some sort of way that I can apply 'crypt' to this piece of Python code?

import crypt

max_attempts = 3
attempt = 0

try:
    while attempt < max_attempts:

        uname = input('Username: ')
        password = input('pass: ')

        # Password compared in clear text against a literal in the source
        if uname == 'admin' and password == 'Khs9':
            print('Welcome Admin')
            break
        else:
            attempt += 1
            if attempt == max_attempts:
                raise RuntimeError("\nYou've reached the maximum number of attempts allowed.")
            else:
                print('Wrong credentials.\n Try again or press <ctrl+c> to exit.\n')
                continue

except KeyboardInterrupt:
    print('Terminated by the user.\nGood-bye.')

except RuntimeError as e:
    print("Goodbye")

Answer

Guy Gangemi · Feb 11, 2016

Now that I've seen your code, I know the password is 'Khs9' and I can log into your box.

You could have run the following in private.

>>> import crypt
>>> crypt.crypt('Khs9', 'aa')
'aa0GPiClW35DQ'

Now you update your code as such:

import crypt

max_attempts = 3
attempt = 0
# Output of crypt.crypt('Khs9', 'aa'), computed once in private;
# the first two characters ('aa') are the salt.
stored_pw_hash = 'aa0GPiClW35DQ'

try:
    while attempt < max_attempts:

        uname = input('Username: ')
        # Passing the stored hash as the salt argument reuses its salt prefix,
        # so the same password produces the same hash.
        entered_pw_hash = crypt.crypt(input('pass: '), stored_pw_hash)

        if uname == 'admin' and entered_pw_hash == stored_pw_hash:
            print('Welcome Admin')
            break
        else:
            attempt += 1
            if attempt == max_attempts:
                raise RuntimeError("\nYou've reached the maximum number of attempts allowed.")
            else:
                print('Wrong credentials.\n Try again or press <ctrl+c> to exit.\n')
                continue

except KeyboardInterrupt:
    print('Terminated by the user.\nGood-bye.')

except RuntimeError as e:
    print("Goodbye")

Now if your code gets leaked, they don't have access right away. You should have enough time to realise you were hacked and then change your password.

Here's the background info...

crypt.crypt(password) will return the hash of password. You store the hash instead of the clear text password. That way, you can't lose the password to a hacker because you don't have it. Losing a hash is not a big problem because it doesn't guarantee access (if you follow best practice, which includes using a salt).

Next time someone provides a password, you calculate its hash, compare it to the hash you stored from before, and if they match, you know they gave you the correct password.

Why do you need to use a salt? Because someone took the long ass time needed to generate a table with commonly used passwords and their hashes. Once done, it's a quick check to crack the hash. By using a salt you ensure that a different lookup table applies, one that probably isn't available and the average hacker doesn't have the time to generate it.

crypt.crypt() needs two chars to use as a salt. You can either pass it a two char string OR use the previous output of the function. (crypt.crypt() returns a string with first two chars being the salt and the rest being the hash)

I looked at https://docs.python.org/3.4/library/crypt.html to answer this.
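Added example (not from the question or the answer above): the same "stored value carries its own salt, pass it back as the salt argument" pattern that crypt.crypt(word, salt) uses, rebuilt on hashlib.pbkdf2_hmac so it runs on current Python, since the stdlib crypt module was deprecated in Python 3.11 and removed in 3.13. The "<salt>$<hash>" storage format, the function names and the list of "common" passwords are constructed for this illustration; the last two functions show why an unsalted lookup table cracks 'Khs9' instantly but cannot be reused against the salted value.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16        # random salt length; classic DES crypt used only 2 chars
ITERATIONS = 100_000   # PBKDF2 work factor; slows down table building as well


def make_hash(password, salt=None):
    """Return '<salt>$<hex hash>'.

    Like crypt.crypt(): pass a previous output as `salt` and its salt prefix
    is reused, so re-hashing the same password reproduces the stored value.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES).hex()          # fresh salt for a new password
    elif "$" in salt:
        salt = salt.split("$", 1)[0]                 # previous output: keep the salt prefix
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"{salt}${digest.hex()}"


def verify(password, stored):
    """Re-hash the attempt with the stored salt; compare in constant time."""
    return hmac.compare_digest(make_hash(password, stored), stored)


def unsalted_hash(password):
    """What a naive scheme would store: one fixed hash per password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table(common_passwords):
    """The attacker's precomputed table: unsalted hash -> password."""
    return {unsalted_hash(p): p for p in common_passwords}


def cracked_by_table(table, leaked_hash):
    """Instant 'crack' if the leaked hash is in the table, else None."""
    return table.get(leaked_hash)


if __name__ == "__main__":
    stored = make_hash("Khs9")                # done once, in private; only this is kept
    print("stored:", stored)
    print("login ok:", verify("Khs9", stored), "wrong pw:", verify("khs9", stored))
    table = lookup_table(["password", "123456", "Khs9"])   # constructed sample table
    print("unsalted leak cracked as:", cracked_by_table(table, unsalted_hash("Khs9")))
    print("salted leak cracked as:", cracked_by_table(table, stored.split("$", 1)[1]))
```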