Which hash algorithm does Ruby’s String.crypt method use? When used in conjunction with a salt, is this secure enough for hashing passwords?
It uses the C library crypt() which is based on DES. This is a fast cipher.[1] It’s not ideal for hashing passwords. The algorithm is reasonable as a cryptosystem although rather short on key length which is a problem for passwords. However, it has an even more fundamental weakness: it’s too fast.
Good password hashing functions have a somewhat odd cipher requirement: they need algorithms that fundamentally require many complex operations, not just a handful of XOR ops and some table lookups like DES does.
It is, btw, almost always a bad idea to roll your own password system. It’s better to use existing packages on the theory that these have been subject to review. It requires a certain amount of subject matter expertise to cook up a good one.
And finally, you have asked a question that our fearless leader here on SO has written about! See: The Dirty Truth About Web Passwords.
[1] Note that even if it were implemented in Ruby the speed would still be a problem: it’s fundamentally a fast algorithm so an attacker could use his own implementation for key searching.
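Added example, not part of the answer above or of Ruby's own code: a minimal password store that replaces the fixed-cost, DES-based String#crypt with PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library, so the cost per guess is a tunable work factor rather than a property of DES. The record format, the iteration count and the salt length are assumptions chosen for the example.

```ruby
require "openssl"
require "securerandom"
require "benchmark"

# Assumption: tune ITERATIONS so one hash costs tens of milliseconds on your hardware.
ITERATIONS = 200_000
KEY_LENGTH = 32

# Record format (example's own convention): pbkdf2-sha256$<iterations>$<salt hex>$<key hex>
def hash_password(password, iterations: ITERATIONS, salt: SecureRandom.random_bytes(16))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH, "sha256")
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), dk.unpack1("H*")].join("$")
end

# Constant-time comparison: total time does not depend on how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify against a stored record. Iterations and salt are read back from the record,
# so the work factor can be raised for new users without invalidating old records.
def verify_password(password, record)
  scheme, iter, salt_hex, dk_hex = record.split("$")
  return false unless scheme == "pbkdf2-sha256" && iter && salt_hex && dk_hex
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, [salt_hex].pack("H*"), iter.to_i, KEY_LENGTH, "sha256")
  secure_equal?(dk.unpack1("H*"), dk_hex)
end

if __FILE__ == $0
  rec = hash_password("correct horse battery staple")
  puts rec
  puts verify_password("correct horse battery staple", rec)  # true
  puts verify_password("wrong password", rec)                # false
  # Cost per guess: DES crypt has no work factor to raise; PBKDF2's iteration count is one.
  des = Benchmark.realtime { 1000.times { "correct horse battery staple".crypt("ab") } } / 1000
  kdf = Benchmark.realtime { hash_password("correct horse battery staple") }
  printf("crypt: %.6fs per hash, pbkdf2: %.6fs per hash\n", des, kdf)
end
```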