Issue 42437: crypt produces wrong hashes for passwords containing dollar sign

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/86603

classification

Title:	crypt produces wrong hashes for passwords containing dollar sign
Type:	behavior	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.8

process

Status:	closed	Resolution:	not a bug
Dependencies:		Superseder:
Assigned To:		Nosy List:	christian.heimes, m.stoichkovaaa
Priority:	normal	Keywords:

Created on 2020-11-22 14:23 by m.stoichkovaaa, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (3)
msg381615 - (view)	Author: Микаела Стоичкова (m.stoichkovaaa)	Date: 2020-11-22 14:23
I am having an issue with crypt library (Lib/crypt.py) when hashing passwords containing dolalr sign ("$") . I am using python 3.8.5 on Linux. To compare hashed passwords produced by crypt, I used openssl utilities. When generating hashes for password without "$", crypt and openssl return the same result. But when generating hashes for passwords containing $ dollar sign, crypt returns a result different from the result returned by openssl: openssl passwd -6 "cash$money" $6$C0UG33RcHmBVAjQ/$j1Tm2WSaZzDIzVQTgk71z6nY7fiJnaLe6Lxy8DzGystQ1Jive7IuqIUJq5s2F9wdXRpm8jNs7iksV8oHPVKYC0 python3 -c 'import crypt; print(crypt.crypt("cash$money","$6$C0UG33RcHmBVAjQ/"))' $6$C0UG33RcHmBVAjQ/$Tm9aYQq7BsTT/awN6wiUZ6ysamqX9qUVKBV.TjML5udxWqupAB7luv/.KYypZnpQ9eI33R4Lw3O4Jx4NZjTEV/ I did not find a special mention for dollar sign in the documentation. Thanks for your help.
msg381616 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2020-11-22 14:33
I assume that you called openssl from a shell. You did not use single quotes around in the first example: $ echo "cash$money" cash $ echo 'cash$money' cash$money $ openssl passwd -6 -salt 'C0UG33RcHmBVAjQ/' 'cash$money' $6$C0UG33RcHmBVAjQ/$Tm9aYQq7BsTT/awN6wiUZ6ysamqX9qUVKBV.TjML5udxWqupAB7luv/.KYypZnpQ9eI33R4Lw3O4Jx4NZjTEV/
msg381617 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2020-11-22 14:37
PS: Don't use crypt or SSHA512 format for passowrd hashing. You should use PBKDF2-HMAC, bcrypt, scrypt, or argon2 instead. SSHA512 is a dated algorithm and considered insecure.

History
Date	User	Action	Args
2022-04-11 14:59:38	admin	set	github: 86603
2020-11-29 17:49:23	eric.smith	set	status: open -> closed resolution: not a bug stage: resolved
2020-11-22 14:37:25	christian.heimes	set	messages: + msg381617
2020-11-22 14:33:57	christian.heimes	set	nosy: + christian.heimes messages: + msg381616
2020-11-22 14:23:49	m.stoichkovaaa	create