classification
Title: crypt produces wrong hashes for passwords containing dollar sign
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.8
process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, m.stoichkovaaa
Priority: normal
Keywords:

Created on 2020-11-22 14:23 by m.stoichkovaaa, last changed 2020-11-29 17:49 by eric.smith. This issue is now closed.

Messages (3)
msg381615 - Author: Микаела Стоичкова (m.stoichkovaaa) Date: 2020-11-22 14:23
I am having an issue with the crypt library (Lib/crypt.py) when hashing passwords containing a dollar sign ("$"). I am using Python 3.8.5 on Linux. To compare hashed passwords produced by crypt, I used openssl utilities.

When generating hashes for a password without "$", crypt and openssl return the same result.

But when generating hashes for passwords containing a dollar sign ($), crypt returns a result different from the one returned by openssl:

openssl passwd -6 "cash$money"
$6$C0UG33RcHmBVAjQ/$j1Tm2WSaZzDIzVQTgk71z6nY7fiJnaLe6Lxy8DzGystQ1Jive7IuqIUJq5s2F9wdXRpm8jNs7iksV8oHPVKYC0
 
python3 -c 'import crypt; print(crypt.crypt("cash$money","$6$C0UG33RcHmBVAjQ/"))'
$6$C0UG33RcHmBVAjQ/$Tm9aYQq7BsTT/awN6wiUZ6ysamqX9qUVKBV.TjML5udxWqupAB7luv/.KYypZnpQ9eI33R4Lw3O4Jx4NZjTEV/


I did not find a special mention for dollar sign in the documentation. Thanks for your help.
msg381616 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-11-22 14:33
I assume that you called openssl from a shell. You did not use single quotes around the password in the first example:

$ echo "cash$money"
cash
$ echo 'cash$money'
cash$money
$ openssl passwd -6 -salt 'C0UG33RcHmBVAjQ/' 'cash$money'
$6$C0UG33RcHmBVAjQ/$Tm9aYQq7BsTT/awN6wiUZ6ysamqX9qUVKBV.TjML5udxWqupAB7luv/.KYypZnpQ9eI33R4Lw3O4Jx4NZjTEV/
msg381617 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-11-22 14:37
PS: Don't use crypt or SSHA512 format for password hashing. You should use PBKDF2-HMAC, bcrypt, scrypt, or argon2 instead. SSHA512 is a dated algorithm and considered insecure.
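The following script is an added example, not code from the reporter, from Christian Heimes, or from CPython. It reproduces the two points of msg381616 and msg381617 in one place: first, what a POSIX shell actually hands to openssl for the double-quoted and single-quoted forms of the password (the double-quoted "cash$money" loses everything from "$money" on, because money is an unset variable), and second, a hash-and-verify pair using PBKDF2-HMAC-SHA256 from hashlib, one of the replacements recommended in msg381617 (the crypt module itself is deprecated since Python 3.11 and removed in 3.13). The helper names shell_argument, hash_password and verify_password, the record format, the 16-byte salt and the 600,000 iteration count are all assumptions for illustration; the sample password is the one from the report. The shell check needs a POSIX sh on PATH.

```python
import hashlib
import hmac
import os
import secrets
import subprocess
from typing import Optional

# Constructed sample from the report: the password itself contains "$".
PASSWORD = "cash$money"

# Assumption: work factor for PBKDF2-HMAC-SHA256. Pick the largest value your
# login latency budget allows; it is stored inside the record so it can be
# raised later without invalidating existing hashes.
PBKDF2_ITERATIONS = 600_000


def shell_argument(quoted_literal: str) -> str:
    """Return the string a POSIX shell hands to a command for the given
    quoted literal, e.g. '"cash$money"' or "'cash$money'".

    sh runs with an environment containing only PATH, so $money is unset and
    double-quote expansion visibly truncates the password to "cash".
    Assumes a POSIX sh is available on PATH.
    """
    script = "printf '%s' " + quoted_literal
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    result = subprocess.run(["sh", "-c", script], capture_output=True,
                            env=env, check=True)
    return result.stdout.decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 and a fresh random salt.

    Record layout (assumed): "$pbkdf2-sha256$<iterations>$<salt hex>$<dk hex>".
    "$" is only a field separator of the record; the password is hashed as raw
    UTF-8 bytes, so a "$" inside it needs no quoting or escaping.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time. Malformed records yield False instead of an
    exception so callers cannot tell "bad record" from "bad password"."""
    try:
        empty, scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if empty != "" or scheme != "pbkdf2-sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        count = int(iterations)
        if count < 1 or not expected:
            return False
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                     count, dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # 1. The quoting difference behind the report.
    print('sh passes "cash$money" as:', repr(shell_argument('"cash$money"')))  # 'cash'
    print("sh passes 'cash$money' as:", repr(shell_argument("'cash$money'")))  # 'cash$money'
    # 2. The recommended replacement for crypt-style hashing.
    record = hash_password(PASSWORD)
    print(record)
    print("correct password verifies:", verify_password(PASSWORD, record))  # True
    print("truncated password verifies:", verify_password("cash", record))  # False
```

The same quoting rule applies to any secret passed on a command line, not only to openssl; in practice prefer feeding the password on stdin (openssl passwd -stdin) or calling the library directly, which also keeps it out of the process list. When a record must be compared, always re-derive with the stored salt and parameters and compare with hmac.compare_digest rather than string equality.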
History
Date | User | Action | Args
2020-11-29 17:49:23 | eric.smith | set | status: open -> closed; resolution: not a bug; stage: resolved
2020-11-22 14:37:25 | christian.heimes | set | messages: + msg381617
2020-11-22 14:33:57 | christian.heimes | set | nosy: + christian.heimes; messages: + msg381616
2020-11-22 14:23:49 | m.stoichkovaaa | create |