2
votes

I am comparing PHP's crypt() versus Pythons crypt(). From Reading Python's manual:

http://docs.python.org/2/library/crypt.html

Platforms: Unix

This module implements an interface to the crypt(3) routine, which is a one-way hash function based upon a modified DES algorithm; see the Unix man page for further details. Possible uses include allowing Python scripts to accept typed passwords from the user, or attempting to crack Unix passwords with a dictionary.

Notice that the behavior of this module depends on the actual implementation of the crypt(3) routine in the running system. Therefore, any extensions available on the current implementation will also be available on this module.

crypt.crypt(word, salt) word will usually be a user’s password as typed at a prompt or in a graphical interface. salt is usually a random two-character string which will be used to perturb the DES algorithm in one of 4096 ways. The characters in salt must be in the set [./a-zA-Z0-9]. Returns the hashed password as a string, which will be composed of characters from the same alphabet as the salt (the first two characters represent the salt itself).

And from reading PHP's Crypt:

http://php.net/manual/en/function.crypt.php

CRYPT_SHA512 - SHA-512 hash with a sixteen character salt prefixed with $6$. If the salt string starts with 'rounds=$', the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit.

To be fair, I am not including Python's third party modules...I wanted to compare PHP crypt() to Python crypt() both stock.

After reading these two and comparing.... It looks like PHP Crypt() using SHA512 and it's maximum of 999,999,999 hashing rounds is far strong/superior than Python's Crypt(). Is this confirmed? Or am I not reading this correctly.

2

2 Answers

3
votes

Note that Python crypto is only a wrapper around crypt (3) call and that the document you mentioned refers to the base POSIX version, available anywhere. Most implementations of crypto have further expanded on that, as the documentation says:

Notice that the behavior of this module depends on the actual implementation of the crypt(3) routine in the running system. Therefore, any extensions available on the current implementation will also be available on this module.

If you look at the glibc version (which is the one used by a vast majority of Linux systems), you will find that all the algorithms listed by the PHP doc have been implemented. Also, have a look to the source code of one crypt module to see that iterations (rounds) parameter is supported.

The PHP doc in your question lists all the algorithms, so either the authors take for granted that it will be installed on a system with a recent glibc, or they managed to emulate missing algorithms on all systems.

2
votes

Python's crypt() is a proxy to the UNIX equivalent which is used for password hashing; where as PHP's is a general encryption service provider; for which Python has the hashlib module