Check out the new USENIX Web site. next up previous
Next: MD5 crypt Up: Comparison Previous: Comparison

Traditional crypt

Traditional crypt(3)'s design rationale dates back to 1976 [9]. It uses a password of up to eight characters as a key for DES [10]. The 56-bit DES key is formed by combining the low-order 7 bits of each character in the password. If the password is shorter than 8 characters, it is padded with zero bits on the right.

A 12-bit salt is used to perturb the DES algorithm, so that the same password plaintext can produce 4,096 possible password encryptions. A modification to the DES algorithm, swapping bits i and i+24 in the DES E-Box output when bit i is set in the salt, achieves this while also making DES encryption hardware useless for password guessing.

The 64-bit constant ``'' is encrypted 25 times with the DES key. The final output is the 12-bit salt concatenated with the encrypted 64-bit value. The resulting 76-bit value is recoded into 13 printable ASCII characters.

At the time traditional crypt was conceived, it was fast enough for authentication but too costly for password guessing to be practical. Today, we are aware that it exhibits three serious limitations: the restricted password space, the small salt space, and the constant execution cost. In contrast, bcrypt allows for longer passwords, has salts large enough to be unique over all time, and has adaptable cost. These limitiations therefore do not apply to bcrypt.

next up previous
Next: MD5 crypt Up: Comparison Previous: Comparison
Niels Provos and David Mazieres