- Documentation
- Reference manual
- Packages
- SWI-Prolog C-library
- Introduction
- library(process): Create processes and redirect I/O
- library(filesex): Extended operations on files
- library(uid): User and group management on Unix systems
- library(syslog): Unix syslog interface
- library(socket): Network socket (TCP and UDP) library
- The stream_pool library
- library(uri): Process URIs
- CGI Support library
- Password encryption library
- library(uuid): Universally Unique Identifier (UUID) Library
- SHA* Secure Hash Algorithms
- library(md5): MD5 hashes
- library(hash_stream): Maintain a hash on a stream
- Memory files
- library(time): Time and alarm library
- library(unix): Unix specific operations
- Limiting process resources
- library(udp_broadcast): A UDP broadcast proxy
- library(prolog_stream): A stream with Prolog callbacks
- SWI-Prolog C-library
10 Password encryption library
The library(crypt)
library defines crypt/2
for encrypting and testing passwords. The clib package also provides
crytographic hashes as described in section
12
- crypt(+Plain, ?Encrypted)
- This predicate can be used in three modes. To test whether a password
matches an encrypted version thereof, simply run with both arguments
fully instantiated. To generate a default encrypted version of
Plain, run with unbound Encrypted and this
argument is unified to a list of character codes holding an encrypted
version.
The library supports two encryption formats: traditional Unix DES-hashes2On non-Unix systems, crypt() is provided by the NetBSD library. The license header is added at the end of this document. and FreeBSD compatible MD5 hashes (all platforms). MD5 hashes start with the magic sequence
$1$
, followed by an up to 8 character salt. DES hashes start with a 2 character salt. Note that a DES hash considers only the first 8 characters. The MD5 considers the whole string.Salt and algorithm can be forced by instantiating the start of Encrypted with it. This is typically used to force MD5 hashes:
?- phrase("$1$", E, _), crypt("My password", E), format('~s~n', [E]). $1$qdaDeDZn$ZUxSQEESEHIDCHPNc3fxZ1
Encrypted is always a list of ASCII character codes. Plain only supports ISO-Latin-1 passwords in the current implementation.
Plain is either an atom, SWI-Prolog string, list of characters or list of character-codes. It is not advised to use atoms, as this implies the password will be available from the Prolog heap as a defined atom.
NOTE: crypt/2 provides an interface to the Unix password hashing API. Above we already introduced support for classical DES and MD5 hashes, both hashes that are considered insecure by today's standards.3Insecure means that the password can realistically be derived from the password hash using a brute-force attack. This implies that leaking the password database is an immediate security risk. The crypt() API of modern Unix systems typically support more secure hashes. Using crypt/2 is suitable if compatibility with OS passwords is required. If strong hashes and platform independence are important to you, use crypto_password_hash/2 provided by library
library(crypto)
from the ssl package.