| Openwall Project | /home Owl JtR Pro crypt pam_passwdqc tcb phpass scanlogd popa3d msulogin / Linux BIND / advisories presentations / services donations / wordlists passwords / news community lists wiki CVSweb mirrors signatures | |
| bringing security into open environments | ||
|
Please note that password hashing is often wrongly referred to as "password encryption". Hashing is a more appropriate term since encryption is something that is supposed to be easily reversible.
This is an implementation of a modern password hashing algorithm, based on the Blowfish block cipher, provided via the crypt(3) and a reentrant interface. It is compatible with bcrypt (version 2a) by Niels Provos and David Mazieres, as used in OpenBSD. A paper on the algorithm that explains its design decisions is available here.
The most important property of bcrypt (and thus crypt_blowfish) is that it is adaptable to future processor performance improvements, allowing you to arbitrarily increase the processing cost of checking a password while still maintaining compatibility with your older password hashes. Already now bcrypt hashes you would use are several orders of magnitude stronger than traditional Unix DES-based or FreeBSD-style MD5-based hashes.
Today, a number of other operating systems, besides OpenBSD, support bcrypt password hashes, with Niels' original implementation, with this implementation (crypt_blowfish), or otherwise. These systems include recent versions of FreeBSD and NetBSD, Solaris 10, and indeed the Linux distributions that have integrated crypt_blowfish (see below for a list). Only some of these systems use bcrypt for newly set passwords by default, though.
This code comes from John the Ripper password cracker, and is placed in the public domain to let you use this on your system, as a part of a software package, or anywhere else to improve security, ensure compatibility, or for any other purpose. There's no license to worry about, not even a BSD-style copyright.
You can use the provided routines in your own packages or link them into a C library. Hooks for linking into GNU libc are provided. Note that simply adding this code into your libc is probably not enough to make your system use the new password hashing algorithm. Changes to passwd(1), PAM modules, or whatever else your system uses will likely be needed as well. These are not a part of this package, but there's pam_tcb in the Openwall GNU/*/Linux (Owl) tcb package which uses the password hashing framework provided by crypt_blowfish, and there are the Owl shadow suite patches (in particular, the crypt_gensalt patch) available from our CVSweb server.
You may also want to check out our portable PHP password hashing framework for use in your PHP applications.
Download:
These files are also available via FTP.
Follow this link for information on verifying the signatures.
We may help you integrate crypt_blowfish into your software or OS installs, please check out our services.
Contributed crypt_blowfish resources:
crypt_blowfish is fully integrated into Owl, distributions by ALT Linux team, and Annvix as the default password hashing scheme. It is a part of the glibc package on SUSE Linux and ASPLinux.
Additionally, crypt_blowfish is used in PHP 5.3.0+, in the Suhosin security hardening patch for older versions of PHP, in Crypt::Eksblowfish Perl module, in PostgreSQL's contrib/pgcrypto providing bcrypt support for crypt() and gen_salt() SQL functions, and in CommuniGate Pro messaging server starting with version 4.1 (but you need to explicitly configure CGP to use "UB-crpt" "password encryption" in order to have it produce bcrypt hashes for new passwords).
Support further work on this software with donations.
| Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux |
281830 |