
Reversible One Way Hash in crypt Module

The Python module crypt provides a number of functions for password hashing. However, some of the hashing functions supported by crypt are weak and should not be used. These weak hashing functions include CRYPT and MD5.

The CRYPT hashing function is weak because it is based on the original DES-based crypt algorithm. Hashes produced this way are cheap to brute-force, so passwords hashed with METHOD_CRYPT can be easily recovered by attackers.

The MD5 hashing function is also a weak hashing function. MD5 is a cryptographic hash function that was designed in the early 1990s. MD5 is no longer considered secure, and passwords hashed with MD5 can be easily cracked by attackers.

If the crypt module must be used, prefer its stronger methods, METHOD_SHA256 or METHOD_SHA512.

Examples

crypt_crypt_method_md5.py
import crypt


crypt.crypt("password", salt=crypt.METHOD_MD5)
Example Output
> precli tests/unit/rules/python/stdlib/crypt/examples/crypt_crypt_method_md5.py
⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/crypt/examples/crypt_crypt_method_md5.py
PY002: Use of Weak Hash
Use of weak hash function 'crypt.METHOD_MD5' does not meet security expectations.
crypt_mksalt_method_crypt.py
import crypt


crypt.mksalt(crypt.METHOD_CRYPT)
Example Output
> precli tests/unit/rules/python/stdlib/crypt/examples/crypt_mksalt_method_crypt.py
⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/crypt/examples/crypt_mksalt_method_crypt.py
PY002: Use of Weak Hash
Use of weak hash function 'crypt.METHOD_CRYPT' does not meet security expectations.

Remediation

The recommendation is to swap the insecure hashing method for one of the more secure alternatives, METHOD_SHA256 or METHOD_SHA512.

crypt_crypt_method_md5.py
import crypt


crypt.crypt("password", salt=crypt.METHOD_SHA256)
crypt_mksalt_method_crypt.py
import crypt


crypt.mksalt(crypt.METHOD_SHA512)
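The following is an added example, not precli's own implementation, of how a PY002-style check can be expressed as a small AST scan: it flags METHOD_CRYPT and METHOD_MD5 when they are passed to crypt.crypt (as the salt) or crypt.mksalt (as the method), and stays silent on the remediated SHA256/SHA512 calls. The sample sources are constructed to mirror the example files above; the `find_weak_crypt_methods` name is ours, and `import crypt as <alias>` is assumed to be out of scope.

```python
import ast

# Constructed sample sources mirroring the page's example files (not real project files).
WEAK_CRYPT_SRC = 'import crypt\n\n\ncrypt.crypt("password", salt=crypt.METHOD_MD5)\n'
WEAK_MKSALT_SRC = "import crypt\n\n\ncrypt.mksalt(crypt.METHOD_CRYPT)\n"
FIXED_CRYPT_SRC = 'import crypt\n\n\ncrypt.crypt("password", salt=crypt.METHOD_SHA256)\n'
ALIASED_SRC = "from crypt import mksalt, METHOD_CRYPT as weak\nmksalt(weak)\n"

WEAK_METHODS = {"METHOD_CRYPT", "METHOD_MD5"}


def find_weak_crypt_methods(source):
    """Return [(line, method), ...] for every weak crypt method used as a
    crypt.crypt() salt or crypt.mksalt() method in the given Python source."""
    tree = ast.parse(source)

    # Names bound by 'from crypt import X [as Y]' so bare names resolve to crypt attributes.
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "crypt":
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name

    def crypt_attr(node):
        # 'crypt.NAME' -> 'NAME'; a bare name imported from crypt -> its crypt name.
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            return node.attr if node.value.id == "crypt" else None
        if isinstance(node, ast.Name):
            return aliases.get(node.id)
        return None

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = crypt_attr(node.func)
        if func == "crypt":
            # salt is the second positional argument or the 'salt' keyword
            candidates = node.args[1:2] + [k.value for k in node.keywords if k.arg == "salt"]
        elif func == "mksalt":
            # method is the first positional argument or the 'method' keyword
            candidates = node.args[0:1] + [k.value for k in node.keywords if k.arg == "method"]
        else:
            continue
        for arg in candidates:
            method = crypt_attr(arg)
            if method in WEAK_METHODS:
                findings.append((node.lineno, method))
    return findings
```

Each finding carries the source line of the offending call, which is the same line precli reports in the warnings above.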

Alternatives to Crypt

There are a number of alternatives to weak hashing functions. These alternatives include bcrypt, pbkdf2, and scrypt.

  • bcrypt is a secure password hashing function that is based on the Blowfish block cipher. Bcrypt is considered to be one of the most secure password hashing functions available.

  • PBKDF2 is a secure password hashing function that is based on the HMAC cryptographic function. PBKDF2 is considered to be one of the most secure password hashing functions available.

  • scrypt is a secure password hashing function that is based on the bcrypt algorithm. Scrypt is designed to be more secure than bcrypt, and it is also more resistant to GPU-based attacks.

Default Configuration

enabled = true
level = "warning"

New in version 0.1.0