Perl crypt() - MAJOR security bug???

[Douglas Garstang]

I've come across something with the perl crypt() function that I just just
understand!

Take the example below....

$pwd = (getpwnam("john"))[1];
$word="password";
$salt = substr($pwd, 0, 2);

if (crypt($word, $salt) ne $pwd) {
die "Sorry...\n";
} else {
print "ok\n";
}

Assuming john's password IS 'password' this all works fine.

If I change the password to 'passwordX'... crypt() STILL says it is fine.

What on EARTH????

Replies to dgar...@nsw.bigpond.net.au

Thanks