This is the recommended way to check an untrusted user's password guess against a password database. The naïve method of crypt()ing the password and comparing it using == is vulnerable to a timing attack that leaks the hashed password, allowing the attacker to run their own guesses offline.
An attacker timing the response of this function can guess the algorithm used for hashing, but not easily figure out the hash or right password.
Test a password against the given crypt(3) string
This is the recommended way to check an untrusted user's password guess against a password database. The naïve method of crypt()ing the password and comparing it using == is vulnerable to a timing attack that leaks the hashed password, allowing the attacker to run their own guesses offline.
An attacker timing the response of this function can guess the algorithm used for hashing, but not easily figure out the hash or right password.