canCryptTo

Test a password against the given crypt(3) string

This is the recommended way to check an untrusted user's password guess against a password database. The naïve method of crypt()ing the guess and comparing the result with == is vulnerable to a timing attack: == compares byte by byte and returns at the first mismatch, so the response time reveals how many leading bytes of the guess match the stored hash. By trying each position in turn, an attacker can recover the stored hash one byte at a time and then run their password guesses offline against it.

An attacker timing this function can still infer which hashing algorithm is in use, but cannot easily recover the hash or the correct password.
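The leak described above, as an added example that is not part of this page or the library it documents. It is written in C (the language of crypt(3)) rather than D so it needs no library and runs stand-alone; it never calls crypt() itself. naive_equal is the early-exit comparison that == performs, instrumented to report how many bytes it examined (the quantity a remote attacker's timer approximates); ct_equal is the constant-time comparison canCryptTo is documented as using, walking the full stored string every time; leak_hash_by_timing is a simulated attacker that sees only the oracle's step count, never the stored hash, and recovers it byte by byte. STORED is the crypt string from the page's own example; CRYPT_CHARS, the function names and the step-count oracle are this example's constructs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the MD5-crypt string from the page's example. In a real
 * server this is the stored hash; the attacker never reads it directly. */
static const char *const STORED = "$1$ZjzxeLeq$WXTi8xm9qRouh1zB8tyxX0";

/* Alphabet of crypt(3) strings: the $id$ separators plus the crypt base64 set. */
static const char *const CRYPT_CHARS =
    "$./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Naive compare (what == on two strings does): stops at the first differing
 * byte. *steps receives how many bytes were examined, which is what an
 * attacker's timer sees. */
static int naive_equal(const char *stored, const char *guess, size_t *steps)
{
    size_t i = 0;
    while (stored[i] != '\0' && stored[i] == guess[i])
        ++i;
    if (steps) *steps = i + 1;
    return stored[i] == guess[i];
}

/* Constant-time compare: always walks the full length of the stored string and
 * accumulates differences with OR, so the work depends only on the stored
 * string's length (which its $id$ prefix already makes public), never on how
 * much of the guess matched. */
static int ct_equal(const char *stored, const char *guess, size_t *steps)
{
    size_t ls = strlen(stored), lg = strlen(guess);
    const unsigned char *s = (const unsigned char *)stored;
    /* On a length mismatch, compare stored against itself so the loop still
     * runs to completion; the mismatch is recorded in diff up front. */
    const unsigned char *g = (ls == lg) ? (const unsigned char *)guess : s;
    unsigned char diff = (unsigned char)(ls != lg);
    for (size_t i = 0; i < ls; ++i)
        diff |= (unsigned char)(s[i] ^ g[i]);
    if (steps) *steps = ls;
    return diff == 0;
}

/* Simulated attacker against the naive compare. It only calls the oracle and
 * reads the step count (standing in for response time). For each position it
 * keeps the candidate byte that makes the compare run longest and stops when
 * no candidate extends the match. Returns the number of recovered bytes,
 * written NUL-terminated into out. */
static size_t leak_hash_by_timing(char *out, size_t cap)
{
    size_t k = 0;
    while (k + 1 < cap) {
        size_t best = 0;
        char best_c = 0;
        for (const char *c = CRYPT_CHARS; *c != '\0'; ++c) {
            size_t steps;
            out[k] = *c;
            out[k + 1] = '\0';
            naive_equal(STORED, out, &steps);
            if (steps > best) { best = steps; best_c = *c; }
        }
        if (best <= k + 1)   /* nothing matched beyond the known prefix: done */
            break;
        out[k++] = best_c;
    }
    out[k] = '\0';
    return k;
}

int main(void)
{
    char recovered[64];
    size_t hit, miss, n;

    /* A guess wrong only in its last byte vs one wrong in its second byte. */
    naive_equal(STORED, "$1$ZjzxeLeq$WXTi8xm9qRouh1zB8tyxX1", &hit);
    naive_equal(STORED, "$6$ZjzxeLeq$WXTi8xm9qRouh1zB8tyxX0", &miss);
    printf("naive compare examined %zu vs %zu bytes (leaks matched prefix)\n", hit, miss);

    ct_equal(STORED, "$1$ZjzxeLeq$WXTi8xm9qRouh1zB8tyxX1", &hit);
    ct_equal(STORED, "$6$ZjzxeLeq$WXTi8xm9qRouh1zB8tyxX0", &miss);
    printf("constant-time compare examined %zu vs %zu bytes\n", hit, miss);

    n = leak_hash_by_timing(recovered, sizeof recovered);
    printf("attacker recovered %zu bytes from the naive oracle: %s\n", n, recovered);
    return 0;
}
```

The attacker needs at most one query per candidate byte per position (here about 65 queries times 34 positions) to pull the whole hash out of the naive oracle; against ct_equal every query costs the same 34 steps whatever the guess, so the only thing left to learn from timing is the stored string's length and therefore its format, which matches the caveat above.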

@safe bool canCryptTo(const(char)[] password, const(char)[] crypted)

Examples

import std.stdio;
// also import the module that defines canCryptTo (not named on this page)
const password_guess = "hunter2";
const crypted = "$1$ZjzxeLeq$WXTi8xm9qRouh1zB8tyxX0"; // stored MD5-crypt ($1$) hash of "hunter2"
if (password_guess.canCryptTo(crypted))
{
	// welcomeUserIn();
}
else
{
	// kickUserOut();
	assert (false); // not reached: the guess above matches the stored hash
}
