crypt (C)

More formally, crypt provides cryptographic key derivation functions for password validation and storage on Unix systems.

Modern Unix implementations of the crypt library routine support a variety of hash schemes.

The particular hash algorithm used can be identified by a unique code prefix in the resulting hashtext, following a de facto standard called Modular Crypt Format.[2][3][4]

The crypt() library function is also included in the Perl,[5] PHP,[6] Pike,[7] Python[8] (although it is now deprecated as of 3.11), and Ruby[9] programming languages.

To enable backward compatibility, each scheme started using some convention of serializing the password hashes that was later called the Modular Crypt Format (MCF).

[3] The original implementation of the crypt() library function[11] in Third Edition Unix[12] mimicked the M-209 cipher machine.

The traditional DES-based crypt algorithm was originally chosen because DES was resistant to key recovery even in the face of "known plaintext" attacks, and because it was computationally expensive.

Moore's Law has generally held true, so the computer speed and capacity available for a given financial investment has doubled over 20 times since Unix was first written.

Then this digest is passed through a thousand iterations of a function which rehashes it together with the passphrase and salt in a manner that varies between rounds.

The fixed iteration count has caused this scheme to lose the computational expense that it once enjoyed and variable numbers of rounds are now favoured.

In June 2012, Poul-Henning Kamp declared the algorithm insecure and encouraged users to migrate to stronger password scramblers.[14]

Niels Provos and David Mazières designed a crypt() scheme called bcrypt based on Blowfish, and presented it at USENIX in 1999.[15]

The printable form of these hashes starts with $2$, $2a$, $2b$, $2x$ or $2y$ depending on which variant of the algorithm is used. Blowfish is notable among block ciphers for its expensive key setup phase.

In light of these facts, Ulrich Drepper of Red Hat led an effort to create a scheme based on the SHA-2 (SHA-256 and SHA-512) hash functions.

Its design is similar to the MD5-based crypt, with a few notable differences:[21] The specification and sample code have been released into the public domain; it is often referred to as "SHAcrypt".
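The prefix-based identification described above can be used to audit stored hashes for schemes whose cost is fixed. The following is an added example, not code from the article or from any crypt implementation; the ids `1`, `5` and `6`, the 25-iteration DES figure and the SHAcrypt default of 5000 rounds are assumptions taken from common practice rather than from this page, and the sample records are constructed.

```python
import re

BCRYPT_IDS = {"2", "2a", "2b", "2x", "2y"}          # variants named in the text above
SHA_IDS = {"5": "sha256crypt", "6": "sha512crypt"}  # common MCF ids, not listed on this page
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")           # traditional DES: 2 salt + 11 hash chars

def classify(hashtext):
    """Return (scheme, work_factor, fixed_cost) for one crypt() hash string."""
    if not hashtext.startswith("$"):
        if DES_RE.fullmatch(hashtext):
            return ("descrypt", 25, True)            # 25 chained DES encryptions, not tunable
        return ("unknown", None, True)
    fields = hashtext.split("$")                     # ['', id, param-or-salt, ...]
    ident = fields[1]
    if ident == "1":                                 # MD5-based crypt (common id, assumed)
        return ("md5crypt", 1000, True)              # the fixed thousand iterations
    if ident in BCRYPT_IDS and len(fields) > 2 and fields[2].isdigit():
        return ("bcrypt", 2 ** int(fields[2]), False)  # cost field is log2 of the rounds
    if ident in SHA_IDS and len(fields) > 2:
        m = re.fullmatch(r"rounds=(\d+)", fields[2])
        return (SHA_IDS[ident], int(m.group(1)) if m else 5000, False)  # 5000 = default
    return ("unknown", None, True)

def audit(shadow_lines):
    """List (user, scheme) for accounts whose hash uses a fixed-cost or unknown scheme."""
    flagged = []
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        hashtext = field.lstrip("!")                 # a leading '!' marks a locked account
        if hashtext in ("", "*"):                    # no password hash stored
            continue
        scheme, _, fixed_cost = classify(hashtext)
        if fixed_cost:
            flagged.append((user, scheme))
    return flagged

# Constructed shadow-style records; the hash bodies are filler, not real digests.
SAMPLE = [
    "alice:$6$rounds=100000$saltsalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "bob:$1$saltsalt$" + "B" * 22 + ":19000:0:99999:7:::",
    "carol:abCDEFGHIJKLM:19000:0:99999:7:::",
    "dave:$2b$12$" + "C" * 53 + ":19000:0:99999:7:::",
    "eve:!:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme} has a fixed cost; rehash with a tunable scheme at next login")
```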

[29] The GNU C Library (glibc) used by almost all Linux distributions provides an implementation of the crypt function which supports the DES, MD5, and (since version 2.7) SHA-2 based hashing algorithms mentioned above.

Ulrich Drepper, the glibc maintainer, rejected bcrypt (scheme 2) support since it isn't approved by NIST.

The traditional DES code is based on the BSD FreeSec, with modification to be compatible with the glibc UFC-Crypt.