Re: Hash salt (was Re: BCRYPT - Why not using it?)
On Wed, Apr 06, 2011 at 10:40:58PM -0500, Boyd Stephen Smith Jr. wrote:
> In <4D9D1B22.2010608@xxxxxxx>, Ron Johnson wrote:
> > On 04/06/2011 08:19 PM, Aaron Toponce wrote:
> > > First, if you don't have the salt, but you do have the hash, then a
> > > rainbow table attack is completely pointless.
> >
> > The OS must store the salt somewhere, in order to correctly authenticate
> > the user when he logs in. But I've never heard of /etc/hashsalt so what
> > am I misunderstanding?
>
> The value stored in /etc/shadow is both the salt + the encrypted
> salt+password. This allows a process with read access to /etc/shadow to
> easily read the shadow, encrypt the salt + provided password, and compare the
> result to the encrypted salt+password. The salt is randomly generated each
> time the password is set, and it is (usually) different for each entry in
> /etc/shadow.

So is the salt a fixed number of characters?

Otherwise, how would a process know which portion of the
string is the salt?

Regards,

--
Joel Roth


--
Archive: http://lists.debian.org/20110407043738.GA23159@sprite
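An added example, not code from this thread or from any of the posters, illustrating the mechanism Boyd describes and the format question Joel raises. In the modular crypt format that Linux has used for years, the password field is `$<id>$[rounds=N$]<salt>$<hash>`, so the salt is variable length (up to 16 characters for the `$5$`/`$6$` SHA schemes) and the `$` delimiter, not a fixed width, tells the verifier where it stops; only the traditional DES scheme relies on a fixed two-character salt at the start of its 13-character value. The code below parses such a field, recomputes SHA-512 crypt (`$6$`) from the stored salt and a candidate password, and compares. The hashing is a pure-Python rendering of Ulrich Drepper's SHA-crypt specification so that it runs without the `crypt` module; it is for illustration, not a replacement for `crypt(3)`. The sample `/etc/shadow` line is constructed, and its hash is the spec's published `$6$saltstring` / `Hello world!` test vector.

```python
"""SHA-512 crypt ("$6$") parse-and-verify in pure Python.

Added example, not code from the thread. The sample shadow line is constructed;
its hash is the "$6$saltstring" / "Hello world!" test vector from Ulrich
Drepper's SHA-crypt specification, the scheme glibc implements as "$6$".
"""
import hashlib
import hmac
from typing import NamedTuple, Optional

B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt alphabet
DEFAULT_ROUNDS = 5000
MAX_SALT_LEN = 16  # $5$/$6$ ignore salt characters beyond this

SAMPLE_SHADOW_LINE = (  # constructed: user "alice", spec test vector as the hash
    "alice:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4"
    "OTLiBFdcbYEdFCoEOfaS35inz1:15071:0:99999:7:::"
)


class ShadowHash(NamedTuple):
    scheme: str            # "6" = SHA-512 crypt, "des" = traditional 13-char crypt
    rounds: Optional[int]  # explicit rounds=N, or None when the default applies
    salt: str
    digest: str


def password_field(shadow_line: str) -> str:
    return shadow_line.split(":")[1]  # second colon-separated field of /etc/shadow


def parse_shadow_field(field: str) -> ShadowHash:
    """Recover the salt from the stored value.

    Modern entries are $<id>$[rounds=N$]<salt>$<hash>: the '$' delimiter, not a
    fixed width, marks where the variable-length salt ends. Traditional DES
    crypt has no delimiters and the salt is always the first two characters.
    """
    if not field.startswith("$"):
        return ShadowHash("des", None, field[:2], field[2:])
    parts = field.split("$")  # parts[0] is '' because the field starts with '$'
    if len(parts) == 4:
        return ShadowHash(parts[1], None, parts[2], parts[3])
    if len(parts) == 5 and parts[2].startswith("rounds="):
        return ShadowHash(parts[1], int(parts[2][7:]), parts[3], parts[4])
    raise ValueError(f"unrecognised crypt format: {field!r}")


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> bytes:
    """crypt-style base64: n chars, low 6 bits first, of a 24-bit word."""
    w, out = (b2 << 16) | (b1 << 8) | b0, bytearray()
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return bytes(out)


def _repeat_to(block: bytes, length: int) -> bytes:
    return (block * (length // len(block) + 1))[:length]  # whole blocks, then a prefix


def sha512_crypt(password: bytes, salt: str, rounds: Optional[int] = None) -> str:
    """SHA-512 crypt per Drepper's spec; returns the complete "$6$..." string."""
    H, salt_b = hashlib.sha512, salt[:MAX_SALT_LEN].encode()
    n = DEFAULT_ROUNDS if rounds is None else max(1000, min(rounds, 999_999_999))
    b = H(password + salt_b + password).digest()  # digest B
    a_ctx = H(password + salt_b + _repeat_to(b, len(password)))
    i = len(password)  # walk the bits of len(pw), lowest first: 1 -> B, 0 -> pw
    while i > 0:
        a_ctx.update(b if i & 1 else password)
        i >>= 1
    a = a_ctx.digest()  # digest A
    p = _repeat_to(H(password * len(password)).digest(), len(password))
    s = _repeat_to(H(salt_b * (16 + a[0])).digest(), len(salt_b))
    c = a  # the expensive part: n rounds mixing P, S and the running digest
    for r in range(n):
        ctx = H(p if r & 1 else c)
        if r % 3:
            ctx.update(s)
        if r % 7:
            ctx.update(p)
        ctx.update(c if r & 1 else p)
        c = ctx.digest()
    out = bytearray()  # 21 permuted byte triples, then the last byte alone
    for k in range(21):
        idx = [k, k + 21, k + 42]
        idx = idx[k % 3:] + idx[:k % 3]
        out += _b64_from_24bit(c[idx[0]], c[idx[1]], c[idx[2]], 4)
    out += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" + (f"rounds={n}$" if rounds is not None else "")
    return prefix + salt_b.decode() + "$" + out.decode()


def verify_password(password: str, field: str) -> bool:
    """What login/PAM does: take the salt from the stored value, rehash, compare."""
    entry = parse_shadow_field(field)
    if entry.scheme != "6":
        raise NotImplementedError(f"scheme {entry.scheme!r} not implemented here")
    candidate = sha512_crypt(password.encode(), entry.salt, entry.rounds)
    return hmac.compare_digest(candidate.encode(), field.encode())  # constant time
```

Running `verify_password("Hello world!", password_field(SAMPLE_SHADOW_LINE))` returns True and any other candidate returns False; nothing in the check needs to know the salt length in advance, because `parse_shadow_field` takes it from the delimiters. Two details worth noticing: `sha512_crypt` truncates the salt to 16 characters exactly as glibc does, so a stored field is only reproducible if the same truncation is applied, and the comparison is done with `hmac.compare_digest` so that a wrong guess does not leak how many leading characters matched.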