Re: Hash salt (was Re: BCRYPT - Why not using it?)

On Wed, Apr 06, 2011 at 06:37:38PM -1000, Joel Roth wrote:
So is the salt a fixed number of characters?

From system to system, it varies. On my Fedora 14 virtual machine, it's 16
characters. On Debian 6.0 stable, it's 8.

Otherwise, how would a process know which portion of the
string is the salt?

You can read the shadow(5) manual on your Debian system to learn about the
syntax of the password. However, I'll give you the rundown:

The password is separated by '$'. Between the first and second '$' tells
the process what algorithm to use for the hash (MD5, SHA1, bcrypt, etc.).
Between the second and third '$' is the salt itself. After the third '$' is
the hash.

. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o

Attachment: signature.asc
Description: Digital signature