Re: Hash salt (was Re: BCRYPT - Why not using it?)

On Wed, Apr 06, 2011 at 06:37:38PM -1000, Joel Roth wrote:
> So is the salt a fixed number of characters?

From system to system, it varies. On my Fedora 14 virtual machine, it's 16
characters. On Debian 6.0 stable, it's 8.

> Otherwise, how would a process know which portion of the
> string is the salt?

You can read the shadow(5) manual on your Debian system to learn about the
syntax of the password. However, I'll give you the rundown:

The password is separated by '$'. The part between the first and second '$'
tells the process what algorithm to use for the hash (MD5, SHA1, bcrypt, etc.).
Between the second and third '$' is the salt itself. After the third '$' is
the hash.

. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
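
A parser for the '$'-separated field layout described in the message above, as an added example that is not part of the original post. It goes slightly beyond the message by also handling an optional `rounds=` parameter and the bcrypt layout; the function name, scheme labels and sample fields are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

# Scheme ids used by common crypt(3) implementations.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

class ShadowHash(NamedTuple):
    scheme: str
    salt: str
    digest: str
    rounds: Optional[int] = None  # cost parameter, when the field carries one

def parse_shadow_field(field: str) -> Optional[ShadowHash]:
    """Split a $id$salt$hash field; return None when it is not in that form."""
    if not field.startswith("$"):
        return None  # empty, "*", "!" (locked) or a legacy hash without '$'
    parts = field.split("$")  # parts[0] is the empty text before the first '$'
    if len(parts) < 4:
        raise ValueError("truncated hash field")
    scheme = SCHEMES.get(parts[1], "unknown:" + parts[1])
    if scheme == "bcrypt":
        # bcrypt layout: $2b$<cost>$<22-char salt><31-char hash>, no '$' between
        if len(parts[3]) != 53:
            raise ValueError("bcrypt body must be 53 characters")
        return ShadowHash(scheme, parts[3][:22], parts[3][22:], int(parts[2]))
    rounds = None
    if parts[2].startswith("rounds="):
        # the SHA-based schemes may put a round count before the salt
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
        if len(parts) < 4:
            raise ValueError("truncated hash field")
    return ShadowHash(scheme, parts[2], parts[3], rounds)

# Constructed sample fields: the salts and digests are filler, not real hashes.
SAMPLES = [
    "$1$abcdefgh$" + "B" * 22,
    "$6$Zx8qLp2RtYw4NmKd$" + "A" * 86,
    "$5$rounds=10000$saltsalt$" + "C" * 43,
    "$2b$12$" + "S" * 22 + "H" * 31,
    "!",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_shadow_field(sample))
```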
