
Re: Hash salt (was Re: BCRYPT - Why not using it?)



On Wed, Apr 06, 2011 at 10:40:58PM -0500, Boyd Stephen Smith Jr. wrote:
> In <4D9D1B22.2010608@cox.net>, Ron Johnson wrote:
> >On 04/06/2011 08:19 PM, Aaron Toponce wrote:
> >> First, if you don't have the salt, but you do have the hash, then a
> >> rainbow table attack is completely pointless.
> >
> >The OS must store the salt somewhere, in order to correctly authenticate
> >the user when he logs in.  But I've never heard of /etc/hashsalt so what
> >am I misunderstanding?
> 
> The value stored in /etc/shadow is both the salt + the encrypted
> salt+password.  This allows a process with read access to /etc/shadow to
> easily read the shadow, encrypt the salt + provided password, and compare the
> result to the encrypted salt+password.  The salt is randomly generated each
> time the password is set, and it is (usually) different for each entry in
> /etc/shadow.

So is the salt a fixed number of characters? 

Otherwise, how would a process know which portion of the
string is the salt?

Regards,

-- 
Joel Roth
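The layout Boyd describes, as an added example that is not part of this thread: a parser that splits a crypt(3)-style shadow field into scheme, salt and digest, plus the "re-encrypt and compare" check. The sample strings are constructed, not real /etc/shadow entries; the `verify` helper assumes Python's Unix-only `crypt` module is present.

```python
"""Split a crypt(3)-style /etc/shadow password field into its parts.

The salt is fixed-length only for the traditional DES scheme (2 characters,
followed by 11 digest characters).  The modular formats used today
($1$ MD5, $5$/$6$ SHA-crypt, $2b$ bcrypt) mark the scheme and delimit the
salt with '$', so its length can vary and need not be known in advance.
"""
from typing import NamedTuple, Optional


class CryptFields(NamedTuple):
    scheme: str             # "des", "1", "5", "6", "2b", ...
    params: Optional[str]   # e.g. "rounds=10000" for SHA-crypt, "cost=12" for bcrypt
    salt: str
    digest: str


def split_crypt(field: str) -> CryptFields:
    if not field.startswith("$"):
        # Traditional DES crypt: salt is always the first two characters.
        if len(field) != 13:
            raise ValueError("not a DES crypt string")
        return CryptFields("des", None, field[:2], field[2:])
    parts = field.split("$")[1:]          # leading '$' yields an empty first element
    scheme = parts[0]
    if scheme in ("2a", "2b", "2y"):
        # bcrypt: $2b$<cost>$<22 salt chars><31 digest chars>, no separator between them.
        cost, blob = parts[1], parts[2]
        return CryptFields(scheme, f"cost={cost}", blob[:22], blob[22:])
    rest = parts[1:]
    params = None
    if rest and rest[0].startswith("rounds="):
        params = rest.pop(0)               # optional SHA-crypt iteration count
    if len(rest) != 2:
        raise ValueError("unexpected crypt format")
    salt, digest = rest
    return CryptFields(scheme, params, salt, digest)


def verify(password: str, stored: str) -> bool:
    """Re-encrypt the candidate with the stored salt and compare, as login does.

    Assumption: the Unix-only 'crypt' module is available (it is deprecated
    in recent Python releases); crypt.crypt() reads the salt out of 'stored'.
    """
    import crypt
    import hmac
    return hmac.compare_digest(crypt.crypt(password, stored), stored)


if __name__ == "__main__":
    # Constructed sample fields, not real shadow entries.
    for sample in ("abJnggxhB/yWI", "$1$Ab3dEf5g$CONSTRUCTEDDIGEST",
                   "$6$rounds=10000$VGhpc0lzU2FsdA$CONSTRUCTEDDIGEST"):
        print(split_crypt(sample))
```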

