Re: Hash salt (was Re: BCRYPT - Why not using it?)
On Wed, Apr 06, 2011 at 10:40:58PM -0500, Boyd Stephen Smith Jr. wrote:
> In <[🔎] 4D9D1B22.2010608@cox.net>, Ron Johnson wrote:
> >On 04/06/2011 08:19 PM, Aaron Toponce wrote:
> >> First, if you don't have the salt, but you do have the hash, then a
> >> rainbow table attack is completely pointless.
> >
> >The OS must store the salt somewhere, in order to correctly authenticate
> >the user when he logs in. But I've never heard of /etc/hashsalt so what
> >am I misunderstanding?
>
> The value stored in /etc/shadow is both the salt + the encrypted
> salt+password. This allows a process with read access to /etc/shadow to
> easily read the shadow, encrypt the salt + provided password, and compare the
> result to the encrypted salt+password. The salt is randomly generated each
> time the password is set, and it (usually) different for each entry in
> /etc/shadow.
So is the salt a fixed number of characters?
Otherwise, how would a process know which portion of the
string is the salt?
Regards,
--
Joel Roth
Reply to: