Re: Password salt

To: <debian-user@lists.debian.org>
Subject: Re: Password salt
From: Rick Thomas <Rick.Thomas@pobox.com>
Date: Fri, 08 Jun 2012 02:26:35 -0700
Message-id: <[🔎] b7bfe0e229b6aeef169e2e4b1de528cf@pobox.com>
In-reply-to: <[🔎] 4FD1C074.1020208@gmail.com>
References: <[🔎] 4FD1BE86.1090203@gmail.com> <[🔎] 4FD1BFB3.1020001@qindel.com> <[🔎] 4FD1C074.1020208@gmail.com>



On Fri, 08 Jun 2012 12:05:56 +0300, Lars Noodén wrote:

On 6/8/12 12:02 PM, Alberto Fuentes wrote:

On 06/08/2012 10:57 AM, Lars Noodén wrote:

The hashed password + salt is stored in /etc/shadow.  Where is the
actual password salt for Debian stored?

Yes, I understand that the salt is different and random for each
password, but how is it stored so that the hash can be used for
authentication?  Sorry for the dumb questions.

Regards,
/Lars

The salt is stored in the password entry in the shadow file along withthe result of hash(salt+actualTextPassword).

The fact that the salt is "public" (quotes because /etc/shadow isreadable only by root in most systems) does not detract from itsusefulness. Its purpose is to multiply the necessary size of thereverse-look-up table needed in a time-vs-space tradeoff brute-forceattack.


It's all explained in this wikipedia article.
http://en.wikipedia.org/wiki/Salt_(cryptography)

Rick

Reply to:

References:
- Password salt
  - From: Lars Noodén <lars.nooden@gmail.com>
- Re: Password salt
  - From: Alberto Fuentes <alberto.fuentes@qindel.com>
- Re: Password salt
  - From: Lars Noodén <lars.nooden@gmail.com>

Prev by Date: Re: Password salt
Next by Date: security update glibc message
Previous by thread: Re: Password salt
Next by thread: security update glibc message
Index(es):
- Date
- Thread