
Re: odd passwd problem.



On Sat, Aug 03, 2019 at 10:32:02AM -0400, Gene Heskett wrote:
> On Saturday 03 August 2019 10:03:18 David Wright wrote:

[...]

> > AIUI passwords are not encrypted, they're hashed.

Yep. In theory, there's no "way back" from the hash to the
password. In practice, though...

> And apparently each hash is unique? I've checked 4 machines here, and the 
> shadow files entry for me is different on all 4 machines.

That's the salt. To make "reverse lookup" attacks more difficult
for "typical" passwords, some salt is added: a small random prefix,
which is typically included in the hashed password info (it better
had, otherwise you can't check the password)

Here's a typical shadow entry (somewhat modified and very much
shortened, to protect the innocent ;-)

  username:$6$lU7moTub$AmalgHken:18080:0:99999:7:::
     ^      ^ ----^--- ----^----
     |      |     |        |      other stuff
     |      |     |        hash of (salt + password) (here shortened)
     |      |     salt
     |      hash algorithm (6 = sha512)
     user name

See man crypt(3) for details (the crypt chapter in libc's info is more
informative). The actual representation as characters is most probably
base64 encoded.

In short, yes, assuming your random number generator isn't broken,
you'll get a different salt every round and thus a different password
hash. So we hope :-)

Cheers
-- tomás
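
The field layout described in the message above, as an added example that is not part of the original post: a small parser that splits a shadow line into user, scheme, salt and hash, so entries copied from several machines can be compared by salt. The function names and host labels are hypothetical, and every sample entry except the message's own shortened one is constructed.

```python
from typing import NamedTuple, Optional

# Scheme ids as listed in crypt(5); only "$id$[rounds=N$]salt$hash" is split here.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

class ShadowHash(NamedTuple):
    user: str
    scheme: str              # "sha512crypt", ..., "no-hash" or "unknown"
    salt: Optional[str]
    digest: Optional[str]
    rounds: Optional[int]    # None means the scheme's default cost

def parse_shadow_line(line: str) -> ShadowHash:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    # Empty, "*", "!" or "!<hash>": no usable password hash (unset or locked).
    if pw in ("", "*") or pw.startswith("!"):
        return ShadowHash(user, "no-hash", None, None, None)
    parts = pw.split("$")    # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if parts[0] != "" or len(parts) < 4 or parts[1] not in SCHEMES:
        return ShadowHash(user, "unknown", None, None, None)
    rest, rounds = parts[2:], None
    # Optional cost parameter used by the SHA-based schemes.
    if rest[0].startswith("rounds=") and rest[0][7:].isdigit():
        rounds, rest = int(rest[0][7:]), rest[1:]
    if len(rest) != 2:
        return ShadowHash(user, "unknown", None, None, None)
    return ShadowHash(user, SCHEMES[parts[1]], rest[0], rest[1], rounds)

def salts_by_host(lines_by_host: dict) -> dict:
    """Map host label -> salt for one user's entry copied from each host."""
    return {h: parse_shadow_line(l).salt for h, l in lines_by_host.items()}

# Constructed sample data: the message's shortened entry plus made-up variants.
SAMPLE = {
    "host1": "username:$6$lU7moTub$AmalgHken:18080:0:99999:7:::",
    "host2": "username:$6$rounds=5000$k3Jq.Rz0$BnotAreal:18080:0:99999:7:::",
    "host3": "username:!:18080:0:99999:7:::",
}

if __name__ == "__main__":
    for host, salt in salts_by_host(SAMPLE).items():
        print(host, salt)   # differing salts explain differing hash fields
```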
