On Sat, Aug 03, 2019 at 10:32:02AM -0400, Gene Heskett wrote:
> On Saturday 03 August 2019 10:03:18 David Wright wrote:

[...]

> > AIUI passwords are not encrypted, they're hashed.

Yep. In theory, there's no "way back" from the hash to the password.
In practice, though...

> And apparently each hash is unique? I've checked 4 machines here, and the
> shadow files entry for me is different on all 4 machines.

That's the salt. To make "reverse lookup" attacks more difficult for
"typical" passwords, some salt is added: a small random prefix, which is
typically included in the hashed password info (it better had, otherwise
you can't check the password)

Here's a typical shadow entry (somewhat modified and very much shortened,
to protect the innocent ;-)

username:$6$lU7moTub$AmalgHken:18080:0:99999:7:::
^         ^ ^        ----^---  ----^----
|         | |            |         |
|         | |            |         other stuff
|         | |            hash of (salt + password) (here shortened)
|         | salt
|         hash algorithm (6 = sha512)
user name

See man crypt(3) for details (the crypt chapter in libc's info is more
informative). The actual representation as characters is most probably
base64 encoded.

In short, yes, assuming your random number generator isn't broken, you'll
get a different salt every round and thus a different password hash.

So we hope :-)

Cheers
-- tomás
Attachment:
signature.asc
Description: Digital signature
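Added worked example (my own code, not tomás's and not glibc's): a from-scratch sha512-crypt ($6$) in Python that hashes a password with a random salt, verifies a password against a stored string, and splits a shadow line into its nine fields. It follows the published sha512-crypt construction (5000 rounds when no rounds= parameter is present, salt cut at 16 characters, crypt's own "./0-9A-Za-z" alphabet rather than real base64). The "Hello world!" / "saltstring" known-answer value is the one from that specification; the shadow line is the shortened entry from the mail above, so it can be parsed but, being cut short, will never verify; the long passphrase is a constructed sample.

```python
import hashlib
import hmac
import secrets

# crypt(3)'s own 64-character alphabet (not RFC 4648 base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # what glibc uses when the field carries no rounds=N

# Order in which sha512-crypt emits the bytes of the final 64-byte digest.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _encode(digest: bytes) -> str:
    """Pack the digest into 86 ITOA64 characters, 6 bits per character."""
    out = []
    for b2, b1, b0 in _ORDER:
        w = (digest[b2] << 16) | (digest[b1] << 8) | digest[b0]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    w = digest[63]  # the last byte stands alone and yields two characters
    for _ in range(2):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _sha512crypt_digest(pw: bytes, salt: bytes, rounds: int) -> bytes:
    """The sha512-crypt core: salted, length-dependent, iterated SHA-512."""
    plen = len(pw)
    b = hashlib.sha512(pw + salt + pw).digest()
    a = hashlib.sha512(pw + salt)
    a.update(b * (plen // 64) + b[:plen % 64])
    i = plen
    while i:  # walk the bits of the password length, lowest first
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * plen).digest()
    p = (dp * (plen // 64 + 1))[:plen]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    c = a
    for r in range(rounds):  # the cost loop that makes guessing expensive
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    return c


def sha512_crypt(password: str, salt: str = None, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a $6$ string as crypt(3) would; fresh random salt when none is given."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    salt = salt[:16]  # glibc ignores anything beyond 16 salt characters
    digest = _sha512crypt_digest(password.encode(), salt.encode(), rounds)
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else "$6$rounds=%d$" % rounds
    return prefix + salt + "$" + _encode(digest)


def split_crypt(field: str) -> dict:
    """Split '$id$[rounds=N$]salt$hash' into its parts (the mail's diagram)."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash password field")
    rounds, rest = None, parts[2:]
    if rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) < 2:
        raise ValueError("salt or hash missing")
    return {"id": parts[1], "rounds": rounds, "salt": rest[0], "hash": rest[1]}


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    meta = split_crypt(stored)
    if meta["id"] != "6":
        raise ValueError("only sha512-crypt ($6$) is implemented here")
    rounds = meta["rounds"] or DEFAULT_ROUNDS
    digest = _sha512crypt_digest(password.encode(), meta["salt"][:16].encode(), rounds)
    return hmac.compare_digest(_encode(digest), meta["hash"])


def parse_shadow_line(line: str) -> dict:
    """Name the nine colon-separated fields of one /etc/shadow line."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 fields, got %d" % len(f))
    return {"user": f[0], "password": split_crypt(f[1]), "lastchange": f[2],
            "min": f[3], "max": f[4], "warn": f[5], "inactive": f[6],
            "expire": f[7], "reserved": f[8]}


if __name__ == "__main__":
    # The shortened entry from the mail: parseable, but its hash is not real.
    print(parse_shadow_line("username:$6$lU7moTub$AmalgHken:18080:0:99999:7:::"))
    pw = "correct horse battery staple"  # constructed sample passphrase
    h1, h2 = sha512_crypt(pw), sha512_crypt(pw)
    print(h1, h2, sep="\n")
    print("different strings:", h1 != h2, "- both verify:", verify(pw, h1) and verify(pw, h2))
```

Running it shows the point of the thread: two calls on the same passphrase give two different $6$ strings because the 16-character salt is drawn from secrets each time, yet both verify, because the salt travels inside the stored field and is simply reused on the way back.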