Re: Hashed PW's more secure than encrypted PW's?

From: Bernd Eckenfels (ecki-news2002-06@lina.inka.de)
Date: 06/19/02


From: Bernd Eckenfels <ecki-news2002-06@lina.inka.de>
Date: 19 Jun 2002 00:19:41 GMT

sakky <sakhalinrf@hotmail.com> wrote:
> So then this salt must be in plain text somewhere. Where would it be? Can
> I see it?

For traditional unix crypt it is the first two letters in the password hash.

BTW: this is well documented in the crypt(3) man page. On systems with good
man pages, i.e. freeBSD you can also read about the advanced hashings with
modular ciphers.

> Would you happen to know some examples of some Unix flavors that do it this
> way as opposed to DES?

Linux starting with the shadow suite, all Systems supporting PAM (Linux,
Solaris). The FreeBSD has a modular password hashing. Even apache nowadays
uses the md5 hashes.

> Which field is the salt?

it is part of the encrypted password field, for crypt it is the first 2
chars. md5 password fields start with $1$ then you will find the salt (max 8
chars) and then a $ again. and then the result of the hash

$1$xxYe4beH$Lp5.QlD8M2NSeDiaY7fCL1

this is the password test with the salt xxYe4beH

For the detailed program constructing the hash, see for example:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/modules/pam_unix/md5_crypt.c?rev=1.2&content-type=text/vnd.viewcvs-markup

Greetings
Bernd



Relevant Pages

  • Re: Hashed PWs more secure than encrypted PWs?
    ... > So then this salt must be in plain text somewhere. ... For traditional unix crypt it is the first two letters in the password hash. ... it is part of the encrypted password field, for crypt it is the first 2 ...
    (comp.security.unix)
  • Re: Best way to encrypt password in database.
    ... Yep, that's the traditional way to do it, hash the password every logon ... If you password hashes ... Oh and BTW, never use MD5 for anything security related, it is broken ... Any of these one way hashes still needs a salt combined with it. ...
    (comp.lang.php)
  • Re: Best way to encrypt password in database.
    ... Yep, that's the traditional way to do it, hash the password every logon ... If you password hashes ... Oh and BTW, never use MD5 for anything security related, it is broken ... Any of these one way hashes still needs a salt combined with it. ...
    (comp.lang.php)
  • Re: Best way to encrypt password in database.
    ... Yep, that's the traditional way to do it, hash the password every logon ... If you password hashes ... The fix is to add a salt to thwart the rainbow tables and a have the ... Oh and BTW, never use MD5 for anything security related, it is broken ...
    (comp.lang.php)
  • A key stretching algorithm with pre-shared keyword for symmetric encryption
    ... I'd like to discuss a key stretching algorithm for symmetric encryption for secure file exchange with pre-shared keywords. ... My idea is to use an intermediate key and two different salt where the final key hash will be computed in two separate hashing sessions but additionally inside each hashing session the salt will be altered also by a special function, in the example Python listing below just two simple byte swap of hash values followed by a bit-wise exclusive or calculation in order to generate a "rolling" salt. ...
    (sci.crypt)