On Fri, 1 Jun 2001, Izak Burger wrote: [cut]
> The "salt" is some random value that is used in the encryption > algorithm, two-characters chosen from the set [a-zA-Z0-9./]. These > two characters are then stored as the first two characters of the crypted > password. That way, when you log in, the password you type along with the > first two characters of the crypted password is handed to crypt(). If the > resulting string is the same as the stored encrypted password, you are > allowed to log in. (nitpicking: it's technically not encrypting the password -- it's hashing) As an additional comment, the reason for doing this is to make dictionary attacks harder. Without the salt, an attacker could produce a database of common words, names, etc. (whatever things people often use for passwords) along with their hashed values, and then compare the database contents with the contents of /etc/shadow. With the salt, the attacker would need a database with his/her wordlist along with hashed values for all possible salt values, which would be very expensive (computationally and space-wise). Of course, just because the system uses a salt doesn't mean you can feel safe using a common word as your password. Another reason for salting is that if two users happen to use the same password (which shouldn't happen if they followed good password selection rules) you wouldn't want either user to know about this by looking at /etc/shadow. -- Hubert Chan Research Associate Prediction in Interacting Systems (MITACS-PINTS) University of Alberta Office: CAB 522 Ph: 492-4394 e-mail: [EMAIL PROTECTED]