On Tue, 2006-07-04 at 07:15 +0200, Paul de Weerd wrote:
> | So, you are suggesting using something other than the hash stored in
> | OpenBSD's master.passwd then?
>
> Why exactly would we need another hash ?

Because the hashes in master.passwd are salted, as you come to realise
yourself further down in your post.

> | If not try this:
> | Add a user, nothing special.
> | Record the hash from master.passwd
> | Log in as the test user.
> | Change "your" password.
> | Change it back.
> | Compare the hashes.
> | Different eh?
>
> How come these are different ? What happened ? It's still the same
> password, right ? How can one string hash to two different outputs ?

Because the hashes in master.passwd are salted, as you come to realise
yourself further down in your post.

> | So you need to change to a less secure password hash method.
>
> Why ?

Because the hashes in master.passwd are salted, as you come to realise
yourself further down in your post.

> Your password is not hashed as-is. A salt is added (for extra flavour)
> before hashing.

Quite.

Cheers
Steffen.
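
The change-it-and-change-it-back experiment from the thread, as an added example that is not part of the original message. Assumptions: PBKDF2-HMAC-SHA256 stands in for the system's password hash, and the `rounds$salt$digest` record format and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

ROUNDS = 50_000  # constructed work factor for the stand-in KDF


def make_entry(password, salt=None):
    """Build a 'rounds$salt$digest' record; a fresh random salt is drawn by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    fields = [str(ROUNDS), base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)  # '$' never occurs in base64 output, so it is a safe separator


def verify(password, entry):
    """Re-hash the candidate with the salt stored in the record, then compare."""
    rounds, salt_b64, digest_b64 = entry.split("$")
    salt = base64.b64decode(salt_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(rounds))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def change_and_change_back(original, temporary):
    """Replay the experiment: set a password, change it, change it back."""
    first = make_entry(original)    # record taken after adding the user
    middle = make_entry(temporary)  # after changing the password
    last = make_entry(original)     # after changing it back
    return first, middle, last


if __name__ == "__main__":
    first, middle, last = change_and_change_back("correct horse", "something else")
    print(first)
    print(last)
    print("records identical:", first == last)
    print("both verify:", verify("correct horse", first), verify("correct horse", last))
```

The two records for the same password differ only because each carries its own salt; verification still works because the salt is stored in the record and reused when the candidate is hashed.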