Re: Password encrypting
On Wed, 30 May 2001, Robert Magier wrote:

> Values of encrypted passwords are different each time I use makepasswd.
> So, how does the login program check my password?
> I tested if I can log in to the system for each of these values (I wrote it down to /etc/shadow) and I could.

The crypt() function takes a salt value:

    char *crypt(const char *key, const char *salt);

The salt is some random value that is used in the encryption algorithm, two characters chosen from the set [a-zA-Z0-9./]. These two characters are then stored as the first two characters of the crypted password. That way, when you log in, the password you type along with the first two characters of the crypted password is handed to crypt(). If the resulting string is the same as the stored encrypted password, you are allowed to log in.

regards,
Izak

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Izak Burger ([EMAIL PROTECTED])
http://www.cs.sun.ac.za/
Tel. +27 21 808 4863
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
A big enough hammer can usually fix anything.
Re: Password encrypting
On Fri, 1 Jun 2001, Izak Burger wrote:

[cut]

> The salt is some random value that is used in the encryption algorithm, two characters chosen from the set [a-zA-Z0-9./]. These two characters are then stored as the first two characters of the crypted password. That way, when you log in, the password you type along with the first two characters of the crypted password is handed to crypt(). If the resulting string is the same as the stored encrypted password, you are allowed to log in.

(nitpicking: it's technically not encrypting the password -- it's hashing)

As an additional comment, the reason for doing this is to make dictionary attacks harder. Without the salt, an attacker could produce a database of common words, names, etc. (whatever things people often use for passwords) along with their hashed values, and then compare the database contents with the contents of /etc/shadow. With the salt, the attacker would need a database with his/her wordlist along with hashed values for all possible salt values, which would be very expensive (computationally and space-wise). Of course, just because the system uses a salt doesn't mean you can feel safe using a common word as your password.

Another reason for salting is that if two users happen to use the same password (which shouldn't happen if they followed good password selection rules) you wouldn't want either user to know about this by looking at /etc/shadow.

--
Hubert Chan
Research Associate
Prediction in Interacting Systems (MITACS-PINTS)
University of Alberta
Office: CAB 522
Ph: 492-4394
e-mail: [EMAIL PROTECTED]
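The check described in the two replies above, as an added example that is not part of the original thread. SHA-256 stands in for the real crypt() hash (an assumption, so the sketch runs without libcrypt), and `toy_crypt`, `make_entry`, `verify` and `unsalted_table_hits` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import string

# Salt alphabet from the thread: [a-zA-Z0-9./], 64 characters, so 64**2 = 4096 salts.
SALT_CHARS = string.ascii_letters + string.digits + "./"

def toy_crypt(key, salt):
    """Stand-in for crypt(key, salt); SHA-256 replaces the real hash (assumption).
    Like crypt(), only the first two salt characters count and they prefix the result."""
    salt = salt[:2]
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must start with two characters from [a-zA-Z0-9./]")
    return salt + hashlib.sha256((salt + key).encode()).hexdigest()

def make_entry(password):
    """What a makepasswd-style tool does: pick a fresh random salt, then hash."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(2))
    return toy_crypt(password, salt)

def verify(typed, stored):
    """What login does: hand the stored string to the hash as the salt,
    then compare the result with the stored string."""
    try:
        candidate = toy_crypt(typed, stored)
    except ValueError:
        return False  # locked or malformed entry such as "*"
    return hmac.compare_digest(candidate.encode(), stored.encode())

def unsalted_table_hits(wordlist, entries):
    """Look entries up in a table precomputed for one fixed salt ("aa").
    Only entries that happen to carry that salt can match."""
    table = {toy_crypt(word, "aa"): word for word in wordlist}
    return [table[e] for e in entries if e in table]

if __name__ == "__main__":
    # Constructed sample data: five entries for the same password, as in the question.
    entries = [make_entry("test") for _ in range(5)]
    for entry in entries:
        print(entry[:14] + "...", verify("test", entry), verify("tset", entry))
    print("hits from a single-salt table:",
          unsalted_table_hits(["test", "password"], entries))
    print("salts to precompute per word:", len(SALT_CHARS) ** 2)
```
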
Password encrypting
I wonder how password encryption works.

At first I thought that this looks something like this:

Encrypted passwords are kept in /etc/shadow. When I want to log in, my password is crypted and then compared with the one in /etc/shadow. This happens because there is no (back-working) crypt function; this is normal, I think :)

But I did something like this. Using makepasswd, I generated the encrypted password of test five times:

    makepasswd --clearfrom=test --crypt
    test og3NysIaK3F2Q
    test Xt9Haq8tgqcBs
    test zAh5NM1W8IxC6
    test Rm.d1pCc..Lfc
    test xSOOXEb6t2r6E

Values of encrypted passwords are different each time I use makepasswd. So, how does the login program check my password? I tested if I can log in to the system for each of these values (I wrote it down to /etc/shadow) and I could.

HOW does it work?

--
ROBERT MAGIER