On Mon, 30 Aug 2004, Andrew Jorgensen wrote:
> > They're probably not different. Each time you change your password, the
> > system selects a random salt which is combined with the password before
> > hashing and saved in the clear before the password hash. Its purpose is to
> > prevent exactly what you just tried - hashing every word in a dictionary to
> > see which hashes match up. With salt, you'd have to hash every word with
> > every possible salt.
>
> So is the salt stored with the hash? If so, what's the point? If not,
> where is the salt stored?

Yes, it's saved in the clear before the password hash in /etc/shadow. Its
purpose is to prevent [...] hashing every word in a dictionary to see which
hashes match up. With salt, you'd have to hash every word with every possible
salt.

Dictionary attack programs take a middle road of looking at all the salts in
the /etc/shadow file you're attacking and hashing each word in the dict with
every salt in the file and looking for matches. So for your 1 million entry
dictionary and 1000 entry /etc/shadow (each with different salt), you have to
compute 1 billion hashes instead of 1 million.

-J
____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
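As an added example, not part of the original mail: a Python sketch of the scheme described above, with SHA-256 standing in for crypt(3) and constructed user records. It shows that the salt is stored in the clear next to the hash, that two users with the same password get different stored hashes, and that the "middle road" work grows with the number of distinct salts in the file.

```python
import hashlib
import secrets

def hash_password(password: str, salt: bytes) -> str:
    """Salted hash stored as 'salt$digest': the salt sits in the clear in
    front of the digest, as the mail says /etc/shadow does. SHA-256 stands
    in for crypt(3) here; the storage idea is the same."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"

def new_record(password: str) -> str:
    """Each password (re)set picks a fresh random salt."""
    return hash_password(password, secrets.token_bytes(8))

def verify(password: str, record: str) -> bool:
    """Verification re-reads the salt from the record; no secret salt is needed."""
    salt_hex, _digest = record.split("$")
    return hash_password(password, bytes.fromhex(salt_hex)) == record

def distinct_salts(records):
    """Audit helper: how many different salts does this file actually use?"""
    return {bytes.fromhex(r.split("$")[0]) for r in records}

def dictionary_work(records, dictionary):
    """Work the 'middle road' described in the mail costs: every word is
    hashed once per distinct salt. Returns (hashes_computed, records_matched)
    so the multiplier can be measured on a constructed file."""
    table = {}
    hashed = 0
    for salt in distinct_salts(records):
        for word in dictionary:
            table[hash_password(word, salt)] = word
            hashed += 1
    matched = sum(1 for r in records if r in table)
    return hashed, matched

if __name__ == "__main__":
    # Constructed data: a four-word "dictionary" and three user records.
    words = ["password", "letmein", "qwerty", "dragon"]
    salted = [new_record("dragon"), new_record("zebra!"), new_record("letmein")]
    print("distinct salts:", len(distinct_salts(salted)))
    print("salted file  (hashes, matched):", dictionary_work(salted, words))
    # Same three passwords with one shared salt, i.e. effectively unsalted.
    fixed = bytes(8)
    shared = [hash_password(p, fixed) for p in ("dragon", "zebra!", "letmein")]
    print("shared salt  (hashes, matched):", dictionary_work(shared, words))
```

With three distinct salts the four-word dictionary costs 12 hashes, the same as the mail's 1 million words times 1000 salts; with one shared salt it costs only 4.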