Date: Wed, 5 Apr 2006 04:46:13 +0400
From: Solar Designer <>
Subject: Re: about salts

On Tue, Apr 04, 2006 at 06:54:09PM -0500, Dennis Olvany wrote:
> Salts are added to passwords before hashing. Does a system normally use 
> the same salt for the entire password file or is a different salt 
> generally used for each different password?

The latter.  Salts are typically picked at random.

> How does a system know which salt to use to rehash passwords in the 
> future for authentication? I suppose the system stores a mapping 
> somewhere of salts to usernames.

Salts are encoded along with hashes.  With the traditional crypt(3), the
first 2 characters of the 13-character encoding are the salt (12 bits,
for 4096 possibilities).

> Here's some output from john.
> Loaded 3 password hashes with 3 different salts (Traditional DES [24/32 4K])
> So, john can tell from the hashes that different salts are used 
> throughout the file?


This output also tells me one other thing - you're probably using a
non-MMX build of John on an x86 processor.  If so, you can get some
substantial speedup by switching to the MMX build, unless your CPU is
truly ancient.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments
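
The salt layout described in the message above, as an added example that is not part of the original post: it splits traditional crypt(3) encodings into their 2-character salt and 11-character hash, and counts hashes and distinct salts the way John's "Loaded ..." line reports them. The password-file entries are constructed sample values, not real crypt(3) output, and the function names are this example's own.

```python
import re
from collections import defaultdict

# crypt(3) base-64 alphabet: '.' = 0, '/' = 1, then 0-9, A-Z, a-z
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def split_des_crypt(encoded):
    """Return (salt_chars, salt_value, hash_chars) for a 13-char encoding."""
    if not DES_RE.match(encoded):
        raise ValueError("not a traditional crypt(3) encoding: %r" % encoded)
    salt = encoded[:2]
    # Each salt character carries 6 bits; the first one holds the low 6 bits,
    # giving a 12-bit value in the range 0..4095.
    value = ITOA64.index(salt[0]) | (ITOA64.index(salt[1]) << 6)
    return salt, value, encoded[2:]

def group_by_salt(passwd_lines):
    """Map salt -> usernames, skipping locked or non-DES entries."""
    groups = defaultdict(list)
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        try:
            salt, _, _ = split_des_crypt(fields[1])
        except ValueError:
            continue  # '*', '!', 'x', or a different hash scheme
        groups[salt].append(fields[0])
    return dict(groups)

def summary(passwd_lines):
    """Return (number of hashes, number of distinct salts)."""
    groups = group_by_salt(passwd_lines)
    return sum(len(users) for users in groups.values()), len(groups)

# Constructed sample entries (hash fields are made up for illustration).
SAMPLE = [
    "alice:abJ3kQ9xYz0Lw:1000:1000::/home/alice:/bin/sh",
    "bob:abT7mN2pRs5Vu:1001:1001::/home/bob:/bin/sh",
    "carol:./A1b2C3d4E5f:1002:1002::/home/carol:/bin/sh",
    "dave:zzQ8wE4rT6yU1:1003:1003::/home/dave:/bin/sh",
    "daemon:*:2:2::/sbin:/sbin/nologin",
]

if __name__ == "__main__":
    hashes, salts = summary(SAMPLE)
    print("Loaded %d password hashes with %d different salts" % (hashes, salts))
```

Accounts that land in the same salt group (alice and bob here) are the ones an auditor should note: a single hash computation per candidate password can be compared against all of them.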
