Date: Wed, 5 Apr 2006 04:46:13 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: about salts

On Tue, Apr 04, 2006 at 06:54:09PM -0500, Dennis Olvany wrote:
> Salts are added to passwords before hashing. Does a system normally use 
> the same salt for the entire password file or is a different salt 
> generally used for each different password?

The latter.  Salts are typically picked at random.

> How does a system know which salt to use to rehash passwords in the 
> future for authentication? I suppose the system stores a mapping 
> somewhere of salts to usernames.

Salts are encoded along with hashes.  With the traditional crypt(3), the
first 2 characters of the 13-character encoding are the salt (12 bits,
for 4096 possibilities).

> Here's some output from john.
> 
> Loaded 3 password hashes with 3 different salts (Traditional DES [24/32 4K])
> 
> So, john can tell from the hashes that different salts are used 
> throughout the file?

Yes.

This output also tells me one other thing - you're probably using a
non-MMX build of John on an x86 processor.  If so, you can get some
substantial speedup by switching to the MMX build, unless your CPU is
truly ancient.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
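
Added example, not part of the original message and not code from John the Ripper: a sketch of how the 2-character salt is read back out of each 13-character traditional crypt(3) encoding, and how counting distinct salts across a password file gives a "N password hashes with M different salts" summary. The function names and the sample entries are constructed for illustration, and the hash characters are made up rather than computed from any password.

```python
# Added example: split traditional crypt(3) encodings into salt and hash.
from collections import defaultdict

# crypt(3) base-64 alphabet; each character carries 6 bits.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ATOI64 = {c: i for i, c in enumerate(ITOA64)}

def parse_des_crypt(encoded):
    """Return (salt_chars, salt_value, hash_chars) for a 13-character encoding."""
    if len(encoded) != 13 or any(c not in ATOI64 for c in encoded):
        raise ValueError("not a traditional crypt(3) encoding")
    # 11 hash characters hold 66 bits but the DES output is 64 bits,
    # so the low 2 bits of the last character are always zero.
    if ATOI64[encoded[12]] & 3:
        raise ValueError("padding bits set in last character")
    salt = encoded[:2]
    # First character is the low 6 bits, second the high 6 bits: 12 bits total.
    value = ATOI64[salt[0]] | (ATOI64[salt[1]] << 6)
    return salt, value, encoded[2:]

def summarize(passwd_lines):
    """Group usernames by salt; return (hash_count, salt_count, groups)."""
    groups = defaultdict(list)
    loaded = 0
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        try:
            _, value, _ = parse_des_crypt(fields[1])
        except ValueError:
            continue  # locked, empty or non-DES entries are skipped
        groups[value].append(fields[0])
        loaded += 1
    return loaded, len(groups), dict(groups)

# Constructed sample entries (made-up hash characters, no real passwords).
SAMPLE = [
    "alice:abJ3kQ9xLmT2E:1001:1001::/home/alice:/bin/sh",
    "bob:abz8WpR1dYv0c:1002:1002::/home/bob:/bin/sh",    # same salt as alice
    "carol:./Tq4HsB7nKeU:1003:1003::/home/carol:/bin/sh",
    "dave:zzM5cX2rFgPw.:1004:1004::/home/dave:/bin/sh",
    "nobody:*:65534:65534::/nonexistent:/bin/false",     # locked, not a hash
]

if __name__ == "__main__":
    loaded, salts, groups = summarize(SAMPLE)
    print(f"{loaded} password hashes with {salts} different salts")
    for value, users in sorted(groups.items()):
        print(f"salt {value:4d} of 4096: {', '.join(users)}")
```

Two entries that share a salt, as alice and bob do here, can be tested against each candidate password with a single hash computation, which is why the number of distinct salts matters as well as the number of hashes.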
