From owner-freebsd-questions Wed Aug 23 10:39: 7 2000 Delivered-To: freebsd-questions@freebsd.org Received: from smtpproxy1.mitre.org (mb-20-100.mitre.org [129.83.20.100]) by hub.freebsd.org (Postfix) with ESMTP id 50A4E37B423 for ; Wed, 23 Aug 2000 10:39:00 -0700 (PDT) Received: from avsrv1.mitre.org (avsrv1.mitre.org [129.83.20.58]) by smtpproxy1.mitre.org (8.9.3/8.9.3) with ESMTP id JAA17536 for ; Wed, 23 Aug 2000 09:04:51 -0400 (EDT) Received: from mailsrv2.mitre.org (mailsrv2.mitre.org [129.83.221.17]) by smtpsrv1.mitre.org (8.9.3/8.9.3) with ESMTP id JAA08229 for ; Wed, 23 Aug 2000 09:02:20 -0400 (EDT) Received: from mitre.org ([128.29.145.140]) by mailsrv2.mitre.org (Netscape Messaging Server 4.1) with ESMTP id FZQXO100.84D; Wed, 23 Aug 2000 09:04:49 -0400 Message-ID: <39A3CA70.7F871682@mitre.org> Date: Wed, 23 Aug 2000 08:58:25 -0400 From: "Andresen,Jason R." Organization: The MITRE Corporation X-Mailer: Mozilla 4.73 [en]C-20000509M (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: D M P Cc: Chris Fedde , freebsd-questions@FreeBSD.ORG Subject: Re: More questions about passwords [Was: Re: Encrypting a password for insertion using chpass(1)?] References: <200008210537.e7L5bNj25784@fedde.littleton.co.us> <39A36B63.7A5292F9@aracnet.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG D M P wrote: > > I was looking at the output crypt() produces, and saw that the first > eight characters of the cleartext password are visible between the > second and third $'s. From reading the assorted docs about how this > works, I'm thinking those eight characters are (forgive the lack of > proper terms) the "key" used for the original password encryption, and > are kept there so that the same key is used everytime login checks for > a password match, right? > > Assuming that I am right, logic follows that if I generated a eight > random characters to use instead, that it would still work, and the > cleartext wouldn't be seen in the cypher. My question is, how do I > input those characters? Is that the salt I pass to perl's crypt()? > Can it be any 64-bit value, or does it have to be comprised of the > 64 characters mentioned in crypt(3)? > Yes, those characters are the salt, and they can be anything you want them to be. By the way, one thing that is important is to get a truely random salt value, since pseudorandom salt values are easier to crack. This is not easy on a computer, rand() and even random() are not up to the task, and the Camel book's suggestion is terrible (they use the first few bytes of ps output piped to gzip, which is always the gzip magic number!). Generally people try something like two random bytes in the current system time munged with ps output compressed with gzip. -- _ _ _ ___ ____ ___ ______________________________________ / \/ \ | ||_ _|| _ \|___| | Jason Andresen -- jandrese@mitre.org / /\/\ \ | | | | | |/ /|_|_ | Views expressed may not reflect those /_/ \_\|_| |_| |_|\_\|___| | of the Mitre Corporation. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message