Date: Wed, 23 Aug 2000 08:58:25 -0400
From: "Andresen,Jason R." <jandrese@mitre.org>
To: D M P <dmp@aracnet.com>
Cc: Chris Fedde <chris@fedde.littleton.co.us>, freebsd-questions@FreeBSD.ORG
Subject: Re: More questions about passwords [Was: Re: Encrypting a password for insertion using chpass(1)?]
Message-ID: <39A3CA70.7F871682@mitre.org>
References: <200008210537.e7L5bNj25784@fedde.littleton.co.us> <39A36B63.7A5292F9@aracnet.com>
D M P wrote:
>
> I was looking at the output crypt() produces, and saw that the first
> eight characters of the cleartext password are visible between the
> second and third $'s. From reading the assorted docs about how this
> works, I'm thinking those eight characters are (forgive the lack of
> proper terms) the "key" used for the original password encryption, and
> are kept there so that the same key is used every time login checks for
> a password match, right?
>
> Assuming that I am right, logic follows that if I generated an eight
> random characters to use instead, that it would still work, and the
> cleartext wouldn't be seen in the cipher. My question is, how do I
> input those characters? Is that the salt I pass to perl's crypt()?
> Can it be any 64-bit value, or does it have to be comprised of the
> 64 characters mentioned in crypt(3)?
>

Yes, those characters are the salt, and they can be anything you want
them to be.

By the way, one thing that is important is to get a truly random salt
value, since pseudorandom salt values are easier to crack. This is not
easy on a computer: rand() and even random() are not up to the task, and
the Camel book's suggestion is terrible (they use the first few bytes of
ps output piped to gzip, which is always the gzip magic number!).
Generally people try something like two random bytes in the current
system time munged with ps output compressed with gzip.

-- 
  _   _  ___  _____  ___  ______________________________________
 / \ / \|_ _||_   _||  _ \|___|  | Jason Andresen -- jandrese@mitre.org
/ /\/\ \ | |   | |  | |/ /|_|_   | Views expressed may not reflect those
/_/  \_\|_|   |_|  |_|\_\|___|   | of the Mitre Corporation.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
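The following is an added example (not part of the thread above, and not from either poster) showing the mechanics the reply describes: drawing the salt from the kernel's random device rather than rand(), restricting it to the 64-character crypt(3) alphabet, passing it to Perl's crypt() in the "$1$salt$" form the question refers to, and verifying a password against the stored hash. It assumes a libc whose crypt(3) supports MD5-crypt ("$1$") and a readable /dev/urandom; the function names, the sample password and the salt length of 8 are this example's own choices.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
# Generate an MD5-crypt ($1$) password hash with a salt drawn from
# /dev/urandom instead of rand()/random(), then verify against it.
use strict;
use warnings;

# The 64-character salt alphabet named in crypt(3): [a-zA-Z0-9./]
my @alphabet = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Read exactly $n bytes from the kernel random device. Dies rather than
# silently falling back to a weaker source if the device is unavailable.
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    binmode($fh);
    my $buf = '';
    while (length($buf) < $n) {
        my $got = sysread($fh, $buf, $n - length($buf), length($buf));
        die "short read from /dev/urandom: $!" unless defined $got && $got > 0;
    }
    close($fh);
    return $buf;
}

# Map each random byte onto the salt alphabet. 256 is a multiple of 64,
# so "byte % 64" selects every character with equal probability.
sub make_salt {
    my ($len) = @_;   # 8 for MD5-crypt in this example (assumption)
    return join '', map { $alphabet[ord($_) % 64] } split //, random_bytes($len);
}

# Hash a password in MD5-crypt format with a fresh 8-character salt.
# The returned string embeds the salt between the second and third '$',
# which is what makes later verification possible.
sub hash_password {
    my ($plain) = @_;
    my $salt = make_salt(8);
    my $hash = crypt($plain, '$1$' . $salt . '$');
    # A libc without $1$ support would treat the setting as a DES salt and
    # return a 13-character DES hash; refuse to store that by mistake.
    die "crypt(3) did not produce an MD5-crypt hash on this system"
        unless defined $hash && $hash =~ /^\$1\$[a-zA-Z0-9.\/]{1,8}\$/;
    return $hash;
}

# Verification passes the stored hash itself as the salt argument; crypt()
# reads the "$1$salt$" prefix back out of it and recomputes the rest.
sub check_password {
    my ($plain, $stored) = @_;
    my $recomputed = crypt($plain, $stored);
    return defined $recomputed && $recomputed eq $stored;
}

my $hash = hash_password('correct horse');   # constructed sample password
print "$hash\n";
print check_password('correct horse', $hash) ? "match\n"    : "no match\n";
print check_password('wrong guess',   $hash) ? "match\n"    : "no match\n";
```

Running it twice prints two different hashes for the same password, since each call draws a new salt; both still verify, because the salt is read back from the stored hash rather than remembered anywhere else.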
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39A3CA70.7F871682>