Date: Sat, 29 Dec 2001 23:00:12 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Rik <freebsd-security@rikrose.net>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: MD5 password salt calculation
Message-ID: <20011229224936.E46948-100000@catalyst.sasknow.net>
In-Reply-To: <20011230043020.A9927@spoon.pkl.net>
Rik wrote to Ryan Thompson:

Hi Rik,

> Salt is just some randomness thrown in so that you can't just make
> a standard dictionary to compare hashed passwords with. All you
> need to do is make the relevant number of random chars.

Right.. I gather it's still the convention to use $1$ to differentiate between DES/MD5, in the case where both password formats are being imported. Is $1$ pretty much caught on everywhere? I've seen it in OpenBSD and NetBSD, probably even Linux, but it's been a while since I looked.

> Personally, I just run the current time as a string (from
> strftime(3)) through the hash, and take the first couple of chars
> as an index into an array of allowable chars (modulo the size of
> the array, obviously).
>
> I'm sure someone on this list will tell us if that's a completely
> stupid way of generating salt... :-)

Well, it doesn't sound too unreasonable... (though using integer time would be faster by a mult. constant if your process is CPU bound). The approaches that I've seen use some kind of random data (like current sec+usec) passed through a char array... so I suppose that's essentially the same thing.

- Ryan

--
Ryan Thompson <ryan@sasknow.com>
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
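The "index an array of allowable chars" approach discussed in the thread, as an added C example (not code from the thread or from FreeBSD's libcrypt): it feeds the array from the kernel CSPRNG rather than the clock and builds the $1$ prefix that crypt(3) takes as its salt argument. The /dev/urandom path, the 8-character salt length and the function names are assumptions.

```c
/* Salt generation for the "$1$" (MD5-crypt) password format. Added example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The 64 characters permitted in a crypt(3) salt. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
#define SALT_ALPHABET 64
#define MD5_SALT_LEN  8   /* assumed: MD5-crypt reads at most 8 salt chars */

/* Build "$1$<salt>$" from n random bytes (1..MD5_SALT_LEN). Because 256 is a
 * multiple of 64, "byte % 64" is uniform; with a 62-char alphabet (no '.' and
 * '/') the same modulo would bias the first few characters. Returns the
 * number of characters written (without the NUL), or 0 on error. */
size_t format_md5_salt(const unsigned char *rnd, size_t n, char *out, size_t outlen)
{
    size_t i;
    if (n == 0 || n > MD5_SALT_LEN || outlen < n + 5) /* "$1$" + salt + "$" + NUL */
        return 0;
    out[0] = '$'; out[1] = '1'; out[2] = '$';
    for (i = 0; i < n; i++)
        out[3 + i] = SALT_CHARS[rnd[i] % SALT_ALPHABET];
    out[3 + n] = '$';
    out[4 + n] = '\0';
    return 4 + n;
}

/* Fill `out` with a fresh 8-char prefix from /dev/urandom (assumed present),
 * so two accounts created in the same second never share a salt. 1 = success. */
int new_md5_salt(char *out, size_t outlen)
{
    unsigned char rnd[MD5_SALT_LEN];
    size_t got;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    got = fread(rnd, 1, sizeof rnd, f);
    fclose(f);
    if (got != sizeof rnd) return 0;
    return format_md5_salt(rnd, sizeof rnd, out, outlen) == 4 + MD5_SALT_LEN;
}

/* Sanity check on a prefix before it goes to crypt(3): "$1$", 1-8 alphabet chars, "$". */
int is_valid_md5_salt(const char *s)
{
    size_t len;
    if (strncmp(s, "$1$", 3) != 0) return 0;
    len = strspn(s + 3, SALT_CHARS);
    if (len < 1 || len > MD5_SALT_LEN) return 0;
    return s[3 + len] == '$' && s[4 + len] == '\0';
}
```

Pass the resulting string as the second argument of crypt(3); the library reads the salt characters between the second and third '$' and ignores the rest.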