Differences between current version and revision by previous author of PasswordEncryption.
Other diffs: Previous Major Revision, Previous Revision, or view the Annotated Edit History
Newer page: | version 2 | Last edited on Monday, September 1, 2003 1:21:35 am | by AristotlePagaltzis | |
Older page: | version 1 | Last edited on Sunday, August 10, 2003 4:07:50 pm | by PerryLorier | Revert |
@@ -3,19 +3,12 @@
Under unix this is done with the crypt(3) function call, and passwords are usually stored either covered by a one way hash using DES, SHA-1 or MD5.
A problem with just hashing passwords is that people can take a dictionary of commonly used passwords and hash them all, then when they get a password file[1] they can compare the passwords in the password file against their list of hashes to find common passwords. To combat this people add "salt" to their password, ie: they add a random prefix to the password when they encrypt it, and then check to see if it's the same.
-For example, if we're using the password "
samsam"
we might add the salt of "
q6"
+For example, if we're using the password __
samsam__
we might add the salt of __
q6__. So we hash __q6samsam__ and get __LHtEJQdGJW2__. Then we put the salt onto the beginning of this string to give us __q6LHtEJQdGJW2__, and this would go into the password file.
-so we hash "
q6samsam"
and get "
LHtEJQdGJW2"
+When someone logs in we want to check to see if the password they presented is the same as in the password file,
so we take the password
hash in the password file __q6LHtEJQdGJW2__, remove the first two letters (q6), add them to the beginning of password that the user entered (samsam), and hash __
q6samsam__
and get __
LHtEJQdGJW2__, we compare this against the rest of the password hash, see that it's a match, and then let !SamJenson login.
-then we put the salt onto the beginning of this string to give us:
- q6LHtEJQdGJW2
-
-and this would go into the password file.
-
-When someone logs in we want to check to see if the password they presented is the same as in the password file, so we take the password hash in the password file "q6LHtEJQdGJW2", remove the first two letters (q6), add them to the beginning of password that the user entered (samsam), and hash "q6samsam" and get "LHtEJQdGJW2", we compare this against the rest of the password hash, see that it's a match, and then let SamJenson login.
-
-
There are 4096 different possible salts under unix
, which means that while you could generate a huge password hash list , it would have to be 4096 times larger than a normal one. Microsoft Windows
doesn't use salts for it's
passwords and is venerable
to this kind of attack.
+There are 4096 different possible salts under Unix
, which means that while you could generate a huge password hash list, it would have to be 4096 times larger than a normal one. Nowadays, though, this is hardly a hindrance anymore. MicrosoftWindows
doesn't use salts for its
passwords and is more vulnerable
to this kind of attack.
----
[1]: Much harder to do now that everyone has shadow files.