Password salt

On 6/8/12 12:02 PM, Alberto Fuentes wrote:

On 06/08/2012 10:57 AM, Lars Noodén wrote:

The hashed password + salt is stored in /etc/shadow. Where is the
actual password salt for Debian stored?

Regards,
/Lars

From what i see, the password salt is different for each password... so
i guess its different each time a password is generated. It makes sense
since its saved along the password itself, so its more secure than
having a single salt, at no extra cost

greets!
aL

Yes, I understand that the salt is different and random for each
password, but how is it stored so that the hash can be used for
authentication? Sorry for the dumb questions.

Regards,
/Lars


To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact
Archive: http://lists.debian.org/

On 06/08/2012 10:57 AM, Lars Noodén wrote:

The hashed password + salt is stored in /etc/shadow. Where is the
actual password salt for Debian stored?

Regards,
/Lars

From what i see, the password salt is different for each password... so
i guess its different each time a password is generated. It makes sense
since its saved along the password itself, so its more secure than
having a single salt, at no extra cost

greets!
aL


To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact
Archive: http://lists.debian.org/

On 06/08/2012 11:05 AM, Lars Noodén wrote:

On 6/8/12 12:02 PM, Alberto Fuentes wrote:

On 06/08/2012 10:57 AM, Lars Noodén wrote:

The hashed password + salt is stored in /etc/shadow. Where is the
actual password salt for Debian stored?

Regards,
/Lars

From what i see, the password salt is different for each password... so
i guess its different each time a password is generated. It makes sense
since its saved along the password itself, so its more secure than
having a single salt, at no extra cost

greets!
aL

Yes, I understand that the salt is different and random for each
password, but how is it stored so that the hash can be used for
authentication? Sorry for the dumb questions.

Regards,
/Lars

Oh, i misunderstand your question.

Well, as i understand it it, the password has 3 parts, differenced with a $.
$ the kind of hash $ salt $ hash


To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact
Archive: http://lists.debian.org/

On Fri, 08 Jun 2012 12:05:56 +0300, Lars Noodén wrote:

On 6/8/12 12:02 PM, Alberto Fuentes wrote:

On 06/08/2012 10:57 AM, Lars Noodén wrote:

The hashed password + salt is stored in /etc/shadow. Where is the
actual password salt for Debian stored?

Yes, I understand that the salt is different and random for each
password, but how is it stored so that the hash can be used for
authentication? Sorry for the dumb questions.

Regards,
/Lars

The salt is stored in the password entry in the shadow file along with
the result of hash(salt+actualTextPassword).

The fact that the salt is "public" (quotes because /etc/shadow is
readable only by root in most systems) does not detract from its
usefulness. Its purpose is to multiply the necessary size of the
reverse-look-up table needed in a time-vs-space tradeoff brute-force
attack.

It's all explained in this wikipedia article.
http://en.wikipedia.org/wiki/Salt_(cryptography)

Rick


To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact
Archive: http://lists.debian.org/