
Re: [cobalt-security] booting password crackers...



Thank you -- very useful information indeed. I have not tested it, but I
assume that htpasswd and the Perl crypt automatically and randomly generate
the salt before doing the encryption and storing.

On 29 May 2000 02:32:17 +0200, jk@xxxxxxxxxxxx (Jens Kristian Søgaard) wrote:

:>Mike Vanecek <nospam99@xxxxxxxxxxxx> writes:
:>
:>> Why is it that when I use this url to generate passwords for userid root and
:>> password "hahaha really think weare sooo damn stupid" that I get different
:>> results each time?:
:>
:>> root:upWhLNhcx8XnA
:>> root:fdEFJIU.vqXV6
:>
:>> Obviously, the encryption algorithm has some randomness to it??
:>
:>What you see is the effect of the so-called "salt" that was introduced
:>to the Unix password protection scheme by Morris (you remember, his
:>son was the guy that broke the internet with the internet worm).
:>
:>To take the first example you give:
:>
:>        root:upWhLNhcx8XnA
:>
:>Here
:>
:>        root
:>
:>is the username
:>
:>        :
:>
:>separates parts in a passwd/shadow file
:>
:>        up
:>
:>is the salt
:>
:>        WhLNhcx8XnA
:>
:>is the encrypted password
:>
:>
:>When you make a new password, you take two random chars (called a
:>"salt"). These two chars are prepended to the password and encrypted
:>along with the rest. But the salt is also stored in _cleartext_ as the
:>two first bytes of the password field in passwd/shadow files.
:>
:>This means that if you want to check a password, you first add the two
:>salt bytes, encrypt - and compare to what's stored in the password
:>file.
:>
:>The advantage of the salt scheme is that an attacker cannot create a
:>large "dictionary" or "database" of encrypted passwords. Like:
:>
:>        secret = eI2Ls9
:>        two    = l8YeHs
:>
:>Adding these two salt bytes adds a lot of new possibilities, which
:>means that he would have to store a dictionary like this:
:>
:>        01secret = 01eI2Ls9
:>        02secret = 02aldAJs
:>        03secret = 03sdJKsd
:>        etc.
:>
:>This makes it a bad idea to try making a complete "reference" to
:>passwords, as the disk space needed is enormous.
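
The salt handling described in the quoted message, as an added example that is not part of the original thread: it creates a `user:salt+hash` entry with a random two-character salt, checks a password by re-hashing with the stored salt, and counts the rows a precomputed table would need. Assumptions: SHA-256 stands in for the DES-based crypt(3), so the output will not match real passwd entries, and all function names and sample values are hypothetical.

```python
import hashlib
import secrets

# 64-character alphabet used for crypt(3) salts and hash output.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 2    # two salt characters, stored in cleartext
HASH_LEN = 11   # remaining characters of the 13-character field


def toy_crypt(password: str, salt: str) -> str:
    """Return salt + 11 encoded chars; SHA-256 is a stand-in, not real crypt(3)."""
    if len(salt) != SALT_LEN or any(c not in ALPHABET for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    digest = hashlib.sha256((salt + password).encode()).digest()
    body = "".join(ALPHABET[b % 64] for b in digest[:HASH_LEN])
    return salt + body


def new_entry(user: str, password: str) -> str:
    """Create a passwd-style line with a freshly drawn random salt."""
    salt = "".join(secrets.choice(ALPHABET) for _ in range(SALT_LEN))
    return f"{user}:{toy_crypt(password, salt)}"


def check_password(entry: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare to the stored field."""
    field = entry.split(":")[1]
    salt = field[:SALT_LEN]
    return secrets.compare_digest(toy_crypt(candidate, salt), field)


def table_entries(words: int) -> int:
    """Rows a precomputed table needs to cover every salt for `words` passwords."""
    return words * len(ALPHABET) ** SALT_LEN


if __name__ == "__main__":
    a = new_entry("root", "example-password")   # constructed sample values
    b = new_entry("root", "example-password")
    print(a, b, sep="\n")                       # same password, two random salts
    print(check_password(a, "example-password"), check_password(a, "wrong"))
    print(table_entries(1), "rows per word instead of 1")
```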