/etc/passwd

Bruce Dubbs bdubbs at swbell.net
Thu Jan 17 09:27:10 PST 2002


Matthias Benkmann wrote:
> On 17 Jan 2002, at 10:47, Bruce Dubbs wrote:
> 
> 
>>password?  If you were cracking passwords a lot, you could just generate
>>all combinations up to a certain length on a large hard disk and do a
>>binary search on the digest and get any of those PWs in less than a second.
>>
> 
> To prevent this, a so-called salt is used. You do not only encrypt the 
> password, you first concatenate it with a (pseudo-)random salt string that 
> is saved together with the encrypted string. In order for the above scheme 
> to work you will have to generate encryptions of all passwords combined 
> with all salt strings. That increases the amount of data enormously. The 
> amount of storage needed is (still) too expensive to be used exclusively 
> for cracking, especially since all sites worth cracking use shadow 
> passwords so that you don't get the password file.

This is true over the net with such programs as ssh in negotiating 
session passwords, but is it also true with a console logon?  I don't 
see how the system would know what salt to apply--it would have to be 
saved someplace.
   -- Bruce
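
An added illustration (not part of the original message, and not the system's own login code) of the salt scheme described in the quoted reply: the salt is stored in clear next to the digest, so a local login can re-hash the attempt, while a table precomputed without salts no longer matches. SHA-256 and the `salt$digest` record layout are assumptions standing in for the system's real password hash format; the passwords are constructed sample data.

```python
import bisect
import hashlib
import hmac
import os

def digest(data: bytes) -> str:
    # SHA-256 stands in for the system's password hash (assumption, not crypt(3)).
    return hashlib.sha256(data).hexdigest()

def build_table(candidates):
    """Precompute sorted (digest, password) pairs for unsalted hashes."""
    return sorted((digest(p.encode()), p) for p in candidates)

def table_lookup(table, target):
    """Binary search the precomputed table; return the password or None."""
    i = bisect.bisect_left(table, (target, ""))
    if i < len(table) and table[i][0] == target:
        return table[i][1]
    return None

def make_entry(password: str, salt: bytes = None) -> str:
    """Return 'salt$digest'; the salt is saved in clear beside the digest."""
    salt = os.urandom(8) if salt is None else salt
    return salt.hex() + "$" + digest(salt + password.encode())

def verify(entry: str, attempt: str) -> bool:
    """Login check: read the salt back out of the stored entry, then re-hash."""
    salt_hex, stored = entry.split("$", 1)
    candidate = digest(bytes.fromhex(salt_hex) + attempt.encode())
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    # Constructed sample data: a tiny candidate list and one user entry.
    table = build_table(["secret", "letmein", "password"])
    unsalted = digest(b"letmein")
    entry = make_entry("letmein")
    print("unsalted lookup:", table_lookup(table, unsalted))
    print("salted entry:   ", entry)
    print("salted lookup:  ", table_lookup(table, entry.split("$")[1]))
    print("console login:  ", verify(entry, "letmein"))
```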
