/etc/passwd

Phil Howard phil-lfs-security at ipal.net
Thu Jan 17 14:27:56 PST 2002


On Thu, Jan 17, 2002 at 06:02:26PM +0100, Matthias Benkmann wrote:

| On 17 Jan 2002, at 10:47, Bruce Dubbs wrote:
| 
| > password?  If you were cracking passwords a lot, you could just generate
| > all combinations up to a certain length on a large hard disk and do a
| > binary search on the digest and get any of those PWs in less than a second.
| 
| To prevent this, a so-called salt is used. You do not only encrypt the 
| password, you first concatenate it with a (pseudo-)random salt string that 
| is saved together with the encrypted string. In order for the above scheme 
| to work you will have to generate encryptions of all passwords combined 
| with all salt strings. That greatly increases the amount of data. The 
| amount of storage needed is (still) too expensive to be used exclusively 
| for cracking, especially since all sites worth cracking use shadow 
| passwords so that you don't get the password file.

At a place I used to work, I once found two staff members had the same
password.  They had that 1/64 chance of using the same salt, and also
happened to be only 2 positions apart in the /etc/passwd file (this was
before shadow was used back in the 1980's).  Sometimes the rare things
do happen.  If we use a stronger hash like MD5 and a larger salt like
32 bits, these will be even more rare.

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
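
Added example, not part of the original thread: the sketch below shows the precomputed table with binary search from the quoted message, how a salt makes that table miss, and an audit that flags accounts whose stored salt and hash are identical, as in the anecdote above. The SHA-256 digest is a simplified stand-in for crypt(3), and all account names, passwords and salts are constructed.

```python
import bisect
import hashlib
from collections import defaultdict

def digest(password: str, salt: str = "") -> str:
    # Simplified stand-in for crypt(3): one SHA-256 over salt + password.
    # Real password storage should use a slow KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256((salt + password).encode()).hexdigest()

def build_table(candidates):
    # Precomputed (digest, password) pairs sorted by digest, with no salt.
    return sorted((digest(p), p) for p in candidates)

def lookup(table, wanted):
    # Binary search on the digest, as described in the quoted message.
    i = bisect.bisect_left(table, (wanted, ""))
    if i < len(table) and table[i][0] == wanted:
        return table[i][1]
    return None

def shared_hash_accounts(entries):
    # Audit: group accounts whose stored "salt$hash" field is identical,
    # which means same password AND same salt.
    groups = defaultdict(list)
    for user, field in entries:
        groups[field].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def stored(password, salt):
    # Field layout "salt$hash" is an assumption made for this example.
    return f"{salt}${digest(password, salt)}"

# Constructed sample data, not taken from any real system.
CANDIDATES = ["letmein", "password", "summer02"]
TABLE = build_table(CANDIDATES)
ENTRIES = [
    ("alice", stored("summer02", "ab")),
    ("bob",   stored("letmein", "q7")),
    ("carol", stored("summer02", "ab")),   # same password, same salt
    ("dave",  stored("summer02", "Zk")),   # same password, different salt
]

if __name__ == "__main__":
    print(lookup(TABLE, digest("summer02")))         # unsalted digest: summer02
    print(lookup(TABLE, digest("summer02", "ab")))   # salted digest: None
    print(shared_hash_accounts(ENTRIES))             # [['alice', 'carol']]
```

Running the audit over a real password store and forcing a password change for any flagged group removes the shared-hash exposure; a larger salt makes such groups correspondingly rarer.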