Phil Howard phil-lfs-security at ipal.net
Thu Jan 17 14:32:37 PST 2002

On Thu, Jan 17, 2002 at 11:27:10AM -0600, Bruce Dubbs wrote:

| This is true over the net with such programs as ssh in negotiating 
| session passwords, but is it also true with a console logon?  I don't 
| see how the system would know what salt to apply--it would have to be 
| saved someplace.
|   -- Bruce

The salt is included with the encrypted password.  So obviously the
cracker can see it if they can get the passwords.  But that only
tells them which of many collections of pre-encrypted common passwords
to search.  They can speed up the search a bit, but would have to have
all possible salt values pre-encrypted to use that technique.  The
larger the salt, the larger the space.  If it were me, I'd use a
64-bit salt and 160-bit SHA1.  I'll settle for a 32-bit salt and MD5.

| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
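
Added example, not part of the original message: a Python sketch of why the salt can sit in the clear next to the hash and still force one precomputed table per salt value. It uses a plain salted SHA-1 with an assumed `salt$digest` record layout rather than the real crypt(3) format; all function names, the word list, and the salts are constructed for illustration.

```python
import hashlib
import hmac
import os

SALT_BYTES = 8  # 64-bit salt, the size suggested in the post

def make_record(password, salt=None):
    """Return 'salt_hex$digest_hex'; the salt is stored beside the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"

def verify(password, record):
    """Console logon: the salt is read back out of the stored record."""
    salt_hex, _digest = record.split("$")
    candidate = make_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)

def precompute(words, salt):
    """Table of digest -> word. It is valid for exactly one salt value."""
    return {make_record(w, salt).split("$")[1]: w for w in words}

def lookup(record, table):
    """Return the matching word, or None if the table's salt does not apply."""
    return table.get(record.split("$")[1])

def table_entries_needed(n_words, salt_bits):
    """Entries required to pre-hash a word list for every possible salt."""
    return n_words * 2 ** salt_bits

# Constructed sample data (not from the original message)
WORDS = ["password", "letmein", "dragon"]
SALT_A = bytes.fromhex("0000000000000001")
SALT_B = bytes.fromhex("0000000000000002")

if __name__ == "__main__":
    rec_a = make_record("letmein", SALT_A)
    rec_b = make_record("letmein", SALT_B)  # same password, different salt
    table_a = precompute(WORDS, SALT_A)
    print("login ok:", verify("letmein", rec_a))
    print("table for salt A vs record A:", lookup(rec_a, table_a))
    print("table for salt A vs record B:", lookup(rec_b, table_a))
    for bits in (32, 64):
        print(bits, "bit salt:", table_entries_needed(len(WORDS), bits), "entries")
```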