Salt to encrypt password

Posted on 1998-10-14
Last Modified: 2013-12-26
In a unix server, what salt is used to encrypt the password.
I know the perl script is:
crypt($password, $pwdsalt);
but How do I get $pwdsalt?  
Question by:Lee5
  • 3

Accepted Solution

dhm earned 50 total points
ID: 1293706
$pwsalt is two characters that are mixed into the encryption process to cause a password to encrypt to different strings.  For example:

crypt( "Hello", "AB" ) => "AB/uOsC7P93EI"
crypt( "Hello", "XX" ) => "XXugOcRkxskLA"

As you can see, the salt characters appear as the first two characters of the result of crypt(); the rest of the results are completely different, even though the passwords were the same.  The reason Unix uses salt is to make a dictionary password attack more difficult: without salt, somebody could just run crypt() on a bunch of words and store the plain/crypted versions.  Then, when they wanted to crack a password, they could just look up the encrypted string and get back the original password.  With salt, the attacker has to run crypt hundreds of times on each word (once for each possible salt) and store hundreds of possible encrypted passwords for each word in the dictionary.  This is becoming more feasible, but it's still harder than without salt.

As for what you should pass for $pwdsalt when you call crypt(), if you're trying to verify a password, then you have to pass the first two characters of the encrypted password you're verifying against.  If you're encrypting a new password, then pick two random characters.  In addition to alphanumerics, I think several punctuation characters are legal for use as salt, but I don't know exactly which ones.  When I want to encrypt a new password in perl, I do this:

$t = srand( time( ) + $$ );
$salt1 = chr( rand( ) * 26 + ord( 'A' ) );
$salt2 = chr( rand( ) * 26 + ord( 'A' ) );

print( crypt( $new_password, $salt1.$salt2 ), "\n" );

LVL 84

Expert Comment

ID: 1293707
dhm is correct, and an upper case salt should be fine.
if you want to use all possible characters, you could do something like:


Expert Comment

ID: 1293708
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!

Expert Comment

ID: 1293709
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Expand data scrubbing tool 13 32
Detect CR LF to each line 12 160
firstChar challenge 13 115
Sed question 2 85
Introduction: Dialogs (1) modal - maintaining the database. Continuing from the ninth article about sudoku.   You might have heard of modal and modeless dialogs.  Here with this Sudoku application will we use one of each type: a modal dialog …
Introduction: Dialogs (2) modeless dialog and a worker thread.  Handling data shared between threads.  Recursive functions. Continuing from the tenth article about sudoku.   Last article we worked with a modal dialog to help maintain informat…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question