Solved

Salt to encrypt password

Posted on 1998-10-14
4
499 Views
Last Modified: 2013-12-26
In a unix server, what salt is used to encrypt the password.
I know the perl script is:
crypt($password, $pwdsalt);
but How do I get $pwdsalt?  
0
Comment
Question by:Lee5
  • 3
4 Comments
 
LVL 3

Accepted Solution

by:
dhm earned 50 total points
Comment Utility
$pwsalt is two characters that are mixed into the encryption process to cause a password to encrypt to different strings.  For example:

crypt( "Hello", "AB" ) => "AB/uOsC7P93EI"
crypt( "Hello", "XX" ) => "XXugOcRkxskLA"

As you can see, the salt characters appear as the first two characters of the result of crypt(); the rest of the results are completely different, even though the passwords were the same.  The reason Unix uses salt is to make a dictionary password attack more difficult: without salt, somebody could just run crypt() on a bunch of words and store the plain/crypted versions.  Then, when they wanted to crack a password, they could just look up the encrypted string and get back the original password.  With salt, the attacker has to run crypt hundreds of times on each word (once for each possible salt) and store hundreds of possible encrypted passwords for each word in the dictionary.  This is becoming more feasible, but it's still harder than without salt.

As for what you should pass for $pwdsalt when you call crypt(), if you're trying to verify a password, then you have to pass the first two characters of the encrypted password you're verifying against.  If you're encrypting a new password, then pick two random characters.  In addition to alphanumerics, I think several punctuation characters are legal for use as salt, but I don't know exactly which ones.  When I want to encrypt a new password in perl, I do this:

$t = srand( time( ) + $$ );
$salt1 = chr( rand( ) * 26 + ord( 'A' ) );
$salt2 = chr( rand( ) * 26 + ord( 'A' ) );

print( crypt( $new_password, $salt1.$salt2 ), "\n" );

0
 
LVL 84

Expert Comment

by:ozo
Comment Utility
dhm is correct, and an upper case salt should be fine.
if you want to use all possible characters, you could do something like:

$salt=join'',('a'..'z','A'..'Z','0'..'9','.','/')[rand(64),rand(64)];
0
 
LVL 3

Expert Comment

by:dhm
Comment Utility
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!
0
 
LVL 3

Expert Comment

by:dhm
Comment Utility
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

Introduction: Load and Save to file, Document-View interaction inside the SDI. Continuing from the second article about sudoku.   Open the project in visual studio. From the class view select CSudokuDoc and double click to open the header …
Introduction: Database storage, where is the exe actually on the disc? Playing a game selected randomly (how to generate random numbers).  Error trapping with try..catch to help the code run even if something goes wrong. Continuing from the seve…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now