?
Solved

Salt to encrypt password

Posted on 1998-10-14
4
Medium Priority
?
540 Views
Last Modified: 2013-12-26
In a unix server, what salt is used to encrypt the password.
I know the perl script is:
crypt($password, $pwdsalt);
but How do I get $pwdsalt?  
0
Comment
Question by:Lee5
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 3

Accepted Solution

by:
dhm earned 200 total points
ID: 1293706
$pwsalt is two characters that are mixed into the encryption process to cause a password to encrypt to different strings.  For example:

crypt( "Hello", "AB" ) => "AB/uOsC7P93EI"
crypt( "Hello", "XX" ) => "XXugOcRkxskLA"

As you can see, the salt characters appear as the first two characters of the result of crypt(); the rest of the results are completely different, even though the passwords were the same.  The reason Unix uses salt is to make a dictionary password attack more difficult: without salt, somebody could just run crypt() on a bunch of words and store the plain/crypted versions.  Then, when they wanted to crack a password, they could just look up the encrypted string and get back the original password.  With salt, the attacker has to run crypt hundreds of times on each word (once for each possible salt) and store hundreds of possible encrypted passwords for each word in the dictionary.  This is becoming more feasible, but it's still harder than without salt.

As for what you should pass for $pwdsalt when you call crypt(), if you're trying to verify a password, then you have to pass the first two characters of the encrypted password you're verifying against.  If you're encrypting a new password, then pick two random characters.  In addition to alphanumerics, I think several punctuation characters are legal for use as salt, but I don't know exactly which ones.  When I want to encrypt a new password in perl, I do this:

$t = srand( time( ) + $$ );
$salt1 = chr( rand( ) * 26 + ord( 'A' ) );
$salt2 = chr( rand( ) * 26 + ord( 'A' ) );

print( crypt( $new_password, $salt1.$salt2 ), "\n" );

0
 
LVL 84

Expert Comment

by:ozo
ID: 1293707
dhm is correct, and an upper case salt should be fine.
if you want to use all possible characters, you could do something like:

$salt=join'',('a'..'z','A'..'Z','0'..'9','.','/')[rand(64),rand(64)];
0
 
LVL 3

Expert Comment

by:dhm
ID: 1293708
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!
0
 
LVL 3

Expert Comment

by:dhm
ID: 1293709
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!
0

Featured Post

Percona Live Europe 2017 | Sep 25 - 27, 2017

The Percona Live Open Source Database Conference Europe 2017 is the premier event for the diverse and active European open source database community, as well as businesses that develop and use open source database software.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: Dynamic window placements and drawing on a form, simple usage of windows registry as a storage place for information. Continuing from the first article about sudoku.  There we have designed the application and put a lot of user int…
Introduction: Database storage, where is the exe actually on the disc? Playing a game selected randomly (how to generate random numbers).  Error trapping with try..catch to help the code run even if something goes wrong. Continuing from the seve…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question