• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 568
  • Last Modified:

Salt to encrypt password

In a unix server, what salt is used to encrypt the password.
I know the perl script is:
crypt($password, $pwdsalt);
but How do I get $pwdsalt?  
0
Lee5
Asked:
Lee5
  • 3
1 Solution
 
dhmCommented:
$pwsalt is two characters that are mixed into the encryption process to cause a password to encrypt to different strings.  For example:

crypt( "Hello", "AB" ) => "AB/uOsC7P93EI"
crypt( "Hello", "XX" ) => "XXugOcRkxskLA"

As you can see, the salt characters appear as the first two characters of the result of crypt(); the rest of the results are completely different, even though the passwords were the same.  The reason Unix uses salt is to make a dictionary password attack more difficult: without salt, somebody could just run crypt() on a bunch of words and store the plain/crypted versions.  Then, when they wanted to crack a password, they could just look up the encrypted string and get back the original password.  With salt, the attacker has to run crypt hundreds of times on each word (once for each possible salt) and store hundreds of possible encrypted passwords for each word in the dictionary.  This is becoming more feasible, but it's still harder than without salt.

As for what you should pass for $pwdsalt when you call crypt(), if you're trying to verify a password, then you have to pass the first two characters of the encrypted password you're verifying against.  If you're encrypting a new password, then pick two random characters.  In addition to alphanumerics, I think several punctuation characters are legal for use as salt, but I don't know exactly which ones.  When I want to encrypt a new password in perl, I do this:

$t = srand( time( ) + $$ );
$salt1 = chr( rand( ) * 26 + ord( 'A' ) );
$salt2 = chr( rand( ) * 26 + ord( 'A' ) );

print( crypt( $new_password, $salt1.$salt2 ), "\n" );

0
 
ozoCommented:
dhm is correct, and an upper case salt should be fine.
if you want to use all possible characters, you could do something like:

$salt=join'',('a'..'z','A'..'Z','0'..'9','.','/')[rand(64),rand(64)];
0
 
dhmCommented:
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!
0
 
dhmCommented:
Ozo: that's a pretty cool Perlism.  I hope you don't mind if I add it to my crypted-password generating program!
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now