On Wed, Apr 06, 2011 at 10:40:58PM -0500, Boyd Stephen Smith Jr. wrote:
> In <4d9d1b22.2010...@cox.net>, Ron Johnson wrote:
> >On 04/06/2011 08:19 PM, Aaron Toponce wrote:
> >> First, if you don't have the salt, but you do have the hash, then a
> >> rainbow table attack is completely pointless.
> >
> >The OS must store the salt somewhere, in order to correctly authenticate
> >the user when he logs in. But I've never heard of /etc/hashsalt so what
> >am I misunderstanding?
>
> The value stored in /etc/shadow is both the salt + the encrypted
> salt+password. This allows a process with read access to /etc/shadow to
> easily read the shadow, encrypt the salt + provided password, and compare the
> result to the encrypted salt+password. The salt is randomly generated each
> time the password is set, and it is (usually) different for each entry in
> /etc/shadow.

So is the salt a fixed number of characters? Otherwise, how would a
process know which portion of the string is the salt?

Regards,

--
Joel Roth
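
How a process can tell the salt from the rest of the stored string, as an added example that is not part of the original message. It assumes the glibc crypt(3) conventions (a fixed two-character salt for traditional DES crypt, `$`-delimited `$id$salt$hash` fields for the newer schemes); the function names and the sample entries are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

class ShadowHash(NamedTuple):
    scheme: str
    salt: str
    digest: str
    rounds: Optional[int]
    locked: bool

# Modular format: $id$[rounds=N$]salt$digest -- the salt is delimited by '$', not fixed length.
MCF = re.compile(r"^\$(?P<id>[0-9A-Za-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
                 r"(?P<salt>[^$:]*)\$(?P<digest>[./0-9A-Za-z]+)$")
# Traditional DES crypt: exactly 2 salt characters followed by 11 digest characters.
DES = re.compile(r"^(?P<salt>[./0-9A-Za-z]{2})(?P<digest>[./0-9A-Za-z]{11})$")
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def split_password_field(field: str) -> Optional[ShadowHash]:
    """Split the second field of an /etc/shadow entry into scheme, salt and digest.
    Returns None when the field carries no hash at all (empty, '*', '!', '!!')."""
    locked = field.startswith("!")        # passwd -l prefixes the hash with '!'
    body = field.lstrip("!")
    if body in ("", "*"):
        return None
    m = MCF.match(body)
    if m:
        scheme = SCHEMES.get(m["id"], "unknown($%s$)" % m["id"])
        rounds = int(m["rounds"]) if m["rounds"] else None
        return ShadowHash(scheme, m["salt"], m["digest"], rounds, locked)
    m = DES.match(body)
    if m:
        return ShadowHash("descrypt", m["salt"], m["digest"], None, locked)
    raise ValueError("unrecognised password field")

def salts_from_shadow(text: str) -> dict:
    """Map each user name in shadow-formatted text to its parsed password field."""
    return {line.split(":")[0]: split_password_field(line.split(":")[1])
            for line in text.splitlines() if line.strip()}

# Constructed sample entries; the digests are filler characters, not real hashes.
SAMPLE = "\n".join([
    "alice:$6$Xq3.r9Tz$" + "a" * 86 + ":15071:0:99999:7:::",
    "bob:$1$ab12cd34$" + "b" * 22 + ":15071:0:99999:7:::",
    "carol:!$5$rounds=10000$saltysalt$" + "c" * 43 + ":15071:0:99999:7:::",
    "dave:Zz" + "d" * 11 + ":15071:0:99999:7:::",
    "daemon:*:15071:0:99999:7:::",
])

if __name__ == "__main__":
    for user, parsed in salts_from_shadow(SAMPLE).items():
        print(user, parsed)
```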