From owner-freebsd-security Sat Dec 29 20:30:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id 2485337B405 for ; Sat, 29 Dec 2001 20:30:26 -0800 (PST)
Received: (from rik@localhost) by pkl.net (8.9.3/8.9.3) id EAA10043; Sun, 30 Dec 2001 04:30:20 GMT
Date: Sun, 30 Dec 2001 04:30:20 +0000
From: Rik
To: Ryan Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-ID: <20011230043020.A9927@spoon.pkl.net>
References: <20011229133456.J99302-100000@catalyst.sasknow.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011229133456.J99302-100000@catalyst.sasknow.net>; from ryan@sasknow.com on Sat, Dec 29, 2001 at 01:49:46PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Dec 29, 2001 at 01:49:46PM -0600, Ryan Thompson wrote:
> So, before I go hacking, hopefully someone can give me a clue to where
> I can look to calculate a new MD5 salt.

Salt is just some randomness thrown in so that you can't just make a
standard dictionary to compare hashed passwords with. All you need to do
is make the relevant number of random chars.

Personally, I just run the current time as a string (from strftime(3))
through the hash, and take the first couple of chars as an index into an
array of allowable chars (modulo the size of the array, obviously).

I'm sure someone on this list will tell us if that's a completely stupid
way of generating salt...

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
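
Added example, not part of the original message or of FreeBSD's code: it puts the time-through-the-hash salt described above next to a salt drawn from the OS CSPRNG, and counts how often each repeats, since a salt only defeats a precomputed dictionary if it differs per password. The function names, the strftime format string, the 8-character salt length and the sample timestamps are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# The 64 characters crypt(3) accepts in a salt.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def time_salt(epoch, length=8):
    """Salt built as the message describes: hash the time string, then use
    leading digest bytes as indexes into the allowed characters."""
    # Format string is an assumption; the message only says "from strftime(3)".
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(epoch))
    digest = hashlib.md5(stamp.encode()).digest()
    return "".join(SALT_CHARS[b % len(SALT_CHARS)] for b in digest[:length])


def random_salt(length=8, alphabet=SALT_CHARS):
    """Salt drawn from the OS CSPRNG. secrets.choice stays uniform even when
    the alphabet size does not divide 256, where a plain modulo would skew."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def md5_crypt_setting(salt):
    """Setting string that selects MD5 in crypt(3): $1$<salt>$ (salt <= 8 chars)."""
    return "$1$" + salt[:8] + "$"


def salt_reuse(salts):
    """Number of salts that repeat one seen earlier in the list."""
    return len(salts) - len(set(salts))


if __name__ == "__main__":
    # Constructed sample: two passwords set within the same second.
    same_second = [1009686620, 1009686620]
    by_time = [time_salt(t) for t in same_second]
    by_rng = [random_salt() for _ in same_second]
    print("time-derived:", by_time, "reused:", salt_reuse(by_time))
    print("CSPRNG      :", by_rng, "reused:", salt_reuse(by_rng))
    print("crypt setting:", md5_crypt_setting(by_rng[0]))
```

The time-derived salt is a pure function of the clock, so every password set in the same second shares it and anyone who knows the creation time can recompute it; the CSPRNG salt has neither property.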