From owner-freebsd-security Sat Dec 29 21: 0:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from catalyst.sasknow.net (catalyst.sasknow.net [207.195.92.130]) by hub.freebsd.org (Postfix) with ESMTP id D6ED537B417 for ; Sat, 29 Dec 2001 21:00:17 -0800 (PST) Received: from localhost (ryan@localhost) by catalyst.sasknow.net (8.11.6/8.11.6) with ESMTP id fBU50CO47502; Sat, 29 Dec 2001 23:00:12 -0600 (CST) (envelope-from ryan@sasknow.com) X-Authentication-Warning: catalyst.sasknow.net: ryan owned process doing -bs Date: Sat, 29 Dec 2001 23:00:12 -0600 (CST) From: Ryan Thompson X-X-Sender: To: Rik Cc: Subject: Re: MD5 password salt calculation In-Reply-To: <20011230043020.A9927@spoon.pkl.net> Message-ID: <20011229224936.E46948-100000@catalyst.sasknow.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Rik wrote to Ryan Thompson: Hi Rik, > Salt is just some randomness thrown in so that you can't just make > a standard dictionary to compare hashed passwords with. All you > need to do is make the relevant number of random chars. Right.. I gather it's still the convention to use $1$ to differentiate between DES/MD5, in the case where both password formats are being imported. Is $1$ pretty much caught on everywhere? I've seen it in OpenBSD and NetBSD, probably even Linux, but it's been awhile since I looked. > Personally, I just run the current time as a string (from > strftime(3)) through the hash, and take the first couple of chars > as an index into an array of allowable chars (modulo the size of > the array, obviously). > > I'm sure someone on this list will tell us if that's a completely > stupid way of generating salt... :-) Well, it doesn't sound too unreasonable...(though using integer time would be faster by a mult. constant if your process is CPU bound) the approaches that I've seen use some kind of random data (like current sec+usec) passed through a char array... so I suppose that's essentially the same thing. - Ryan -- Ryan Thompson Network Administrator, Accounts SaskNow Technologies - http://www.sasknow.com #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2 Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message