Date: Sat, 29 Dec 2001 23:27:25 -0600
From: "Jacques A. Vidrine" <n@nectar.cc>
To: Allen Landsidel <all@biosys.net>
Cc: Rik <freebsd-security@rikrose.net>, Ryan Thompson <ryan@sasknow.com>, freebsd-security@FreeBSD.ORG
Subject: Re: MD5 password salt calculation
Message-ID: <20011230052725.GB80312@madman.nectar.cc>
In-Reply-To: <5.1.0.14.0.20011230000743.00a91a80@rfnj.org>
References: <20011229133456.J99302-100000@catalyst.sasknow.net> <5.1.0.14.0.20011230000743.00a91a80@rfnj.org>
On Sun, Dec 30, 2001 at 12:16:33AM -0500, Allen Landsidel wrote:
> At 04:30 AM 12/30/2001 +0000, Rik wrote:
> >Salt is just some randomness thrown in so that you can't just make a
> >standard dictionary to compare hashed passwords with. All you need to do
> >is make the relevant number of random chars. Personally, I just run the
> >current time as a string (from strftime(3)) through the hash, and take
> >the first couple of chars as an index into an array of allowable chars
> >(modulo the size of the array, obviously).
>
> That's a completely stupid way of generating a salt. ;)
>
> Actually, it's probably about as bad as you can get without abandoning the
> salt completely.

You are confusing salt with something that needs to be truly random.
Password salts do not, and in fact in many systems the salt is a
well-known transformation of the account name (e.g. see Kerberos).

[snip]

> Brute forcing this salt would be trivially easy just because of
> that.

You don't ``brute force'' salt. You have the salt. It is part of the
crypted password.

> Second, if you plan to use this in any sort of daemon, system utility, or
> something that is otherwise logged, then there is no need to guess the salt
> at all: the current date/time will be at worst in the log file for the
> program, and at best in the last-accessed time for whatever the output file
> is.

There's no need to guess at all, because you already have it if you
have the crypted password [1].

> At this point you're probably thinking "ok wiseguy, what's a good way to
> generate the salt" and that goes to the very root of the problem; there
> really are no "good" ways (outside of some sort of biometric) to generate
> random numbers in a deterministic, finite-state machine like a PC.

No, almost any method will do for salt, as long as the salt is mostly
different for every username/password combination.

The purpose of the salt is to prevent an attacker from precomputing
the ciphertext version of a dictionary, and then just comparing the
ciphertext for each word with the crypted password. For more
information, see Schneier, ``Applied Cryptography 2nd Edition'',
pp 52-53 or similar.

Cheers,
--
Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
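An added illustration of the two points made in this message (the salt is stored in the clear in the crypted password, and it only has to differ per account to defeat a precomputed dictionary). This is not code from the thread; it assumes FreeBSD's `$1$<salt>$<hash>` MD5-crypt layout and the crypt(3) salt alphabet, and the sample entries are constructed, with placeholder hash fields.

```python
import re
import secrets
from collections import Counter

# crypt(3) salt alphabet "./0-9A-Za-z" (64 symbols).
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# FreeBSD MD5-crypt entry: "$1$<salt>$<hash>", salt 1-8 chars, hash 22 chars.
MD5_CRYPT_RE = re.compile(r"^\$1\$(?P<salt>[./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}$")


def new_salt(length: int = 8) -> str:
    """Salt need not be secret, only distinct per account; a CSPRNG draw
    over the crypt alphabet is the simplest way to get that."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def salt_from_crypted(crypted: str) -> str:
    """The salt sits in the clear inside the crypted password: whoever holds
    the entry already has it, so there is nothing to guess."""
    m = MD5_CRYPT_RE.match(crypted)
    if m is None:
        raise ValueError("not an MD5-crypt string: %r" % crypted)
    return m.group("salt")


def find_reused_salts(entries) -> dict:
    """Audit check: a salt shared by several accounts (e.g. a one-second time
    stamp reused for a batch of new users) lets one precomputed dictionary
    serve all of those accounts at once."""
    counts = Counter(salt_from_crypted(e) for e in entries)
    return {salt: n for salt, n in counts.items() if n > 1}


def dictionary_work(entries, dictionary_size: int) -> int:
    """Hash evaluations needed to try every dictionary word against every
    entry: one full pass per distinct salt. Unsalted, or with one shared
    salt, this collapses to a single precomputed table."""
    return len({salt_from_crypted(e) for e in entries}) * dictionary_size


# Constructed sample entries; the hash fields are placeholders, not digests.
SAMPLE_ENTRIES = [
    "$1$Ab3/xYz9$" + "a" * 22,
    "$1$Ab3/xYz9$" + "b" * 22,  # same salt as the first entry
    "$1$Qr7.mNp2$" + "c" * 22,
]

if __name__ == "__main__":
    print(new_salt())
    print(find_reused_salts(SAMPLE_ENTRIES))         # {'Ab3/xYz9': 2}
    print(dictionary_work(SAMPLE_ENTRIES, 100_000))  # 200000
```

Running `find_reused_salts` over a real password file is a cheap way to spot a salt generator that is not producing distinct values.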