Using a salt value


 
Thread Tools Search this Thread
Top Forums Programming Using a salt value
# 1  
Old 10-09-2012
Using a salt value

Hi,

I've been reading up on using a salt value when creating a password to make it more secure, what I can't get my head round is how do you remember this salt value?

I'm guessing that when a user logs in to be able to compare the password entered with the one in the database you would need to again add the salt value to the entered password.

Am I missing something really obvious?

Thanks in Advance
# 2  
Old 10-09-2012
Quote:
Originally Posted by AimyThomas
Hi,

I've been reading up on using a salt value when creating a password to make it more secure, what I can't get my head round is how do you remember this salt value?
You don't; you just test a lot of salts. That's why salts are small, to make that tolerable.

The point is to add a lot more computational work to anyone trying to brute-force a hash. They can't just compare a list of known hashes to a shadow file.
# 3  
Old 10-09-2012
At least for passwords made with crypt() (see 'man 3 crypt'), the salt is the first two characters of the generated hash - this makes duplicates look different, while allowing easy computation when entering the password.

Here's a test program I wrote a while ago demonstrating basic use of crypt(), but still find useful - if you run it you'll notice the first two characters of the output are the two-byte salt (compile with '-lcrypt'):

Code:
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <string.h>

#include <sys/time.h>
#include <unistd.h>

char *random_salt()
{
    // Failure is fine (assume garbage on stack will do at a push).
    struct timeval tv;
    if (gettimeofday(&tv, NULL) != 0) {
        fprintf(stderr, "Warning: Could not gettimeofday: %m.\n");
        fprintf(stderr, "Just using garbage on stack as randomness.\n");
    }
    srand(tv.tv_sec + tv.tv_usec);

    const char *salt_chars =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789" "./";

    static char salt[3] = "\0\0\0";

    salt[0] = salt_chars[rand() % strlen(salt_chars)];
    salt[1] = salt_chars[rand() % strlen(salt_chars)];

    return salt;
}

int main(int argc, char *argv[])
{
    if (argc != 2 && argc != 3) {
        fprintf(stderr, "Usage: crypt PASSPHRASE [SALT]\n");
        fprintf(stderr, "(If no SALT is given, a random one is chosen)\n");
        return 1;
    }

    if (argc == 3 && strlen(argv[2]) != 2) {
        fprintf(stderr, "Error: salt must be 2 bytes long\n");
        return 1;
    }

    char *salt = (argc == 3) ? argv[2] : random_salt();

    char *pass = crypt(argv[1], salt);
    if (pass) {
        printf("%s\n", pass);
        return 0;
    } else {
        fprintf(stderr, "Error: %m\n");
        return 1;
    }
}

Login or Register to Ask a Question

Previous Thread | Next Thread

5 More Discussions You Might Find Interesting

1. Cybersecurity

Wordpress and Joomla hash and salt

I would like to know where the hash and salt are in Wordpress and Joomla hashes? For example: In this wordpress hash P$BTBCNLQpY5CWWQ6XC4WJ6IPJQ877s3 where the salt is? In this Joomla hash $2y$10$io60pn4npWCRWwg4308pB.4rLmfz.vFwzxzYmX6W48Ff7wTi7ZEMO where the salt is? For example (source... (1 Reply)
Discussion started by: freeroute
1 Replies

2. OS X (Apple)

Question about openSSL and Salt

Hey all, i have an application i am developing and i would like to use the OpenSSL des3 encryption, the only problem i am having is when i need to input the second key verification. Heres what i have so far openssl des3 -salt -in /tmp -out pwenc.z | echo 1111 usually for password verification... (0 Replies)
Discussion started by: code_monkey
0 Replies

3. Programming

4-Byte Salt (in hex) to Integer

If i have a salt that looks like this 'CFDB024F' (in hex) would the integer value be '3487236687' ? Is that correct? (1 Reply)
Discussion started by: cbreiny
1 Replies

4. UNIX for Dummies Questions & Answers

Increase salt size

Unix protect its password by using salt It that mean larger the salt size the more secure? if the salt size increase greatly, will the password still able to be cracked? thank you for helping (1 Reply)
Discussion started by: cryogen
1 Replies

5. UNIX for Dummies Questions & Answers

What is "salt character" and what does it do?

Hi, lads. Good day. I have one question to ask. I read on the Internet, for the SUSE system, the password is encrypted into 13 characters, and the first 2 characters are called salt characters? Is there any special meaning for salt? Why we need these salt characters? And, I have a look at... (1 Reply)
Discussion started by: yjck71
1 Replies
Login or Register to Ask a Question