#1
Using a salt value
Hi,
I've been reading up on using a salt value when creating a password to make it more secure. What I can't get my head round is how do you remember this salt value? I'm guessing that when a user logs in, to be able to compare the password entered with the one in the database, you would need to again add the salt value to the entered password. Am I missing something really obvious? Thanks in advance
#2
The point is to add a lot more computational work to anyone trying to brute-force a hash. They can't just compare a list of known hashes to a shadow file.
#3
At least for passwords made with crypt() (see 'man 3 crypt'), the salt is the first two characters of the generated hash. This makes duplicates look different, while allowing easy computation when entering the password. Here's a test program I wrote a while ago demonstrating basic use of crypt(), which I still find useful. If you run it you'll notice the first two characters of the output are the two-byte salt (compile with '-lcrypt'):
Code:
#define _GNU_SOURCE
#include <crypt.h>      /* crypt() lives here on glibc/libxcrypt; link with -lcrypt */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* Pick two characters from the traditional crypt() salt alphabet.
 * Note: rand() seeded from the clock is fine for a demo but is not a
 * cryptographically secure source of randomness. */
char *random_salt(void)
{
    /* Zero-initialised so a gettimeofday() failure still yields defined
     * (if poor) seed input rather than an uninitialised read. */
    struct timeval tv = { 0, 0 };
    if (gettimeofday(&tv, NULL) != 0) {
        fprintf(stderr, "Warning: Could not gettimeofday: %m.\n");
        fprintf(stderr, "Falling back to a fixed seed.\n");
    }
    srand(tv.tv_sec + tv.tv_usec);

    const char *salt_chars =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789" "./";
    static char salt[3] = "\0\0\0";
    salt[0] = salt_chars[rand() % strlen(salt_chars)];
    salt[1] = salt_chars[rand() % strlen(salt_chars)];
    return salt;
}

int main(int argc, char *argv[])
{
    if (argc != 2 && argc != 3) {
        fprintf(stderr, "Usage: crypt PASSPHRASE [SALT]\n");
        fprintf(stderr, "(If no SALT is given, a random one is chosen)\n");
        return 1;
    }
    if (argc == 3 && strlen(argv[2]) != 2) {
        fprintf(stderr, "Error: salt must be 2 bytes long\n");
        return 1;
    }

    char *salt = (argc == 3) ? argv[2] : random_salt();
    /* crypt() returns the salt followed by the hash, so the salt is
     * recoverable from the stored string when the user logs in again. */
    char *pass = crypt(argv[1], salt);
    if (pass) {
        printf("%s\n", pass);
        return 0;
    } else {
        fprintf(stderr, "Error: %m\n");
        return 1;
    }
}
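To tie the original question (how is the salt "remembered"?) to the answer in post #3 (crypt() stores it as the prefix of the hash string), here is an added example that is not from this thread or any of its posters. It stores the salt inside the password record, exactly as crypt() does, and on login extracts it from the record to re-derive the hash. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than crypt() so it runs without libcrypt; the record layout `<iterations>$<salt-hex>$<hash-hex>`, the iteration count and the salt size are this example's own choices. It also goes slightly beyond the thread by showing the same-password-different-salt behaviour the third post mentions, and a small helper that pulls the salt back out of a crypt()-style string (the two-character traditional form and the `$id$salt$hash` form; it assumes no `rounds=N$` field is present).

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (not from the thread).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and return a record that carries the salt with it.

    The record looks like "<iterations>$<salt-hex>$<hash-hex>": the salt is
    not a secret, so storing it next to the hash is how it is 'remembered'.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # CSPRNG; not srand()/rand()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login path: read the salt (and cost) back out of the stored record,
    re-derive the hash from the entered password, and compare in constant
    time so timing does not leak how many bytes matched."""
    try:
        iterations_s, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def salt_from_crypt_string(stored: str) -> str:
    """Extract the salt from a crypt(3)-style string.

    Traditional DES form: the salt is the first two characters (as post #3
    says). Modular form "$id$salt$hash": the salt is the field between the
    second and third '$'. Assumes no "rounds=N$" parameter field.
    """
    if stored.startswith("$"):
        fields = stored.split("$")
        if len(fields) < 4:
            raise ValueError("not a recognised crypt string")
        return fields[2]
    return stored[:2]


if __name__ == "__main__":
    # Constructed demo values.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:",
          verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("hunter2", record))
    # Same password, two salts: the stored hashes differ, so identical
    # passwords across users are not visible as identical records.
    a = hash_password("same-password", salt=b"A" * SALT_BYTES, iterations=1000)
    b = hash_password("same-password", salt=b"B" * SALT_BYTES, iterations=1000)
    print("same password, different salt, different record:", a != b)
    print("salt of traditional crypt string 'abXYZ...':",
          salt_from_crypt_string("abXYZ..."))
```

The iteration count is stored in the record for the same reason the salt is: verification needs every parameter that went into the hash, and keeping them with the hash lets the cost be raised later for new records without breaking old ones.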