Using a salt value | Unix Linux Forums | Programming

#1 AimyThomas (Registered User), 10-09-2012

Hi,

I've been reading up on using a salt value when creating a password to make it more secure, what I can't get my head round is how do you remember this salt value?

I'm guessing that when a user logs in to be able to compare the password entered with the one in the database you would need to again add the salt value to the entered password.

Am I missing something really obvious?

Thanks in Advance

#2 Corona688 (Forum Staff), 10-09-2012
Quote (originally posted by AimyThomas):
> Hi,
>
> I've been reading up on using a salt value when creating a password to make it more secure, what I can't get my head round is how do you remember this salt value?

You don't; you just test a lot of salts. That's why salts are small, to make that tolerable.

The point is to add a lot more computational work to anyone trying to brute-force a hash. They can't just compare a list of known hashes to a shadow file.

#3 JohnGraham (Registered User), 10-09-2012
At least for passwords made with crypt() (see 'man 3 crypt'), the salt is the first two characters of the generated hash - this makes duplicates look different, while allowing easy computation when entering the password.

Here's a test program I wrote a while ago demonstrating basic use of crypt(), but still find useful - if you run it you'll notice the first two characters of the output are the two-byte salt (compile with '-lcrypt'):


Code:
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <crypt.h>      // declares crypt(); link with -lcrypt

#include <sys/time.h>
#include <unistd.h>

char *random_salt()
{
    // Failure is fine (assume garbage on stack will do at a push).
    struct timeval tv;
    if (gettimeofday(&tv, NULL) != 0) {
        fprintf(stderr, "Warning: Could not gettimeofday: %m.\n");
        fprintf(stderr, "Just using garbage on stack as randomness.\n");
    }
    srand(tv.tv_sec + tv.tv_usec);

    const char *salt_chars =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789" "./";

    static char salt[3] = "\0\0\0";

    salt[0] = salt_chars[rand() % strlen(salt_chars)];
    salt[1] = salt_chars[rand() % strlen(salt_chars)];

    return salt;
}

int main(int argc, char *argv[])
{
    if (argc != 2 && argc != 3) {
        fprintf(stderr, "Usage: crypt PASSPHRASE [SALT]\n");
        fprintf(stderr, "(If no SALT is given, a random one is chosen)\n");
        return 1;
    }

    if (argc == 3 && strlen(argv[2]) != 2) {
        fprintf(stderr, "Error: salt must be 2 bytes long\n");
        return 1;
    }

    char *salt = (argc == 3) ? argv[2] : random_salt();

    char *pass = crypt(argv[1], salt);
    if (pass) {
        printf("%s\n", pass);
        return 0;
    } else {
        fprintf(stderr, "Error: %m\n");
        return 1;
    }
}
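
Added example, not part of the original thread or any poster's code: the question in post #1 is where the salt lives, and the crypt() output in post #3 shows it stored in clear as a prefix of the hash. The Python code below keeps that layout but swaps crypt() for PBKDF2-HMAC-SHA256 from the standard library; the `salt$digest` record format, the function names and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return a 'salt$hexdigest' record; the salt sits in clear in the record."""
    if salt is None:
        salt = secrets.token_hex(16)  # fresh random salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("ascii"), ITERATIONS
    )
    return salt + "$" + digest.hex()


def verify_password(password, stored):
    """Read the salt back out of the stored record and recompute the hash."""
    salt, sep, _ = stored.partition("$")
    if not sep:
        return False  # malformed record: no salt separator
    candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, stored)


def demo():
    """Two accounts with the same password get different stored records."""
    alice = hash_password("correct horse")  # constructed sample password
    bob = hash_password("correct horse")
    return {
        "records_differ": alice != bob,
        "alice_login_ok": verify_password("correct horse", alice),
        "bob_login_ok": verify_password("correct horse", bob),
        "wrong_password_ok": verify_password("wrong horse", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Nothing has to be remembered at login: the verifier takes the salt from the stored record, which is the same thing crypt() does when the stored hash is passed as its salt argument.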
