how long should a password be?
Peter Pentchev
roam at ringlet.net
Sat May 10 10:37:19 CEST 2008
On Tue, May 06, 2008 at 04:52:31AM -0400, Faramir wrote:
[snip Sven Radde's explanations about the salt]
> Excellent explanation, thanks. But I still miss the point about the
> salt value not needing to be kept secret... I mean: if the salt value
> is not known to the program that must validate the password, then it
> can't validate it (since the hash produced by the password will never
> match the "salted" stored hash). That means the salt used must be stored
> somewhere... and if I get the stored hash, and the salt, I would just
> need to generate the rainbow tables adding the salt value I got... Wait,
> I think I am beginning to get the point... since the salt is random, I
> figure each user will have his own salt value... and that would mean I
> would have to generate 1 rainbow table for each user... but then, I
> would rather try to crack an admin password, and then reset the
> passwords of the users...
It seems that you are missing another important point about the salt -
it is generated randomly each and every time something needs to be
encrypted :) There is no such thing as "the salt value for this user";
every time this user wants to hash a password, the system generates
a random salt value and hashes this particular password, just this once,
with this value.
Hope that helps :)
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.
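To make the point of the thread concrete, here is an added example (not code from this thread or from GnuPG) of how a salt is handled in practice: a fresh random salt is drawn every time a password is set, stored in the clear next to the hash, and read back from storage to verify a later login attempt. It also shows why the same password gives every user a different stored record, whereas an unsalted hash gives them all the same one. The record format and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; a deployment would tune them.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak form: no salt, so equal passwords give equal hashes and one
    precomputed table answers every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Return a storable record 'pbkdf2_sha256$iters$salt_hex$digest_hex'.
    A new random salt is generated every time a password is set; the salt
    is stored beside the digest because it is not a secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the salt taken from the stored record and
    compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_records_differ(password: str, users: int) -> bool:
    """Same password for N users yields N distinct records, since each
    password-set event draws its own salt: one table per user, not one table."""
    return len({hash_password(password) for _ in range(users)}) == users
```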