> Note that "ab" are the first two characters of the putatively encrypted
> output. It seems that your perl command always includes the first two
> letters of the input as the first two letters of the output:

That's the "salt" - it's used to add a bit more randomness into the resulting password (okay, randomness isn't the right word). When you type your password to log in, the system reads the hash for your username from the password file and extracts the first 2 characters. Then it crypt()'s the password you entered and the salt from the password file, to see if it gets the same hash that's in the password file.

Without a salt, if two users both used the same password, they would have identical hashes (so users who can read the password file could easily find anyone else using the same password). There was a time, the dark ages, when systems didn't have shadow, or some other method to hide hashes from the users. Also without the salt, it would be considerably easier to pre-generate hashes for common passwords (like dictionary words), and then look for those hashes in the passwd file. If the box is compromised, the hashes are viewable. There also needs to be some protection from root, in case he gets bored and wants to find out whose system passwords also match their PayPal accounts.

Consider, without hashes, I could pre-crypt the 235,882 dictionary words from /usr/share/dict/words, and it would take 235,882 crypt operations, and only about 30M to store the results. With the salt, you would have 3.7M crypt operations, and it would take 483M to store (I think - check my math, I did this quickly...). But nowadays either option is trivial on modern machines.

But if someone who's stronger in math (and doesn't have fifty frickin' people talking loudly right next to him!) feels like posting the numbers necessary for pre-generating all possible 8-character passwords, with and without salts, the numbers get pretty astronomical.
I believe I read something on a security list a few years ago discussing whether it was feasible with current hardware to generate and store every hash for all passwords up to 16 characters, with all salts. Interesting reading, I unfortunately can't remember where I read it or what the findings were.

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
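The salt-extraction login check and the effect of salting on identical-hash leakage and on precomputed dictionary tables, as an added Python example that is not part of the post. `toy_crypt` is a constructed stand-in for crypt(3) (SHA-256, not DES) that keeps only the property discussed: the 2-character salt is echoed as the first two output characters; the user names, passwords and salts are constructed sample data.

```python
import hashlib
import itertools
import secrets

# Traditional crypt(3) salt alphabet: 64 symbols, 2 characters -> 4096 possible salts.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_COUNT = len(SALT_CHARS) ** 2  # 4096


def toy_crypt(password, salt):
    """Constructed stand-in for crypt(3), NOT DES crypt: the 2-char salt is folded
    into the hash and echoed as the first two output characters, which is the
    property the post points out ("ab" stays at the front of the output)."""
    assert len(salt) == 2 and all(c in SALT_CHARS for c in salt)
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()[:11]


def new_salt():
    """What a system would generate when a password is set: a random 2-char salt."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(2))


def verify(password, stored_hash):
    """Login check as described: the salt is the first two chars of the stored hash."""
    return toy_crypt(password, stored_hash[:2]) == stored_hash


def shared_password_users(passwd_db):
    """Groups of users whose stored hashes are identical. With per-user salts this
    finds nothing even when passwords are shared; without salts it leaks them."""
    by_hash = {}
    for user, h in passwd_db.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def precompute_table(words, salted):
    """Lookup table hash -> word built once from a wordlist. 'Unsalted' is modelled
    by one fixed salt; a salted table needs an entry for each of the 4096 salts."""
    salts = ["".join(p) for p in itertools.product(SALT_CHARS, repeat=2)] if salted else ["aa"]
    return {toy_crypt(w, s): w for w in words for s in salts}


def demo():
    # Constructed sample password file: alice and bob happen to share a password.
    accounts = [("alice", "hunter2", "ab"), ("bob", "hunter2", "cd"), ("carol", "s3cret", "ef")]
    unsalted = {u: toy_crypt(p, "aa") for u, p, _ in accounts}  # same salt for everyone
    salted = {u: toy_crypt(p, s) for u, p, s in accounts}       # per-user salts
    return {
        "unsalted_shared": shared_password_users(unsalted),  # [['alice', 'bob']]
        "salted_shared": shared_password_users(salted),      # []
        "login_ok": verify("hunter2", salted["alice"]),
        "table_entries": (len(precompute_table(["hunter2"], False)),
                          len(precompute_table(["hunter2"], True))),  # (1, 4096)
    }
```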