[TriLUG] don't understand salt

Matt Flyer matt at noway2.thruhere.net
Sat Jun 9 08:53:32 EDT 2012


On Sat, 2012-06-09 at 05:37 -0700, Joseph Mack NA3T wrote:

> I understand that salting a passwd makes brute force 
> cracking more difficult. However (AFAIK) to authenticate a 
> user, the computer has to know the original salt. The salt 
> would have to be kept securely. Where is it kept in the unix 
> passwd/shadow system?

<snip>

> This would indicate that the salt is in shadow. So if the 
> attacker gets shadow, they have the salt too.
> 
> What don't I understand?

I am far from expert on this subject, but it seems that a major goal of
these types of hacks is to generate rainbow tables that map passwords to
hashes, to facilitate reverse lookups for password cracking as brute
force is still time consuming.  By using a salt, you have rendered a
rainbow table seeded with anything other than that salt useless.  So if
they have your table of hashes, even knowing the salt, they would still
need to churn through combinations by brute force to try to reverse the
password.
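As an added illustration of the point made in this reply (this is not code from the list or from any poster), the following constructed example stores the salt in the clear next to the hash, exactly as a shadow entry does, verifies a password by re-reading that salt, and shows that a lookup table built for one user's salt does not match another user who has the same password but a different salt. The record format, iteration count and sample passwords are all assumptions chosen for the demo.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # work factor; constructed value for the demo


def hash_password(password: str, salt: bytes) -> str:
    """Return a shadow-style record: the salt is stored in the clear next to the hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Authenticate by re-deriving the hash with the salt parsed from the stored record.

    Nothing secret is needed beyond the password itself; the salt is public.
    """
    _, _alg, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def precomputed_table(candidates, salt: bytes) -> dict:
    """Constructed hash -> password table; every entry is bound to one salt."""
    return {hash_password(p, salt).split("$")[4]: p for p in candidates}


def lookup(record: str, table: dict):
    """Return the password if the record's hash is in the table, else None."""
    return table.get(record.split("$")[4])


if __name__ == "__main__":
    # Two users share a password but get different (constructed) salts.
    salt_alice, salt_bob = b"\x01" * 16, b"\x02" * 16
    alice = hash_password("correct horse", salt_alice)
    bob = hash_password("correct horse", salt_bob)
    print(alice != bob)  # same password, different stored hashes
    print(verify_password("correct horse", bob))  # verification still works

    # A table built for Alice's salt is useless against Bob's entry.
    table = precomputed_table(["hunter2", "correct horse"], salt_alice)
    print(lookup(alice, table))  # found: table matches her salt
    print(lookup(bob, table))    # None: must be recomputed per salt
```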
