[TriLUG] don't understand salt

Chris Short chris.short at gmail.com
Sat Jun 9 08:48:15 EDT 2012


This might help you get a better idea:
http://queue.acm.org/detail.cfm?id=2254400

Thanks,
Chris Short


On Jun 9, 2012, at 8:37 AM, Joseph Mack NA3T <jmack at wm7d.net> wrote:

> Following the recent linkedin passwd database debacle, I did what I thought was deleting my linkedin account (I've had it for 6mo and haven't found any use for it). A friend then reminded me that nothing on the web is ever deleted and I realised that I'd only closed the account, only making it inaccessible to me.
>
> I understand that salting a passwd makes brute force cracking more difficult. However (AFAIK) to authenticate a user, the computer has to know the original salt. The salt would have to be kept securely. Where is it kept in the unix passwd/shadow system?
>
> http://en.wikipedia.org/wiki/Salt_%28cryptography%29
>
> says
>
> "
>
> In a typical usage for password authentication, the salt is stored along with the output of the one-way function, sometimes along with the number of iterations to be used in generating the output (for key stretching).
>
> "
>
> This would indicate that the salt is in shadow. So if the attacker gets shadow, they have the salt too.
>
> What don't I understand?
>
> Thanks Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!


