oops, my bad (was: choice of salt) Oct 31 2007 03:08PM
SecFocus subscriber Dave Aronson (secfocus2dave davearonson com)
I think I see where I misgrokked the original situation. I *initially* thought that what was being described was, in pseudocode:

storedPwd = crypt (givenPwd, firstTwoChars (crypt (givenPwd, "")));

IOW, a decidedly non-random salt, derived from the password, thus next to worthless. But, upon following the links given (d'oh!), it seems to be:

salt = makeTwoCharsFrom (firstTwelveBits (random32BitValue()));
storedPwd = salt + crypt (givenPwd, salt);

IOW, htpasswd *does* indeed use a random salt, just not a separate field for it, instead prepending it to the password, as two chars.

Is that correct?


Dave Aronson
"Specialization is for insects." -Heinlein
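
Added example (not part of the original post, and not htpasswd's own code): the two readings from the pseudocode above, side by side, showing what each does to accounts that share a password. Assumptions: `toy_crypt` is a SHA-256 stand-in for DES crypt(3), the 12 bits are taken from the low end of the random value, and all function names are hypothetical.

```python
import hashlib
import secrets

# crypt(3) salt alphabet: 64 symbols, so two characters carry 12 bits.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for DES crypt(3) (assumption); returns the hash part only."""
    return hashlib.sha256((salt + password).encode()).hexdigest()[:11]

def salt_from_12_bits(value: int) -> str:
    """Encode the low 12 bits of value as two salt characters, 6 bits each."""
    value &= 0xFFF
    return SALT_CHARS[value & 0x3F] + SALT_CHARS[value >> 6]

def store_derived(password: str) -> str:
    """First reading: the salt comes from the password's own hash."""
    salt = toy_crypt(password, "")[:2]
    return toy_crypt(password, salt)

def store_random(password: str) -> str:
    """Second reading: random 12-bit salt, prepended to the hash as two chars."""
    salt = salt_from_12_bits(secrets.randbits(32))
    return salt + toy_crypt(password, salt)

def verify_random(password: str, stored: str) -> bool:
    """The verifier reads the salt back from the first two characters."""
    salt, expected = stored[:2], stored[2:]
    return secrets.compare_digest(toy_crypt(password, salt), expected)

def distinct_entries(store, password: str, users: int) -> int:
    """Number of different stored values for `users` accounts sharing one password."""
    return len({store(password) for _ in range(users)})

if __name__ == "__main__":
    # Constructed sample password, 200 simulated accounts.
    print("derived salt:", distinct_entries(store_derived, "hunter2", 200))
    print("random salt: ", distinct_entries(store_random, "hunter2", 200))
```

With the derived salt every account sharing a password stores the same string, so one precomputed guess matches all of them; with the random salt the entries differ, but only across the 4096 values that 12 bits allow.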

Re: oops, my bad (was: choice of salt) Oct 31 2007 03:18PM
Jamie Riden (jamie riden gmail com)