Where is the SALT attached to the password, AFTER or BEFORE the password?

When you are using GNU/Linux, the password are (mainly) encripted in MD5 and SHA
The operative system attaches a SALT to this password before encrypting it to avoid dictionary attacs.

My question is, where does the SO attaches the SALT, before, or after the password?

For example, is my password is: peter2011 before encripting it, it does:

saltpeter2011 or peter2011salt ?

Thanks in advance.


I dont know if you missunderstood my question, but I'm not asking how does Linux stores his passwords, I'm asking how does encripts it, i mean:

encrypt_in_md5(saltpeter2011) or encript_in_md5(peter2011salt)

I know that on the /etc/shadow file are stored as $salt&encripted_password

Thanks in advance!


It's a little more complex than that, involving multiple rounds of appending and hashing. Best to just use crypt(3) and let the system handle it.


It's not as simple as you might think.

First of all the way salts are used depends on the hashing function used. You mention MD5, so we'll take this case.

You have to look into glibc/crypt/md5-crypt.c file for the answer, in glibc sources.

There you will find, that first it does something like md5(KEY$1$SALT), then does md5(KEYSALTKEY) and then mixes them together in a weird way. Then it does some more weird iterations based on the key, the salt and the previous results, and finally after some more mixing of bytes you are done.


If you're implementing the system, it is completely up to you. Does not matter at all.

Most probably unix does $1$SALTpeter2011 .

链接地址: http://www.djcxy.com/p/52854.html

上一篇: 超链接没有前导和尾随空格

下一篇: SALT在密码后附加或在密码之前的位置?