In most unixes OS, you have seen a shadow password file, and you should know that it contains a user password that's been hashed. But do you understand the salt+hash structure of the password ? and why do we salt our passwords to begin ?
Okay that looks cryptic right?
It's actually a very cool strategy, the 1st characters tells us it's a md5 hash ( $1$ ) and the next following of jumble up characters between the $ $ is the full salt , and next set of characters upto the : is the hash password provided by the user.
e.g wKJP1DyH + JeCAcEgSnVlD0k3.AMg.0 ( salt+hash )
Okay so why do we salt the password ? isn't salt bad for you ?
Will for unix security, it's actually the opposite. Salt is really good for you and a lot of it, is even better!
Okay this is a simple snapshot of me salting a user password with some random salt. The password that's being salted and hash == "mypassword" .
note: I'm using the common openssl utility for demostration. The salt is randomly generated by openssl.
Okay that was my password salted 4 times using a random salt each time during the hash function.
You notice how the hash are not the same? Also the salt has changed?
But guess what? that's the same password in all 4 executions.
Okay why do we salt things when it comes to passwords?
- A random salt makes a password less prune to a dictionary attack. Since the attacker would need to know the random salt that was used & for that password.
- A salt also ensure that no two users, who happens to use the same password, would generate the same unique hashes in our shadow/master.passwd file
- make any attacks that uses pre-hash-table ineffective ( e.g rainbow tables )
- It makes our password security, more enhanced
So if somebody where to use my password of "mypasswd", the hash would be different unless the random salt was the same ( very unlikely , depending on the size of the salt..... I will explain later on )
A good security consultant wil tell you; " that the salt should randomized, and as big as the size of data your protecting, or even larger". This way we ensure a complete random hash for any password combo.
For a live example, I've built the above into a script that dumps our salted password of "mypasswd" into a file.
Okay, let's execute that script & directed the output to a file named "formyblog". This file contains my salted password. We will next use some basic unix tools to see if we have any matches;
Okay cool, out of half million plus entries, not one duplicate. Even tho, we hash the same old password of "mypasswd".
Now for some fun. We repeat the same, but this time with a smaller value for the salt & still use the same boring password of; "mypasswd".
( here's the script modified)
Now here's the final tally, take note of the lesser number of entries and the duplicates that was found due to the smaller random salt size. We barely generated over 76K executions.
I hope this helps you to understand, "why we salt our passwords".
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( ^ ^ )=
o
/ \
No comments:
Post a Comment