On Mon, 13 Jan 2003, Keith Fernandez wrote:

> What is the meaning of salt. I am confused.
> Where can I get more info on "salt"

In the beginning, your password lived in the password field of /etc/passwd, protected by crypt(3). /etc/passwd being world-readable, everyone could see your [hashed] password.

The purpose of the password "salt" is to perturb the hashes to prevent dictionary attacks and obvious password duplication. It works by prepending (I think) the salt to the password before feeding it into the hashing routine. The result is that two users with the same password will not have the same password hash, because their [randomly selected] salt differs. The sneaky user who would pre-hash all the words in the dictionary has a much harder job, because the number of calculations increases with the amount of salt.

Current Redhat systems keep the password hash in /etc/shadow, in "MD5" format. This addresses the main deficiencies of plain crypt: not enough salt, and only the first 8 characters of the password are significant.

Cheers,
Phil
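The mechanism Phil describes, as an added worked example that is not part of the original thread. It uses SHA-256 with the salt prepended to the password as a stand-in for crypt(3) (the real DES-based and MD5-crypt constructions are different), a constructed five-word dictionary, and a 1-byte salt (256 values, versus crypt(3)'s 12 bits) so the precomputation stays small. It shows that the same password hashes differently under two salts, that the login side can still verify by re-using the stored salt, and that an attacker's pre-hashed table has to grow by a factor of the number of possible salts.

```python
import hashlib
import os

# Constructed example dictionary; a real attack uses a word list of millions.
DICTIONARY = ["password", "letmein", "dragon", "qwerty", "hunter2"]

# A 1-byte salt (256 values) keeps the demo fast; crypt(3) uses 12 bits (4096).
SALT_LEN = 1
SALT_SPACE = [bytes([i]) for i in range(256)]


def hash_password(password: str, salt: bytes) -> bytes:
    """Prepend the salt to the password, then hash.

    SHA-256 stands in for crypt(3)'s DES-based routine so the example runs
    anywhere; the real crypt and MD5-crypt formats are different constructions.
    """
    return hashlib.sha256(salt + password.encode()).digest()


def create_entry(password: str) -> tuple[bytes, bytes]:
    """What the login program stores for a user: (random salt, hash)."""
    salt = os.urandom(SALT_LEN)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute with the stored salt and compare to the stored hash."""
    return hash_password(password, salt) == stored_hash


def precompute_unsalted(words: list[str]) -> dict[bytes, str]:
    """Attacker's table against an unsalted scheme: one hash per word."""
    return {hash_password(w, b""): w for w in words}


def precompute_salted(words: list[str], salts: list[bytes]) -> dict[tuple[bytes, bytes], str]:
    """Against a salted scheme the table needs one entry per (salt, word)."""
    return {(s, hash_password(w, s)): w for s in salts for w in words}


def crack(table: dict[tuple[bytes, bytes], str], salt: bytes, stored_hash: bytes):
    """Look a stolen (salt, hash) pair up in the attacker's table."""
    return table.get((salt, stored_hash))


if __name__ == "__main__":
    # Same password, two fixed salts: different hashes.
    print(hash_password("hunter2", b"\x00").hex()[:16],
          hash_password("hunter2", b"\x01").hex()[:16])
    unsalted = precompute_unsalted(DICTIONARY)
    salted = precompute_salted(DICTIONARY, SALT_SPACE)
    print(len(unsalted), "unsalted table entries vs", len(salted), "salted entries")
    salt, h = create_entry("dragon")
    print("verify:", verify("dragon", salt, h), "cracked as:", crack(salted, salt, h))
```

The table size is the point: with an n-bit salt the attacker's precomputed dictionary is 2^n times larger, which is why the 12-bit salt of classic crypt was considered too small once disks and CPUs caught up, and why later formats use longer salts.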