Date: Sun Jul 31 23:24:02 2005
From: admin at karsten.pcn.de (Karsten Gessner)
Subject: Best way to crack NT passwds

Only OLD system passwords are working with rainbow tables. On newer
"Salt is used to randomize the stored password hash. With different salt
value, same password yields different hash value. The time-memory
trade-off technique used by RainbowCrack is not practical when applied
to this kind of hash."

Re: Things I've always wanted to know about salting (Score:5, Informative)
by jcochran (309950) on Sunday July 04, @01:09AM (#9604125)

The "salt" is used to change how the password is hashed. If you look at
the shadow password file on your computer, you'll see some lines that
look like this:

root:$1$abcdefge$abcd1234efg789hijklmno:0:0:... 

You'll notice that the password field (the stuff after the 1st colon,
and before the 2nd colon) is itself divided into 3 fields separated by
dollar signs. The purpose of these fields is:

1st field - Identifies hashing method. This allows for future changes to
how the password is stored while allowing backward compatibility with
existing passwords.

2nd field - This contains the salt used to hash the password. In order
to verify a new password, this exact salt must be used in the hashing
process. Since in this case, it's 8 characters long and each character
can be one of 64 values, it means that each possible password may be
hashed into one of 2^48 different values. This salt is generated
randomly at the time that you set your password. The randomly generated
salt is then stored here for use in verifying future authentication
attempts.

3rd field - This is the actual hashed password using the salt specified
in the previous field. It is 22 characters long, which with base 64
encoding can store 132 bits. Since MD5 only hashes to 128 bits, there
are 4 unused bits at the tail end of this value. 

-----
After reading and understanding rainbow tables I became a little bit
nervous till I read about the salt in it ;-)
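The $1$ field layout jcochran describes, as an added example that is not part of this post or of any tool discussed on the list: a parser for the three dollar-separated fields, the bit counts he cites (8 salt characters of 64 values = 48 bits, 22 hash characters = 132 bits), and a re-implementation of the md5crypt algorithm written here from the reference description, used to show that one password under two salts yields two unrelated hash fields, which is exactly what a precomputed table cannot absorb. The password and salts in the main block are constructed inputs.

```python
import hashlib

# crypt(3) base-64 alphabet: 6 bits per character, low bits emitted first
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_crypt_field(field):
    """Split a '$1$salt$hash' password field into (method, salt, hash)."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash password field")
    return parts[1], parts[2], parts[3]

def base64_bits(text):
    """Bits held by a crypt base-64 string: 8-char salt -> 48, 22-char hash -> 132."""
    return 6 * len(text)

def to64(value, count):
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def md5crypt(password, salt):
    """The $1$ (md5crypt) scheme, re-implemented here from the reference algorithm."""
    pw, s, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    bits = len(pw)
    while bits:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return magic.decode() + s.decode() + "$" + out + to64(final[11], 2)

if __name__ == "__main__":
    # constructed inputs: one password, two salts -> two unrelated hash fields
    for salt in ("abcdefgh", "ABCDEFGH"):
        field = md5crypt("hunter2", salt)
        print(field, base64_bits(parse_crypt_field(field)[2]))
```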
