lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 22 Sep 2015 23:26:03 +0300
From: Solar Designer <>
Subject: Re: [PHC] Specification of a modular crypt format

On Sun, Sep 13, 2015 at 08:26:50PM +0200, Thomas Pornin wrote:
>   format; the parameters are separated by commas, and the list ends

FWIW, a comma was historically (prior to password shadowing and/or on
YP/NIS) used to separate the password hash from password aging info.
Perhaps this is still the case on some NIS setups, possibly even on
those that could upgrade their hash type?

In JtR, the comma is only parsed like that (truncating the hash to
crack) for descrypt, bigcrypt, and AFS, but not in the generic loader
code.  IIRC, no one has reported needing this comma processing for
another hash type, but this doesn't necessarily mean such cases don't

| entry in /etc/passwd could be:
| frank:yPf3M5qMgglUc,437I:101:10:Frank G Fiamingo:/home/tardis/frank:/usr/bin/csh

| ]
| ] Sample entry from /etc/passwd with password aging installed:
| ]
| ] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash
| ]
| Note the comma in the encrypted password field.  The characters after
| the comma are used by the password aging mechanism.
| ]
| ] Password aging characters from above example:
| ]
| ] M.z8
| ]
| The four characters are interpreted as follows:
|   1: Maximum number of weeks a password can be used before changing
|   2: Minimum number of weeks a password must be used before changing
| 3&4: Last time password was changed, in number of weeks since 1970/1/1

Then there's more detail given on some special cases.

| 03-02-2005 03:47 AM 
| I've configured password aging by hand. You can do this by editing the passwd file on the NIS master. Password aging information is added to the password hash:
| user1:--hash---,abCC:uid:gid:....etc

2005 is relatively recent, but I guess it was a descrypt hash anyway.
/Old-Style Password Aging

... and many other web pages, e.g. also an IRIX passwd(4) man page, etc.

BTW, this sets a precedent of using crypt B64 to encode numeric data.
Other such uses are seen in bsdicrypt (to my knowledge, the very first
scheme to use variable iteration counts in early 1990s, with four B64
chars encoding a 24-bit iteration count) and in my phpass "last resort
fallback" MD5-based scheme.


Powered by blists - more mailing lists