Where is the SALT attached to the password, AFTER or BEFORE the password?

When you use GNU/Linux, the password is (mostly) specified in MD5 and SHA.
The operating system attaches the SALT to this password before encrypting it to avoid dictionary attacks.

My question is, where does the OS attach the SALT, before or after the password?

For example, my password is: peter2011. Before specifying it, is it:

saltpeter2011 or peter2011salt

Thanks in advance.


I don't know if you have missed my question, but I don't ask how Linux stores its passwords, I ask how it does this, I mean:

encrypt_in_md5(saltpeter2011) or encrypt_in_md5(peter2011salt)

I know that the /etc/shadow file is stored as $ salt & encrypted_password

Thanks in advance!

+7
3 answers

This is a bit more complicated than using multiple rounds of add and hash. It is best to use crypt(3) and let the system handle it.

+4

It is not as easy as you think.

First of all, the way the salts are used depends on the hash function used. You mention MD5, so we look at this case.

You should look in the glibc/crypt/md5-crypt.c file for a response in glibc sources.

There you will find that it first does something like md5(KEY$1$SALT), then does md5(KEYSALTKEY), and then mixes them together in a weird way. Then it does some weirder iterations based on the key, salt and previous results, and finally, after some mixing of the bytes, you are done.

+3
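The construction outlined in the answer above, written out as an added example (not part of the original answers and not glibc's own code): a Python re-implementation of the `$1$` MD5-crypt scheme, showing that the salt is neither simply prepended nor appended. The names `md5_crypt` and `_to64` and the sample salt are chosen here for illustration.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, length: int) -> str:
    """Emit `length` characters, 6 bits each, least significant bits first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return the $1$ (MD5-crypt) string in the form stored in /etc/shadow."""
    magic = b"$1$"
    salt = salt[:8]  # the scheme uses at most 8 salt characters
    # "Alternate" digest: md5(KEY SALT KEY)
    alt = hashlib.md5(password + salt + password).digest()
    # Main digest starts as md5(KEY $1$ SALT ...)
    ctx = hashlib.md5(password + magic + salt)
    # ... then takes len(KEY) bytes of the alternate digest, repeating it
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # ... then one byte per bit of len(KEY): NUL if the bit is set, else KEY[0]
    n = len(password)
    while n:
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    # 1000 rounds that re-mix key, salt and the previous result
    for i in range(1000):
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    # Byte shuffle before the custom base64 encoding
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return f"$1${salt.decode()}${encoded}"

if __name__ == "__main__":
    # Constructed sample: the question's password with a made-up salt
    print(md5_crypt(b"peter2011", b"saltsalt"))
```

For real password handling, call the system's crypt(3) as the first answer says; this block only shows where the salt enters the computation.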

If you implement a system, it is entirely up to you. Irrelevant.

Most likely, Unix makes $1$SALTpeter2011.

-3