salt reminder

11-16-2009, 01:31 AM
I currently use salt for my md5 encrypted passwords. (thanks Fish).

I want to move on to variable salt encryption where each pwd has a different, random salt, but my aim of retaining that knowledge until I was ready for this step has failed.

My question is, will the salt always be the same length after hashing, so it won't matter when it comes to splitting off the salt for comparison with the pwd? Or should I always ensure the salt is of a given length, pre-encryption?

I am trying to work out how - if it is that consistent, that it won't easily be cracked.

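use Crypt::PasswdMD5;    # exports unix_md5_crypt

if ($encrypted_pass && $login{'username'} eq "$user_name") {
    # Stored value looks like $1$<salt>$<digest>; take the 8 characters after "$1$" as the salt
    my $salt = substr($encrypted_pass, 3, 8);
    my $password = unix_md5_crypt( $login{'password'}, $salt );
}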


11-16-2009, 05:29 AM
The length of the salt value should remain constant. However, as long as it isn't being used by the system (such as in the /etc/passwd file) then it could vary in length, but that just complicates the authentication process in your script, so why would you want to do that?

The salt value is only one part of the authentication process. The most important part in averting the password being cracked is to make sure that users use a good password that is at the very least 6 characters and is not simply based on a dictionary word or number. I've seen users using 1234 as a password. That can be cracked in a fraction of a second.

The password encryption that I showed you in previous threads can be used to generate *nix login passwords which are more secure than Windows passwords. When authenticating *nix login passwords, then you should look at using PAM authentication.

Authen::PAM - Perl interface to PAM library
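An added example, not code from either poster: per-password salts with the same unix_md5_crypt call, where the stored string is split on its "$" delimiters rather than at fixed offsets, so the salt length does not have to be constant. The helper names new_salt, parse_stored and check_password and the sample passwords are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);

# Alphabet used by crypt-style salts and digests.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Hypothetical helper: build a fresh salt of $len (1..8) characters.
# rand() is a stand-in; production code should draw from a CSPRNG.
sub new_salt {
    my ($len) = @_;
    return join '', map { $SALT_CHARS[ rand @SALT_CHARS ] } 1 .. $len;
}

# Hypothetical helper: split a stored "$1$<salt>$<digest>" value on its
# delimiters. Returns an empty list if the record is malformed.
sub parse_stored {
    my ($stored) = @_;
    my ($salt, $digest) =
        $stored =~ m{\A\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})\z}
        or return;
    return ($salt, $digest);
}

# Re-hash the candidate with the salt recovered from the stored value.
sub check_password {
    my ($candidate, $stored) = @_;
    my ($salt) = parse_stored($stored) or return 0;    # malformed: reject
    return unix_md5_crypt($candidate, $salt) eq $stored ? 1 : 0;
}

# Constructed sample data: one password hashed with two salt lengths.
for my $len (8, 5) {
    my $stored = unix_md5_crypt('correct horse', new_salt($len));
    my ($salt, $digest) = parse_stored($stored);
    printf "stored=%s\n  salt=%s (%d chars), digest=%d chars\n",
        $stored, $salt, length $salt, length $digest;
    printf "  right pwd: %d, wrong pwd: %d, substr(stored,3,8)=%s\n",
        check_password('correct horse', $stored),
        check_password('1234', $stored),
        substr($stored, 3, 8);
}
```

With the 5-character salt, the fixed substr(3,8) slice runs past the salt into the "$" delimiter and the first digest characters, while the delimiter-based parse returns the salt alone.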

11-16-2009, 06:42 AM
Thanks FishMonger.

I am confused over the difference between a *nix password and a Windows password. I always thought the password was just a password and should be encrypted with something like MD5.

Any chance there is a tutorial you know of that explains the difference/significance of the difference?

Is there anything wrong with storing the encrypted password in a MySQL db? What is the difference between the two methods - MySQL or the unix file (passwd)?


11-16-2009, 06:45 PM
Hmm, I guess I did a good job of confusing the issue.

I'll try to keep this explanation to a minimum and at a high level.

First and most important is that you're authenticating users at the application level and those user accounts have no relation to the user accounts on the system. So you are completely free to use any type of password policies and authentication procedures that you wish and storing that account info in a database is the most appropriate choice.

Windows uses a completely different encryption algorithm and authentication process than UNIX/Linux systems. So if you ever do need to authenticate a system user account, you'll need to use the authentication process used on that platform.

I have several scripts that combine the system and application level authentication. Meaning that in order to use the application, the user must have a valid user account at the OS level.

11-17-2009, 12:14 AM
Yeh, a penny dropped with me a few minutes ago and I came back up to the PC to post again.

I confused myself by mixing up the issues of server authentication and passwording my cms. None of my clients will have direct server access. Instead they will be able to manage their web content via the cms. So I hold a value in the db which is an MD5 encrypted pwd and they have to enter a password which the script (you helped me with) md5's to try to match it with that held in the db.

In order to prevent cracking of these passwords, should I ensure they are changed monthly for example? And is there any improvement in value by md5-ing the pwd twice or some other 'belt and braces' notion I can come up with?

Thanks for your non-confusing help :)