Understanding Linux Password Hashes

July 14, 2004, updated August 6, 2004
This is an excerpt from an email discussion I had with a webmaster that is worth sharing.
Just thought I would comment on something I ran across on your site.

On your page, http://hills.ccsf.org/~jharri01/project.html#passwords you speculated that the first 8 chars of the MD5 hash had special meaning but didn't know what it was. It's the salt for the MD5 hash. When the password is hashed using MD5, it requires a salt (which by standard is almost always completely random/time generated by whatever command creates the password). I suppose the greatest meaning for the salt is to stop users with the same password from having the same hash.

So, the complete hash is made up of $1$_SALT_$_MD5_HASH_. The "$1$" is referred to as the "magic" and in some cases is used to determine if this is an MD5 hash and not something else (DES), like you said. So, when somebody wants to use the new version of crypt() to see if a password is correct by comparing hashes, they still need the original hash salt to create the new hash.

All this is just the result of me fooling around in the sources.
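
A worked example of the $1$ scheme described in the email above. This is an added illustration, not code from the original message or from the crypt() sources: a pure-Python reimplementation of the md5crypt algorithm (magic, salt, MD5(pw+salt+pw) mixing, the 1000 re-hash rounds and the permuted crypt(3) base-64 encoding), plus a verifier that pulls the salt back out of a stored "$1$salt$hash" string exactly as the email says it must. The function names (md5crypt, parse_hash, verify, new_hash, cross_check_with_libc) and the sample password and salt are my own choices. cross_check_with_libc compares the result against the platform crypt(3) where Python still exposes it (the crypt module was removed in Python 3.13) and returns None when it can't.

```python
import hashlib
import hmac
import secrets

MAGIC = b"$1$"
# The 64-character alphabet crypt(3) uses for its base-64-style output.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    """Emit n characters of 6 bits each, least-significant group first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def _clean_salt(salt: bytes) -> bytes:
    """Accept 'abcdefgh', '$1$abcdefgh' or a whole '$1$abcdefgh$...' string."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    return salt.split(b"$", 1)[0][:8]  # salt stops at '$' and is at most 8 chars


def md5crypt(password: bytes, salt: bytes) -> str:
    """Return '$1$<salt>$<22 chars>' for password under the md5crypt scheme."""
    salt = _clean_salt(salt)
    ctx = hashlib.md5(password + MAGIC + salt)

    # Mix in as many bytes of MD5(pw + salt + pw) as the password is long.
    alt = hashlib.md5(password + salt + password).digest()
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])

    # One byte per bit of the password length: NUL for a set bit,
    # the first password byte for a clear bit.
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of re-hashing; this is the scheme's only work factor.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    # Encode the 16 digest bytes in the fixed, permuted order crypt(3) uses.
    encoded = b"".join((
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ))
    return (MAGIC + salt + b"$" + encoded).decode("ascii")


def parse_hash(stored: str) -> tuple:
    """Split '$1$salt$digest' into (salt, digest); reject any other format."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1" or not parts[3]:
        raise ValueError("not a $1$ md5crypt hash")
    return parts[2].encode("ascii"), parts[3].encode("ascii")


def verify(password: bytes, stored: str) -> bool:
    """Recompute with the salt taken from the stored hash; compare in constant time."""
    try:
        salt, _ = parse_hash(stored)
    except ValueError:
        return False
    candidate = md5crypt(password, salt)
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def new_hash(password: bytes) -> str:
    """Hash with a fresh random 8-character salt, as a password-setting tool would."""
    salt = bytes(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


def cross_check_with_libc(password: bytes, salt: bytes):
    """True/False against the platform crypt(3); None if no usable $1$ support."""
    try:
        import crypt  # removed in Python 3.13, deprecated before that
    except ImportError:
        return None
    setting = "$1$" + _clean_salt(salt).decode("ascii") + "$"
    ref = crypt.crypt(password.decode("ascii"), setting)
    if not ref or not ref.startswith("$1$"):
        return None
    return ref == md5crypt(password, salt)


if __name__ == "__main__":
    h = md5crypt(b"secret", b"abcdefgh")  # constructed sample, not a real account
    print(h, verify(b"secret", h), verify(b"wrong", h), cross_check_with_libc(b"secret", b"abcdefgh"))
```

Two things worth noticing when running it: the salt is stored in the clear in the hash string (that is the point; the verifier needs it), and the whole scheme amounts to 1001 MD5 calls per guess, which is cheap on modern hardware. The example explains the format; it is not a recommendation to deploy $1$ hashes today.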
