I was wondering why, even for the same username and the same password, htpasswd outputs a new hash every time? I tried finding an answer to this question, but couldn't.
Different output, same username and password
The passwords generated by "htpasswd" use a random salt, to make it harder to guess. It also means that pre-crypted dictionaries for attacks have to be much larger since they have to crypt every possible password with every possible salt.
htpasswd uses crypt(3) behind the scenes.
Thanks. I was not aware of the random salt. – Kinghorn
passwd, the Unix password changing utility, does the same thing. (Although these days, many of them do MD5 passwords instead of crypt, so there isn't a salt.) – Brash
In case you're wondering, "How does the server determine the salt if the salt was randomly generated?"... the salt is the first two characters of the crypt() output. – Mullinax
@DemPilafian Thanks for the salt point! But, actually, it's not the first two characters; instead, the output of crypt has the format $<HASH_TYPE>$<SALT>$<HASH_VALUE>. And hence the server can parse this string and get the hash salt. – Boigie
Here is a tip for you: when generating secret keys or strings, use a one_way_hash(salt + current time); these are, if not impossible, hard to crack. I normally employ this to create tokens or session keys.
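As an added example (not code from the answer, the comments, or Apache's htpasswd itself), here is a small Python model of the mechanism the answer and the later comments describe: a fresh random salt is drawn on every call, stored inside a $<HASH_TYPE>$<SALT>$<HASH_VALUE> string, and parsed back out when a password is verified. It assumes a hypothetical scheme tag "pbkdf2-sha256" and PBKDF2-SHA256 standing in for crypt(3), since the salt handling, not the specific algorithm, is the point.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical scheme tag for this demo; a real crypt(3) string would carry
# tags such as $1$, $5$ or $6$. PBKDF2-SHA256 stands in for crypt's algorithm.
SCHEME = "pbkdf2-sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    # Standard base64 never contains '$', so the stored string splits cleanly.
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a '$scheme$salt$hash' string, as an htpasswd line would store it.

    With no salt supplied a fresh random one is drawn, which is why two calls
    with the same password give different strings. The salt is not secret; it
    is kept in the string so the verifier can find it again.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    return "$%s$%s$%s" % (SCHEME, _b64(salt), _b64(_derive(password, salt)))


def parse_hash(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a stored string into (scheme, salt, hash): this is how the server
    recovers a salt that was chosen at random when the entry was created."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("malformed hash string")
    _, scheme, salt_b64, digest_b64 = parts
    return scheme, base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    scheme, salt, expected = parse_hash(stored)
    if scheme != SCHEME:
        raise ValueError("unsupported scheme: %s" % scheme)
    return hmac.compare_digest(_derive(password, salt), expected)
```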