In order to make passwords more secure, a random salt is added to the password before hashing occurs.

I am assuming the salt is stored on the server in an associative array [username:salt] and the server appends the salt to the password before hashing every time the user logs in; otherwise the server wouldn't know what random salt to append to the password.

1) Is my assumption correct?

2) Is the salt normally stored in plain text or cipher on the server, and why?

3) Which file is it stored in? (I know this may be subjective as it depends on the different servers.)

I would like a detailed explanation if possible.

Thanks

Computernerd
  • 139
  • 7
  • Please see: http://security.stackexchange.com/q/33505/1722 or http://security.stackexchange.com/q/41617/1722 or http://security.stackexchange.com/q/39468/1722 or http://security.stackexchange.com/q/17421/1722 - especially that last one. – Mark Henderson Jan 16 '14 at 02:39

1 Answer

3

It's concatenated with the encrypted password string (possibly with delimiter characters, possibly just a fixed number of characters; depends on which particular password file you're talking about). So, for example, my /etc/shadow contains $6$prRzIBxG$K4w0950HW9eMmVgzqpmdgfpxqmFtXZx.mS7wGorSoeXvt51tejXxx22CoTsrmj9AsszgT.CvkB5BrPuMq1r.Z/ as the encrypted password. The $6$ is a control sequence, and the salt is pr.

(Note, that's on password-file systems like UNIX; you also tagged IIS, but Windows stores passwords, salts, etc. in a rather opaque data structure called a SAM.)

Bandrami
  • 893
  • 4
  • 9
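The following is an added example (my own code, not part of the question or the answer above) that makes the answer's point concrete: the salt is stored in the clear, inside the same field as the hash, so no separate username-to-salt table is needed. The first function splits a crypt(3)-style "$id$salt$hash" string such as the /etc/shadow field quoted in the answer, where the salt is the text between the second and third "$" (glibc also allows an optional "rounds=N" field before the salt). The second part builds and checks a comparable self-describing string using PBKDF2-SHA256 instead of glibc's SHA-512 crypt; the "$pbkdf2-sha256$iterations$salt$hash" layout, the iteration count and the user table are illustrative assumptions, not the format of any real password file.

```python
import base64
import hashlib
import hmac
import os

# The /etc/shadow field quoted in the answer above, used as sample input.
SHADOW_FIELD = ("$6$prRzIBxG$K4w0950HW9eMmVgzqpmdgfpxqmFtXZx.mS7wGorSoeXvt51tejXxx22"
                "CoTsrmj9AsszgT.CvkB5BrPuMq1r.Z/")


def parse_crypt_field(field):
    """Split a crypt(3)-style "$id$[rounds=N$]salt$hash" string into its parts.

    The salt sits in plain text between the "$" delimiters, right next to the
    hash, so the verifier recovers it from the stored string itself.
    """
    if not field.startswith("$"):
        raise ValueError("not a modular-crypt string")
    parts = field.split("$")          # parts[0] is '' (text before the leading '$')
    ident, rest = parts[1], parts[2:]
    params = None
    if rest and rest[0].startswith("rounds="):
        params, rest = rest[0], rest[1:]
    if len(rest) < 2 or not rest[0] or not rest[1]:
        raise ValueError("expected $id$salt$hash")
    return {"id": ident, "params": params, "salt": rest[0], "hash": rest[1]}


# Illustrative parameters for the PBKDF2 variant (assumption, not a standard).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return one self-describing string "$pbkdf2-sha256$iters$salt$hash".

    A fresh random salt is drawn per call unless one is supplied; the salt is
    stored base64-encoded in the clear, the same way crypt(3) does it.
    Base64 never contains '$', so splitting on '$' later is unambiguous.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Re-derive the hash using the salt and iteration count found in `stored`."""
    parts = stored.split("$")         # ['', 'pbkdf2-sha256', iters, salt, hash]
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False
    try:
        iters = int(parts[2])
        salt = base64.b64decode(parts[3])
        expected = base64.b64decode(parts[4])
    except (ValueError, base64.binascii.Error):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk, expected)


def check_login(users, username, password):
    """Look up a username in a constructed user table and verify the password.

    Only one value is stored per user: the combined salt+hash string.
    """
    stored = users.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(parse_crypt_field(SHADOW_FIELD))
    users = {"alice": hash_password("correct horse battery staple")}   # constructed
    print(users["alice"])
    print(check_login(users, "alice", "correct horse battery staple"))  # True
    print(check_login(users, "alice", "wrong password"))                # False
```

Running the script prints the parsed parts of the quoted shadow field (id "6", salt "prRzIBxG"), a freshly salted PBKDF2 string for the constructed user, and the two login checks. Hashing the same password twice yields different strings because of the fresh salt, yet both verify, which is exactly why the salt must be stored alongside the hash rather than in a separate table.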