
On my NetBSD system, there is a password hash in master.passwd that looks like this:

$sha1$[5 numbers]$[8 letters]$[17 alphanumeric].[10 alphanumeric]

For privacy concerns I left out the actual values. Would someone be willing to explain the different parts of this? I was under the impression that SHA1 resulted in 20 bytes, so I was very confused about what part was the actual hash, and what part was the salt, and what part everything else was.


1 Answer


The relevant parts can be found in NetBSD src/lib/libcrypt.

For the format: crypt-sha1.c

The format of the encrypted password is:
$<tag>$<iterations>$<salt>$<digest>
where:
    <tag>       is "sha1"
    <iterations>    is an unsigned int identifying how many rounds
            have been applied to <digest>.  The number
            should vary slightly for each password to make
            it harder to generate a dictionary of
            pre-computed hashes.  See crypt_sha1_iterations.
    <salt>      up to 64 bytes of random data, 8 bytes is
            currently considered more than enough.
    <digest>    the hashed password.

The digest is 160 bits = 20 bytes, but it is encoded using base64 (4 bytes for 3 source bytes) to 28 bytes (with one zero padding byte). See util.c for that.

  • Thank you! I was looking in the man page for master.passwd but they seemed to only mention blowfish. Very helpful. – user3475234 May 09 '15 at 00:17
  • It's not documented in crypt(3) either. Maybe you should get them to add it to the manpage. – lmz May 09 '15 at 00:21
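An added example, not part of the answer or of NetBSD's own code, that shows the format in working Python: it parses a `$sha1$<iterations>$<salt>$<digest>` string, recomputes the digest (HMAC-SHA1 keyed with the password, primed with `<salt>$sha1$<iterations>` and then re-applied to its own output), and encodes the 20 bytes with crypt's `./0-9A-Za-z` alphabet, six bits at a time, low bits first, which is why 20 bytes become 28 characters. The final four-character group packs digest bytes 18 and 19 plus byte 0 as the padding byte; that detail is my reading of crypt-sha1.c and not stated on the page, and the password, salt and iteration count below are constructed sample values.

```python
import hashlib
import hmac
import re

# crypt(3)'s 64-character alphabet; this is not RFC 4648 base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def to64(value, n):
    """Emit n characters from value, six bits at a time, low bits first."""
    chars = []
    for _ in range(n):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)

def encode_digest(digest):
    """20 HMAC bytes -> 28 characters: six groups of three bytes, then one
    group holding bytes 18 and 19 padded with byte 0 (assumed from the C code)."""
    if len(digest) != 20:
        raise ValueError("SHA-1 HMAC must be 20 bytes")
    out = ""
    for i in range(0, 18, 3):
        out += to64((digest[i] << 16) | (digest[i + 1] << 8) | digest[i + 2], 4)
    out += to64((digest[18] << 16) | (digest[19] << 8) | digest[0], 4)
    return out

def parse(hash_str):
    """Split a master.passwd field into (iterations, salt, encoded digest)."""
    m = re.fullmatch(r"\$sha1\$(\d+)\$([^$]{1,64})\$([./0-9A-Za-z]{28})", hash_str)
    if not m:
        raise ValueError("not a $sha1$ crypt string")
    return int(m.group(1)), m.group(2), m.group(3)

def sha1crypt(password, salt, iterations):
    """Recompute a $sha1$ hash: HMAC-SHA1 keyed with the password, primed with
    '<salt>$sha1$<iterations>' and then fed its own output for the remaining rounds."""
    key = password.encode()
    buf = hmac.new(key, f"{salt}$sha1${iterations}".encode(), hashlib.sha1).digest()
    for _ in range(1, iterations):
        buf = hmac.new(key, buf, hashlib.sha1).digest()
    return f"$sha1${iterations}${salt}${encode_digest(buf)}"

def verify(password, hash_str):
    """Constant-time check of a candidate password against a stored hash."""
    iterations, salt, _ = parse(hash_str)
    return hmac.compare_digest(sha1crypt(password, salt, iterations), hash_str)
```

For the question's layout, `parse` returns the 5-digit iteration count, the 8-character salt and the 28-character digest as separate fields, so the 17/10 split on either side of the `.` is just where a `.` happened to fall in the encoded digest.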