Lukas Z's Blog

On Programmatically Checking Linux-passwords

Klaus Trainer has just posted a short article on how to write a short program that checks usernames and passwords on a Linux machine.

I was at first confused why it works, since there was no salt. But in fact it’s there, inside the entry in /etc/shadow.

Here’s the format:

$<HASHING-METHOD>$<SALT>$<HASHED-PASSWORD (base64)>

So for example if we have a row like this:

$6$qUgyc2fC$hljmJlJU7TV4gm8GDZd51eZnxNgWp3rUJ49kSblRLssLqxux5K.xSIcIn2QjL27jXOREBfXiB1WES3SEIPHk10

Then the 6 means that SHA512 was used, and qUgyc2fC is the salt.
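To make the layout concrete, here is an added example (not code from this post or from Klaus Trainer's article) that parses the hash field and recovers the method and salt a checker has to feed back into the hash function. The optional `rounds=` parameter, the `!`/`*` locked-account markers and the expected hash lengths come from crypt(5) rather than from this page, and the `alice` line is constructed around the row shown above.

```python
import re
from typing import NamedTuple, Optional

# crypt(3) method id -> (name, length of the encoded hash). Assumption from crypt(5).
METHODS = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
# The hash text uses crypt's own 64-character alphabet (./0-9A-Za-z, no padding),
# which is not the RFC 4648 base64 alphabet.
CRYPT64 = re.compile(r"[./0-9A-Za-z]+")

class ShadowHash(NamedTuple):
    method: str
    rounds: Optional[int]   # None means the method's default round count
    salt: str
    digest: str

def password_field(shadow_line: str) -> str:
    """Return the second colon-separated field of a full /etc/shadow line."""
    return shadow_line.rstrip("\n").split(":")[1]

def parse_shadow_hash(field: str) -> Optional[ShadowHash]:
    """Parse $id$[rounds=N$]salt$hash; None for empty or locked (!, *) entries."""
    if field == "" or field[0] in "!*":
        return None          # no usable hash: nothing can verify against it
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in METHODS:
        raise ValueError("unsupported or malformed hash field")
    name, length = METHODS[parts[1]]
    rest, rounds = parts[2:], None
    if parts[1] in ("5", "6") and rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) != 2:
        raise ValueError("expected exactly salt and hash")
    salt, digest = rest
    if len(digest) != length or not CRYPT64.fullmatch(digest):
        raise ValueError("hash has wrong length or alphabet for " + name)
    return ShadowHash(name, rounds, salt, digest)

# The row from this page, and a constructed full shadow line built around it.
PAGE_ROW = ("$6$qUgyc2fC$hljmJlJU7TV4gm8GDZd51eZnxNgWp3rUJ49kSblRLssLqxux5K"
            ".xSIcIn2QjL27jXOREBfXiB1WES3SEIPHk10")
SAMPLE_LINE = "alice:" + PAGE_ROW + ":19000:0:99999:7:::"   # constructed

if __name__ == "__main__":
    print(parse_shadow_hash(password_field(SAMPLE_LINE)))
```

A checker hashes the candidate password with the parsed method, salt and round count, then compares the result to the stored field, which is why no separate salt has to be supplied.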

P.S.: You can follow me on Twitter.
