Hashing
Henry, 2019-09-03 12:34:03

Where can I read more about hashed string syntax?

There are two password lines:

ftO3Vf5ujoFQgpz9vG7D+paKjOnppI7IRuuvQpq7s1U=
sha256:1000:L6DlotbUNtnUv7jZ5d/vLnnzaklLWeVt:mUOt7S58/Ray8HE68OhmJc9IDZkLJmoK

Both are hashed using the sha256 algorithm. As I understand it, the second option includes a salt and an indication of which specific hashing algorithm was used (but I'm not sure about that). Why is it written one way in one case and differently in the other? Where can I read more about this?

2 answer(s)
lorc, 2019-09-03
@Henryh

There is no single standard for how passwords (and even more so - just strings) are hashed.
For example, the passwd format is described in `man 3 crypt`:

The glibc version of this function supports additional encryption algorithms.

If salt is a character string starting with the characters "$id$" followed by a string optionally terminated by "$", then the result has the form:

    $id$salt$encrypted

id identifies the encryption method used instead of DES and this then determines how the rest of the password string is interpreted. The following values of id are supported:

    ID  | Method
    ────┼───────────────────────────────────────────────────────────────────
    1   | MD5
    2a  | Blowfish (not in mainline glibc; added in some Linux distributions)
    5   | SHA-256 (since glibc 2.7)
    6   | SHA-512 (since glibc 2.7)

Thus, $5$salt$encrypted and $6$salt$encrypted contain the password encrypted with, respectively, functions based on SHA-256 and SHA-512.

"salt" stands for the up to 16 characters following "$id$" in the salt. The "encrypted" part of the password string is the actual computed password. The size of this string is fixed:

    MD5     | 22 characters
    SHA-256 | 43 characters
    SHA-512 | 86 characters

The characters in "salt" and "encrypted" are drawn from the set [a-zA-Z0-9./]. In the MD5 and SHA implementations the entire key is significant (instead of only the first 8 bytes in DES).

Since glibc 2.7, the SHA-256 and SHA-512 implementations support a user-supplied number of hashing rounds, defaulting to 5000. If the "$id$" characters in the salt are followed by "rounds=xxx$", where xxx is an integer, then the result has the form

    $id$rounds=yyy$salt$encrypted

where yyy is the number of hashing rounds actually used. The number of rounds actually used is 1000 if xxx is less than 1000, 999999999 if xxx is greater than 999999999, and is equal to xxx otherwise.

In other places, the format may be completely different. Therefore, the most accurate answer is to look at the source codes of the code that generated these lines for you.
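As an added example (not from this thread and not glibc's own code), here is a Python parser that checks a string against the `$id$[rounds=N$]salt$encrypted` layout and the field rules quoted from `man 3 crypt` above: the id table, the 16-character salt limit, the `[a-zA-Z0-9./]` alphabet, the fixed hash lengths and the rounds range. The sample strings at the bottom are constructed filler of the documented lengths, not real hashes; the Blowfish hash length is not in the quoted table, so it is left unchecked.

```python
import string

# Values taken from the `man 3 crypt` excerpt quoted above: id -> (method, hash length).
# Blowfish's hash length is not given in that excerpt, so it is left unchecked (None).
CRYPT_IDS = {
    "1": ("MD5", 22),
    "2a": ("Blowfish", None),
    "5": ("SHA-256", 43),
    "6": ("SHA-512", 86),
}
CRYPT_ALPHABET = frozenset(string.ascii_letters + string.digits + "./")
DEFAULT_ROUNDS = 5000   # glibc default for SHA-256/SHA-512 per the man page


def parse_crypt(s: str) -> dict:
    """Parse "$id$[rounds=N$]salt$encrypted" and validate each field against the
    rules in the man page excerpt. Raises ValueError on any violation."""
    if not s.startswith("$"):
        raise ValueError("not modular crypt format: no leading '$'")
    fields = s.split("$")[1:]          # drop the empty field before the first '$'
    if len(fields) < 3:
        raise ValueError("expected at least $id$salt$encrypted")
    cid, rest = fields[0], fields[1:]
    if cid not in CRYPT_IDS:
        raise ValueError(f"unsupported id {cid!r}")
    method, expected_len = CRYPT_IDS[cid]

    rounds = None
    if rest[0].startswith("rounds="):
        if cid not in ("5", "6"):
            raise ValueError("rounds= is only defined for SHA-256 and SHA-512")
        value = rest[0][len("rounds="):]
        if not value.isdigit():
            raise ValueError("rounds= must be an integer")
        rounds = int(value)
        # A string produced by glibc carries the rounds actually used,
        # which the man page says are clamped to [1000, 999999999].
        if not 1000 <= rounds <= 999999999:
            raise ValueError(f"rounds={rounds} is outside the range glibc would emit")
        rest = rest[1:]
    elif cid in ("5", "6"):
        rounds = DEFAULT_ROUNDS

    if len(rest) != 2:
        raise ValueError("expected exactly salt and encrypted after the id/rounds")
    salt, encrypted = rest
    if len(salt) > 16:
        raise ValueError(f"salt is {len(salt)} chars; at most 16 allowed")
    for name, field in (("salt", salt), ("encrypted", encrypted)):
        bad = set(field) - CRYPT_ALPHABET
        if bad:
            raise ValueError(f"{name} has characters outside [a-zA-Z0-9./]: {sorted(bad)}")
    if expected_len is not None and len(encrypted) != expected_len:
        raise ValueError(f"{method} encrypted part must be {expected_len} chars, got {len(encrypted)}")
    return {"id": cid, "method": method, "rounds": rounds, "salt": salt, "encrypted": encrypted}


def is_valid_crypt(s: str) -> bool:
    """True when parse_crypt accepts the string."""
    try:
        parse_crypt(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample strings (not real password hashes): the hash parts are filler
    # of the documented length so the layout checks can be shown.
    samples = [
        "$6$rounds=4000$saltsalt$" + "a" * 86,   # SHA-512 with explicit rounds
        "$5$saltsalt$" + "b" * 43,               # SHA-256, default rounds
        "$1$saltsalt$" + "c" * 22,               # MD5
        "$5$saltsalt$" + "b" * 42,               # wrong length -> rejected
        # the question's second line: a different convention, rejected by this parser
        "sha256:1000:L6DlotbUNtnUv7jZ5d/vLnnzaklLWeVt:mUOt7S58/Ray8HE68OhmJc9IDZkLJmoK",
    ]
    for s in samples:
        try:
            print(parse_crypt(s))
        except ValueError as e:
            print(f"rejected {s[:24]}...: {e}")
```

The last sample shows the point of the answer: the question's `sha256:1000:...` line is not modular crypt format at all, so nothing in the man page tells you how to read it; only the code that produced it does.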

Ruslan., 2019-09-03
@LaRN

By the appearance of the hash, it is impossible to determine whether there is a salt or not, that's why it is a hash.
You can read about sha256 on the wiki.
And you can experiment with it if you download, for example, OpenSSL.
OpenSSL docs:
https://www.madboa.com/geek/openssl/
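As an added experiment in the spirit of this answer (added here, not part of the thread; it uses Python's hashlib rather than the OpenSSL CLI), the block below shows why the appearance of the first line tells you nothing about salting: a raw SHA-256 digest is always 32 bytes, which is 44 characters in base64 whether or not a salt went into it. The `algo:iterations:salt:hash` builder at the end is an assumed layout modelled on the question's second line, not a documented format; the password and salt are constructed inputs.

```python
import base64
import hashlib
import os

# Constructed inputs for the experiment (not from the thread).
PASSWORD = b"correct horse battery staple"
SALT = os.urandom(24)


def b64_sha256(data: bytes) -> str:
    """Base64 of a raw SHA-256 digest: always 32 bytes -> 44 base64 characters."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def decoded_len(token: str) -> int:
    """Byte length a standard-base64 token decodes to; raises on invalid input."""
    return len(base64.b64decode(token, validate=True))


def pbkdf2_line(password: bytes, salt: bytes, iterations: int, dklen: int = 24) -> str:
    """Build an "algo:iterations:salt:hash" string with PBKDF2-HMAC-SHA256.
    This layout is an assumption modelled on the question's second line,
    not a documented format."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=dklen)
    return "sha256:%d:%s:%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def same_shape(a: str, b: str) -> bool:
    """True when two tokens have the same length and decode to the same byte count:
    a salted and an unsalted digest cannot be told apart this way."""
    return len(a) == len(b) and decoded_len(a) == decoded_len(b)


if __name__ == "__main__":
    unsalted = b64_sha256(PASSWORD)
    salted = b64_sha256(SALT + PASSWORD)
    print("sha256(pw)        :", unsalted)
    print("sha256(salt || pw):", salted)
    print("same shape:", same_shape(unsalted, salted), "different value:", unsalted != salted)
    # The question's first line decodes to 32 bytes, i.e. one SHA-256 digest;
    # nothing in it says whether a salt went into that digest.
    print("bytes in line 1 token:", decoded_len("ftO3Vf5ujoFQgpz9vG7D+paKjOnppI7IRuuvQpq7s1U="))
    # The second line's salt and hash fields each decode to 24 bytes.
    print("bytes in line 2 salt :", decoded_len("L6DlotbUNtnUv7jZ5d/vLnnzaklLWeVt"))
    print(pbkdf2_line(PASSWORD, SALT, 1000))
```

Running it with `openssl dgst -sha256 -binary | openssl base64` on the same input gives the same 44-character token as `b64_sha256`, so the experiment transfers directly to the CLI the answer suggests.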
