On 8/20/07, Don Jerman <[EMAIL PROTECTED]> wrote:
> On 8/20/07, Dan Cowsill <[EMAIL PROTECTED]> wrote:
> > I started having problems with my boot password not too long after I
> > changed it and I stumbled upon something altogether weird.
> >
> > The following is a copy of what grub is giving me for an md5 hash:
> >
> > --
> >
> > grub> md5crypt
> >
> > Password: ****
> > Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0
> >
> > grub> md5crypt
> >
> > Password: ****
> > Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0
> >
> > grub> md5crypt
> >
> > Password: ****
> > Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0
> >
> > grub> md5crypt
> >
> > Password: ****
> > Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91
> >
> > grub>
> >
> > --
> >
> > Now, keep in mind that the word I'm typing is 'test'.  No
> > capitalization, no spaces, no nonsense.  And yet the hashes md5crypt
> > returns are all different.  Now, that's no good if you ask me.
>
> These are all password-recognizers, not md5 hash strings (ok, they are
> in part).
>
> The $1$ identifies a salt lead-in, the next part is the salt for your
> password (generated randomly) up to the next $, then the hash of your
> password + salt (to the end of the string).  Given the secret salt,
> Grub (or anything else using this method) can combine it with the
> candidate password and check the hash.  But since the salt is random
> you get a different hash every time.
>
> This behavior is desirable in case you have two or more password
> recognizers in the same config file (or in files accessible to the
> same untrusted reader).  It prevents identical passwords from being
> detected (as you demonstrated) by reading the recognizer strings.
>
> So no, not broken, just not what you expected.
> --
> [EMAIL PROTECTED] mailing list
>
>

Right, not what I expected to be sure.  I would like to know how they
did that, though!

Thanks for enlightening me,
Dan

-- 
Dan Cowsill
http://www.danthehat.net
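The "$1$salt$hash" scheme Don describes is the FreeBSD md5crypt used by crypt(3) and by GRUB Legacy's md5crypt command. The following pure-Python implementation is an added example, not code from this thread or from GRUB: it rebuilds the four-different-strings-for-one-password behaviour with a fresh random salt, and shows how a stored recognizer is still checked by re-hashing the candidate with the salt pulled out of the recognizer itself.

```python
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):  # crypt(3) base64: n chars of 6 bits, least significant first
    return bytes(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt: returns '$1$<salt>$<22 chars>' (salt is at most 8 chars)."""
    pw, sl = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in alt, 16 bytes per 16 bytes of password
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # 1000 irregular rounds to slow down guessing
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = b""                         # fixed crypt(3) byte ordering of the digest
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + enc.decode()


def make_recognizer(password: str) -> str:
    """What 'grub> md5crypt' does: draw a fresh random salt, then hash."""
    salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    return md5crypt(password, salt)


def verify(password: str, recognizer: str) -> bool:
    """Re-derive the hash with the salt stored in the recognizer and compare."""
    parts = recognizer.split("$")     # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5crypt(password, parts[2]), recognizer)
```

Feeding the recognizer strings from the thread to `verify("test", ...)` reproduces the check GRUB performs at boot: two calls to `make_recognizer("test")` give different strings, yet both verify.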