
3
  • How are the passwords salted? Since the Linux kernel is open source, is not the salt algorithm known by the world and therefore useless? Commented Jun 7, 2013 at 16:25
  • 2
    @Rox - First, salts work by being, with high probability, a unique string that's concatenated to the password before it's hashed. Therefore, someone can't attack millions of passwords in parallel (e.g., generate sha256crypt hashes of a list of 100 million common passwords once and then compare against all the million hashes you have until you find matches). Instead, to attack just one hash with a unique salt, you'd have to try all the common passwords (concatenated with that unique salt) until one worked. Note the salt is stored with the hash, since to check a password you need to use the salt. Commented Jun 7, 2013 at 17:46
  • 4
    @Rox - Furthermore, the Linux kernel being open source is not relevant either. IIRC, the random salt is created from /dev/random, which uses true random bits accumulated from measuring the noise properties of your system (e.g., did it take an even or odd number of clock cycles to access something from disk, or the time between keystrokes/mouse movements); so it is not predictable, even if it is open source. Commented Jun 7, 2013 at 17:49
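
The two comments above make a claim that is easy to check by counting work: with unsalted hashes an attacker hashes a wordlist once and looks every stored hash up in the result, while per-user salts force a fresh pass over the wordlist for every hash. The script below is an added example, not code from the original thread; it uses plain SHA-256 as a stand-in for sha256crypt (which additionally iterates the hash many rounds, which this example deliberately omits so that only the salting effect is measured), a constructed six-word dictionary, a constructed set of five users, and salts drawn from os.urandom as a stand-in for the kernel entropy source the comment mentions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data (not from the thread). Real attacks use wordlists
# of millions of entries; the mechanics are identical.
COMMON_PASSWORDS: List[str] = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]
USERS: Dict[str, str] = {
    "alice": "qwerty",
    "bob": "hunter2",
    "carol": "password",
    "dave": "letmein",
    "erin": "password",  # same password as carol, to show what the salt hides
}
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: every user with the same password gets the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password, as the comment describes (stand-in for sha256crypt)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_salt() -> bytes:
    # os.urandom reads the kernel CSPRNG (getrandom / /dev/urandom on Linux).
    # The salt need not be secret, only unpredictable and (with high probability) unique.
    return os.urandom(SALT_BYTES)


def build_unsalted_db(users: Dict[str, str]) -> Dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_db(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Store the salt next to the hash: verification needs it, so it cannot be hidden."""
    db = {}
    for user, pw in users.items():
        salt = make_salt()
        db[user] = (salt, salted_hash(pw, salt))
    return db


def verify(db: Dict[str, Tuple[bytes, str]], user: str, password: str) -> bool:
    salt, stored = db[user]
    # Constant-time compare so the check does not leak how many hex digits matched.
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_unsalted(db: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash the wordlist ONCE, then look every stored hash up. Work = len(wordlist)."""
    table = {unsalted_hash(w): w for w in wordlist}
    work = len(wordlist)
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, work


def crack_salted(db: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Each stored hash has its own salt, so the wordlist must be re-hashed per user.
    Work is bounded by len(db) * len(wordlist); nothing precomputed carries over."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt, stored) in db.items():
        for candidate in wordlist:
            work += 1
            if salted_hash(candidate, salt) == stored:
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    unsalted_db = build_unsalted_db(USERS)
    salted_db = build_salted_db(USERS)
    found_u, work_u = crack_unsalted(unsalted_db, COMMON_PASSWORDS)
    found_s, work_s = crack_salted(salted_db, COMMON_PASSWORDS)
    print(f"unsalted: cracked {len(found_u)} users with {work_u} hash computations")
    print(f"salted:   cracked {len(found_s)} users with {work_s} hash computations")
    print("carol/erin share an unsalted hash:", unsalted_db["carol"] == unsalted_db["erin"])
    print("carol/erin share a salted hash:  ", salted_db["carol"][1] == salted_db["erin"][1])
    print("verify(alice, qwerty):", verify(salted_db, "alice", "qwerty"))
```

Both attacks recover every password here because the toy wordlist contains them all; the point is the work column, which stays at one pass over the wordlist for the unsalted table and grows with the number of stored hashes once salts are present. The salt also stops the attacker (and the administrator) from seeing that carol and erin chose the same password. A real scheme such as sha256crypt adds a configurable number of rounds on top of this so that each of those per-user passes is itself expensive.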