22

I've been wondering for a while, why does running "echo 'helloworld' | openssl passwd -1 -stdin" yield different results every time? If I put any of the hashes in my /etc/shadow I can use them as my password and login to my system, how does it work?

computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$xlm86SKN$vzF1zs3vfjC9zRVI15zFl1
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$/0.20NIp$pd4X9xTZ6sF8ExEGqAXb9/
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$sZ65uxPA$pENwlL.5a.RNVZITN/zNJ1
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$zBFQ0d3Z$SibkYmuJvbmm8O8cNeGMx1
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$PfDyDWER$tWaoTYym8zy38P2ElwoBe/

I would think that because I use this hash to describe to the system what my password should be, I should get the same results every time. Why don't I?

Peter

2 Answers

37

They all have a different salt. A unique salt is chosen each time, as salts should never be reused. Using a unique salt for each password makes them resistant to rainbow table attacks.

Michael Hampton
  • 7
    @peter See also: [Why should I hash passwords?](http://security.stackexchange.com/questions/36833) and [Why is using salt more secure?](http://security.stackexchange.com/questions/14025/) from [security.SE] – voretaq7 Jun 08 '13 at 23:56
  • 6
    It might be a good idea to mention that the output includes the salt after the $1$ (the dollar symbols are separators). – poke Jun 09 '13 at 11:07
  • 6
    So in the hash of '$1$xlm86SKN$vzF1zs3vfjC9zRVI15zFl1' xlm86SKN is the salt and vzF1zs3vfjC9zRVI15zFl1 is the hash of salted helloworld? – Peter Jun 09 '13 at 18:44
  • 2
    @Peter: exactly. – Joachim Sauer Jun 10 '13 at 06:59
3

Indeed if you provide the salt to the command line you always get the same result.

$ echo 'helloworld' | openssl passwd -1 -stdin -salt my-salt
$1$my-salt$S/PsLSioHR8ffN8bpIzsk/
$ echo 'helloworld' | openssl passwd -1 -stdin -salt my-salt
$1$my-salt$S/PsLSioHR8ffN8bpIzsk/
$ echo 'helloworld' | openssl passwd -1 -stdin -salt my-salt
$1$my-salt$S/PsLSioHR8ffN8bpIzsk/
danidemi
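Both answers come down to the same mechanism: the text after `$1$` and before the next `$` is the salt, the system re-runs the hash with that salt at login, and only the salt changes between runs. As an added example (not code from the question, the answers, or OpenSSL itself; the function names are my own), here is the MD5-crypt algorithm in pure Python, with a `verify()` that parses the salt back out of the stored string and a `new_hash()` that draws a fresh random salt the way `openssl passwd -1` does without `-salt`. It assumes only the standard library.

```python
# Added example, not code from the page or from OpenSSL; helper names are my own.
import hashlib, hmac, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):  # crypt base-64: 6 bits per character, low bits first
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return the $1$salt$hash string that 'openssl passwd -1 -salt <salt>' prints."""
    pw = password.encode()
    sl = salt.split("$")[0][:8].encode()  # the salt ends at '$' and is at most 8 chars
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in len(pw) bytes of md5(pw + salt + pw)
        ctx.update(alt[: min(n, 16)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds, as in the original md5crypt
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = "".join(  # the digest bytes are emitted in a fixed permutation, 3 at a time
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    return "$1$" + sl.decode() + "$" + enc + _to64(final[11], 2)


def new_hash(password):
    """Like 'openssl passwd -1' with no -salt: a fresh random 8-char salt per call."""
    return md5crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))


def verify(password, stored):
    """What login does: take the salt out of the stored string, re-hash, compare."""
    _, magic, salt, _ = stored.split("$")
    if magic != "1":
        raise ValueError("not an MD5-crypt ($1$) string")
    return hmac.compare_digest(md5crypt(password, salt), stored)
```

Every hash shown in the question and the second answer verifies against `helloworld` with this code, which is exactly why any of them works in /etc/shadow.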