Why are md5 passwords hashed differently?

Question

I've been wondering for a while, why does running "echo 'helloworld' | openssl passwd -1 -stdin" yield different results every time?If I put any of the hashes in my /etc/shadow I can use them as my password and login to my system, how does it work?

computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$xlm86SKN$vzF1zs3vfjC9zRVI15zFl1
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$/0.20NIp$pd4X9xTZ6sF8ExEGqAXb9/
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$sZ65uxPA$pENwlL.5a.RNVZITN/zNJ1
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$zBFQ0d3Z$SibkYmuJvbmm8O8cNeGMx1
computer:/ user$ echo 'helloworld' | openssl passwd -1 -stdin
$1$PfDyDWER$tWaoTYym8zy38P2ElwoBe/

I would think that because I use this hash to describe to the system what my password should be, I should get the same results every time. Why don't I?

If they were the same each time, an attacker could just hash billions of common passwords and easily check for them. — David Schwartz, Jun 08 '13 at 21:25

Michael Hampton · Accepted Answer · 2013-06-10T19:58:14.993

37

They all have a different salt. A unique salt is chosen each time, as salts should never be reused. Using a unique salt for each password makes them resistant to rainbow table attacks.

edited Jun 10 '13 at 19:58

answered Jun 08 '13 at 21:13

Michael Hampton

237,123
42
477
940

7

@peter See also: [Why should I hash passwords?](http://security.stackexchange.com/questions/36833) and [Why is using salt more secure?](http://security.stackexchange.com/questions/14025/) from [security.SE] – voretaq7 Jun 08 '13 at 23:56
6

It might be a good idea to mention that the output includes the salt after the $1$ (the dollar symbols are separators). – poke Jun 09 '13 at 11:07
6

So in the hash of '$1$xlm86SKN$vzF1zs3vfjC9zRVI15zFl1' xlm86SKN is the salt and vzF1zs3vfjC9zRVI15zFl1 is the hash of salted helloworld? – Peter Jun 09 '13 at 18:44
2

@Peter: exactly. – Joachim Sauer Jun 10 '13 at 06:59

score 3 · Answer 2 · answered Jun 28 '15 at 14:24

Indeed if you provide the salt to the command line you always get the same result.

$ echo 'helloworld' | openssl passwd -1 -stdin -salt my-salt
$1$my-salt$S/PsLSioHR8ffN8bpIzsk/
$ echo 'helloworld' | openssl passwd -1 -stdin -salt my-salt
$1$my-salt$S/PsLSioHR8ffN8bpIzsk/
$ echo 'helloworld' | openssl passwd -1 -stdin -salt my-salt
$1$my-salt$S/PsLSioHR8ffN8bpIzsk/

Why are md5 passwords hashed differently?

2 Answers2