
I was wondering why, even for the same username and the same password, htpasswd outputs a new hash every time? I tried finding an answer to this question, but couldn't.

Guido
user225312

2 Answers


The passwords generated by "htpasswd" use a random salt, to make it harder to guess. It also means that pre-crypted dictionaries for attacks have to be much larger since they have to crypt every possible password with every possible salt.

htpasswd uses crypt(3) behind the scenes.

Paul Tomblin
  • Thanks. I was not aware of the random salt. – user225312 May 18 '10 at 12:29
  • `passwd`, the Unix password changing utility does the same thing. (Although these days, many of them do MD5 passwords instead of crypt, so there isn't a salt.) – Paul Tomblin May 18 '10 at 13:16
  • In case you're wondering, "How does the server determine the salt if the salt was randomly generated?"... the salt is the first two characters of the `crypt()` output. – Dem Pilafian Jun 16 '14 at 07:03
  • @DemPilafian Thanks for the salt point! But, actually, it's not the first two characters; instead, the output of `crypt` has a format of `$$$`. And hence the server can parse this string and get the hash salt. – Emran Dec 04 '22 at 15:30

Here is a tip for you, when generating secret keys or strings, use a one_way_hash( salt + current time), these are, if not impossible, hard to crack. I normally employ this to create tokens or session keys.

Kumar