This is an idiotic question, but... If password hashes are generated by: f(x) = crypt(password + salt), where "+" is concatenation, and only f(x) is stored, how is a server able to verify a user logging in when the salt always changes?
-
Its purpose is just to prevent use of rainbow tables, and to ensure users with the same password have different hashes.
-
Yeah, I didn't think this question through... I was looking at the output of Dovecot's password gen and got confused why the same password generated different hashes. Didn't occur to me that the salt was prepended onto the hash.
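The point the thread arrives at, shown as an added example that is not part of the original tweets: the salt is random for every hash but is stored in the same record as the digest, so the server reads it back at login. The `scheme$iterations$salt$digest` layout and the use of PBKDF2 are assumptions made for illustration, not Dovecot's own format.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000  # constructed work factor for this example


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scheme$iterations$salt$digest' with a fresh random salt by default."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # The salt is not secret: it travels with the digest in the stored record.
    return f"pbkdf2-sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest using the salt parsed back out of the stored record."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, bad number, or bad base64
        return False
    if scheme != "pbkdf2-sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    first = hash_password("correct horse")   # constructed sample password
    second = hash_password("correct horse")  # same password, new salt
    print(first)
    print(second)
    print("records differ:", first != second)
    print("both verify:", verify_password("correct horse", first)
          and verify_password("correct horse", second))
    print("wrong password:", verify_password("battery staple", first))
```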