CA Directory: Command to find default salt-length for SHA512 hashed password

Article ID: 110751

Products

DIRECTORY

Issue/Introduction



Using the default SSHA-512 scheme and needing to find the salt length: is there a command that reports it? The use case is that a user entry may have accumulated several password values, and you want to remove (manually, via a scripted clean-up process) all of the old passwords from the entry, keeping only the latest one that was created.

Environment

Release:
Component: ETRDIR

Resolution

Apart from the obfuscation algorithm (-P CADIR, which uses a fixed key), CA Directory passwords are protected with one-way hashing algorithms rather than encryption. The salted variants of these algorithms mix a random salt into each hash so that the same password produces a different stored value in every entry; this defeats precomputation attacks such as rainbow tables, where an attacker hashes a dictionary once and looks stored values up.

The salt is generated with the OpenSSL function RAND_bytes(), which uses OpenSSL's default random method. By default this reads "/dev/urandom" (where available) rather than "/dev/random", because "/dev/random" can block while waiting for entropy. Newer OpenSSL releases (1.1.1 and later) prefer the getrandom(2) system call on Linux and fall back to "/dev/urandom" only when it is unavailable; in either case the salt comes from the kernel's CSPRNG.
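The following is an added example, not code from CA Directory or from this article, showing how the salt length can be recovered from a stored salted SHA-512 value without any product command, provided the value uses the common LDAP {SSHA512} layout: base64(SHA-512(password || salt) || salt). That layout is an assumption here; whether CA Directory stores its SSHA-512 values in exactly this form is not stated by the article. Because the SHA-512 digest is always 64 bytes, whatever remains after base64 decoding is the salt. The example also shows that two hashes of the same password differ (the property the article describes) and how to verify a password against a stored value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# SHA-512 always produces a 64-byte digest; the salt is whatever follows it
# once the base64 envelope is removed. (Assumes the {SSHA512} digest-then-salt
# layout; this is an assumption, not a statement about CA Directory's format.)
SHA512_DIGEST_LEN = hashlib.sha512().digest_size  # 64
PREFIX = "{SSHA512}"


def make_ssha512(password: bytes, salt_len: int = 8,
                 salt: Optional[bytes] = None) -> str:
    """Build a {SSHA512} value: base64(SHA-512(password || salt) || salt).

    os.urandom() stands in for OpenSSL RAND_bytes(); both draw from the
    kernel CSPRNG, so every call yields a fresh salt unless one is supplied.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha512(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored: str) -> tuple:
    """Return (digest, salt) from a stored {SSHA512} value.

    Raises ValueError for a wrong scheme prefix, invalid base64, or a payload
    too short to contain a full SHA-512 digest.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA512} value")
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("stored value is not valid base64") from exc
    if len(raw) < SHA512_DIGEST_LEN:
        raise ValueError("decoded value shorter than a SHA-512 digest")
    return raw[:SHA512_DIGEST_LEN], raw[SHA512_DIGEST_LEN:]


def salt_length(stored: str) -> int:
    """Salt length in bytes, inferred from the stored value alone."""
    return len(split_ssha512(stored)[1])


def verify_ssha512(password: bytes, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = split_ssha512(stored)
    candidate = hashlib.sha512(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: a fixed 16-byte salt so the output is reproducible.
    fixed = make_ssha512(b"s3cret", salt=bytes(range(16)))
    print("stored value :", fixed)
    print("salt length  :", salt_length(fixed), "bytes")
    print("verifies     :", verify_ssha512(b"s3cret", fixed))
    # Two hashes of the same password differ because the salt is random.
    a, b = make_ssha512(b"s3cret"), make_ssha512(b"s3cret")
    print("same password, different stored values:", a != b)
```

To inspect an existing value, pass the attribute value as read from the entry to salt_length(); if the result is not what the deployment expects, the value was most likely produced under a different scheme or layout rather than with a different salt size, so check the prefix before drawing conclusions.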