[Mailman-Users] Mailman sitepass

Dave Sherohman esper at sherohman.org
Mon Jun 11 17:16:26 CEST 2001

On Mon, Jun 11, 2001 at 03:40:09PM +0200, Enriko Groen wrote:
> $1$FI$4ajCrrR4WADe8XOcBYUp8/$ mmsitepass

> $1$CU$3hwEZaPPSDJOMx8Vv7TyS0

> I entered the same password on both occasions, however the resulting strings
> are completly different.
> Shouldn't they both be the same?
> I looks like there is something wrong with crypting... does anyone have a
> direction in which to search.
> I'm a complete Python nitwit.

This is actually a unix detail rather than anything related to mailman or

In unix systems (and probably others), it's standard practice to feed a
two-character "salt" value to the hashing code along with the data (password)
to be encoded.  In the cases you gave us earlier, the salt values are "FI"
and "CU".

So, why use salt if it's given to you right there in the clear?  Two reasons:

1)  As you discovered, the same password encoded twice gives different
results because the salt is different.  This prevents you from looking at a
file of encoded passwords, noticing that Joe's password is the same as yours,
and logging in as him.

2)  It makes dictionary attacks more time-consuming because each word being
tested has to be encoded separately for each salt value present instead of
just doing it once and checking against all passwords in the file.

That's not gibberish...  It's Linux. - Byers, The Lone Gunmen
Geek Code 3.12:  GCS d? s+: a C++ UL++++$ P++>+++ L+++>++++ E- W--(++) N+
o+ !K w--- O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv+ b+ DI++++ D G e* h r y+

More information about the Mailman-Users mailing list