
Re: more questions regarding password hashes



Howard Chu wrote:
> Brandon McCombs wrote:
>> I actually read the manpage this time on password-crypt-salt-format but still have some questions. It seems that only one salt format can be
>>
>> One last question, if a salt is used with MD5 for example, is the password's hash prefixed with {SMD5} or is {MD5} still used?
>>
>> All these hashes are confusing so I'm trying to get things clear in my head.
>
> No. No salt is used with MD5 or SHA. The salt that is used with SMD5 or SSHA is generated randomly. The password-crypt-salt-format only applies to crypt, just as it's documented.
That doesn't seem to answer all my questions. I realize no salt is used with MD5/SHA, otherwise they would be SMD5 and SSHA. And I realize the salt used is generated randomly. The question is how does a person choose to use a salt or not use a salt if they have no control over what the salt is? What determines whether a salt is applied? If a salt is specified in the conf file then it applies to everyone and no one can choose *not* to use it, is that correct? If so then if they want to use MD5 or SMD5, what do they need to do differently for each in order for the password to be stored correctly? If I'm calculating the hash for them to store the hashed password using an API, then I need to know what I need to do about the salt (so far it seems nothing) but I also need to know whether it even makes sense to give them the option of making salted or unsalted hashes or if the server is going to control all that anyway.

thanks
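As an added example (not code from this thread or from OpenLDAP itself), here is how the four schemes discussed above are laid out in a userPassword value, and why the client that computes the hash never has to be told the salt: for {SSHA} and {SMD5} the random salt is appended to the digest inside the base64 blob, and a verifier recovers it by splitting the decoded bytes at the digest length. The 4-byte default salt length and the function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme -> (hashlib algorithm, whether a salt is appended to the digest)
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Build "{SCHEME}" + base64(digest(password + salt) + salt).

    For SSHA/SMD5 a random 4-byte salt (this example's choice of length) is
    drawn when none is supplied; for SHA/MD5 the salt argument is ignored,
    so the same password always yields the same stored value.
    """
    algo, salted = _SCHEMES[scheme]
    salt = (salt if salt is not None else os.urandom(4)) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored value without knowing the salt up front.

    The salt is whatever follows the fixed-length digest in the decoded blob,
    so salts of any length verify; unsalted schemes must decode to exactly
    one digest. Comparison is constant-time to avoid leaking digest prefixes.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    blob = base64.b64decode(b64)
    digest_len = hashlib.new(algo).digest_size
    if len(blob) < digest_len or (not salted and len(blob) != digest_len):
        return False
    salt = blob[digest_len:] if salted else b""
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, blob[:digest_len])
```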