为什么使用C crypt函数将盐包含在哈希中

Question

Look at this very basic c program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <crypt.h>

int main (int argc, char *argv[]) 
{
    char pid[16];
    int id;
    for (id = 0;  id < 100; id++) 
    {
       snprintf(pid, sizeof(pid), "%i", id);
       printf("%s %s\n",pid, crypt(pid, "$1$awesome"));
    }
}

Here is the output on linux system:

0 $1$awesome$cVjo4Ue9HeJs7sStMTm6v.
1 $1$awesome$6.658tD5uVqwQJ6/S8Mc71
2 $1$awesome$bKavcHTWRGnlTgP.zTZhO.
3 $1$awesome$ZlBH.fgxGrfw/naq38hyv.
4 $1$awesome$aQCliN7gPud1PC07Vri.y1
5 $1$awesome$EewcRVU39I/n0uMGaDxCN0
6 $1$awesome$fKMRDZaa5wra4G8xy9.m0/
7 $1$awesome$AqJ0SmXImg.xcUg/Yh/ov.
8 $1$awesome$bT3Wq9QORw1dnNZFZmVBk.
9 $1$awesome$4uM8mfZGdj2zeZ/CP/GSz1
10 $1$awesome$Gsa/ilcFg1LRl2dqNhgXg0

I do not understand why the salt is visible on the output. I have tried to compile the same program on Mac OS X and I did not see the salt in the hash. Isn't it a security hole? We should not see the salt in clear in the hash ?

Thanks

Answer 1

Read section 3 from the researchers who originally proposed it. It says what @jonrsharpe said in the comment above, but always nice to get the original source (emphasis mine):

The key search technique is still likely to turn up a few passwords when it is used on a large collection of passwords, and it seemed wise to make this task as difficult as possible. To this end, when a password is first entered, the password program obtains a 12-bit random number (by reading the real-time clock) and appends this to the password typed in by the user. The concatenated string is encrypted and both the 12-bit random quantity (called the salt) and the 64-bit result of the encryption are entered into the password file .

When the user later logs in to the system, the 12-bit quantity is extracted from the password file and appended to the typed password. The encrypted result is required, as before, to be the same as the remaining 64 bits in the password file . This modification does not increase the task of finding any individual password, starting from scratch, but now the work of testing a given character string against a large collection of encrypted passwords has been multiplied by 4,096 (2^12). The reason for this is that there are 4,096 encrypted versions of each password and one of them has been picked more or less at random by the system.

With this modification, it is likely that the bad guy can spend days of computer time trying to find a password on a system with hundreds of passwords, and find none at all. More important is the fact that it becomes impractical to prepare an encrypted dictionary in advance. Such an encrypted dictionary could be used to crack new passwords in milliseconds when they appear.

There is a (not inadvertent) side effect of this modification. It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them, unless you already know that.