obtain salt from something else than a command argument #350

Open
calestyo opened this issue Jul 11, 2022 · 2 comments

@calestyo

Hey.

It would be nice if the salt could alternatively be obtained from something else than a command argument (which is typically visible to any user).

Sure, the salt isn't secret, but why "spreading" it unnecessarily?

One could use a configurable environment variable and/or the 2nd line of standard input.

Thanks,
Chris.

@LookAtFr3sn0

LookAtFr3sn0 commented Mar 24, 2023

A salt is only meant as a way to render using a rainbow table pointless and knowing it does not give you any advantage.
A typical user should not be able to see a command argument, if they can they are likely to find a way to also see environmental variables.
My point being, you can hide it from some users but you can't hide it from everyone because it's something your code needs to know and it's considered safe to store in plain text along the hash.

@calestyo

> A salt is only meant as a way to render using a rainbow table pointless and knowing it does not give you any advantage.

Well as I've said above:

> Sure, the salt isn't secret, but why "spreading" it unnecessarily?

> A typical user should not be able to see a command argument, if they can they are likely to find a way to also see environmental variables.

At least under standard Linux distros, all process arguments are always visible to any other users.

> My point being, you can hide it from some users but you can't hide it from everyone because it's something your code needs to know and it's considered safe to store in plain text along the hash.

Well you can't hide it from root or similar privileged users... but from any other normal users. But again, as said this would be just a minor improvement because as said, the salt isn't expected to be secret.

But this project seems anyway abandoned... so any discussion is rather pointless.
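
A sketch of the request in the opening post, together with a check for the argument-visibility point raised in the last comment. This is an added example, not code from the project: `resolve_salt`, `procfs_exposure` and the variable name `TOOL_SALT` are hypothetical, and it assumes the password arrives on the first line of standard input.

```python
import io
import os
import stat

SALT_ENV_DEFAULT = "TOOL_SALT"  # hypothetical name, not taken from the project


def resolve_salt(argv, environ, stdin, env_name=SALT_ENV_DEFAULT, salt_from_stdin=False):
    """Return (password, salt, source) without requiring the salt in argv.

    Assumption: the password is the first line of stdin. Lookup order is the
    second stdin line (when requested), the environment variable, then the
    positional argument as the existing fallback.
    """
    password = stdin.readline().rstrip("\n")
    if salt_from_stdin:
        line = stdin.readline().rstrip("\n")
        if not line:
            raise ValueError("expected the salt on the second line of stdin")
        return password, line, "stdin"
    if environ.get(env_name):
        return password, environ[env_name], "env"
    if len(argv) > 1:
        return password, argv[1], "argv"
    raise ValueError("no salt supplied")


def procfs_exposure(pid="self"):
    """Report whether the 'other' read bit is set on a process's /proc entries."""
    report = {}
    for name in ("cmdline", "environ"):
        try:
            mode = os.stat(f"/proc/{pid}/{name}").st_mode
        except OSError:
            report[name] = None  # no procfs (non-Linux) or entry not accessible
            continue
        report[name] = bool(mode & stat.S_IROTH)
    return report


if __name__ == "__main__":
    sample_stdin = io.StringIO("correct horse\nc29tZXNhbHQ\n")  # constructed input
    print(resolve_salt(["tool"], {}, sample_stdin, salt_from_stdin=True))
    print(procfs_exposure())  # shows which of cmdline/environ other users may read
```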
