<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><br><div>On 15 Oct 2017, at 07:26, Geoff Down <<a href="mailto:geoffdown@fastmail.net">geoffdown@fastmail.net</a>> wrote:<br><br></div><blockquote type="cite"><div><span>On Sun, Oct 15, 2017, at 01:51 AM, teor wrote:</span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>On 14 Oct 2017, at 20:33, Geoff Down <<a href="mailto:geoffdown@fastmail.net">geoffdown@fastmail.net</a>> wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Hello all,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>what sort of crazy bug would make Tor give different hashes for the same</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>password?</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>$ tor --hash-password hello</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>$ tor --hash-password hello</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>16:8201E7D35BB8CACB60BF8947B49A3480BA1A17E77EDA8BE45790746884</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>$ tor --version</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Tor version 0.3.1.7 (git-6babd3d9ba9318b3).</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote 
type="cite"><span>This is normal behaviour for salted hashes.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><span>But which one then goes in the torrc?</span><br></div></blockquote><div><br></div><div>Either.</div><div>If one doesn't work, that's a bug (or there's an extra space in the password).</div><br><blockquote type="cite"><div><span>And how then can the password sent to the control port be matched if its</span><br><span>hash changes?</span><br></div></blockquote><div><br></div><div>HashedControlPassword contains algorithm,salt,hash(algorithm,salt,password)</div><div><br></div><div>The password is hashed with the salt using an algorithm, and the hash is</div><div>matched against <span style="background-color: rgba(255, 255, 255, 0);">hash(algorithm,salt,password).</span></div><br><blockquote type="cite"><div><span>Surely a salted hash has to use the same salt every time?</span><br></div></blockquote><div><br></div>No, it's precisely the opposite: a salted hash provides protection<div>*because* it uses a different salt every time. This protects against</div><div>rainbow tables, which contain hashes of common password strings</div><div>(or in some cases, all sufficiently short strings).</div><div><br><div>Some background that may be helpful:<br><br><div><a href="https://en.m.wikipedia.org/wiki/Salt_(cryptography)">https://en.m.wikipedia.org/wiki/Salt_(cryptography)</a></div><div><br></div><div>T</div></div></div></body></html>
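To make the "algorithm, salt, hash(algorithm, salt, password)" explanation above concrete, here is an added worked example (written for this page, not code from the thread or from Tor itself) that reproduces the layout `tor --hash-password` prints: `16:` followed by the hex of an 8-byte random salt, a one-byte OpenPGP S2K count indicator (Tor uses 0x60, which decodes to 65536 bytes hashed) and the 20-byte SHA-1 output of the RFC 2440 iterated-salted S2K over salt+password. The function names and the demo password are my own choices; the format itself is what Tor documents for `HashedControlPassword`. The verifier re-runs the S2K with the salt and indicator stored in the line, so either of the two differently-salted hashes from the thread is a valid torrc value, and a trailing space turns the password into a different string, which is why teor's "extra space" caveat matters.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Layout of a Tor HashedControlPassword value, as printed by `tor --hash-password`:
#   "16:" + hex(8-byte salt) + hex(1-byte S2K count indicator) + hex(20-byte SHA-1 digest)
S2K_COUNT_INDICATOR = 0x60   # the indicator Tor always emits; decodes to 65536 bytes hashed
SALT_LEN = 8
DIGEST_LEN = 20


def s2k_iteration_count(indicator: int) -> int:
    """Decode an RFC 2440 iterated S2K count byte into the number of bytes to hash."""
    return (16 + (indicator & 15)) << ((indicator >> 4) + 6)


def s2k_rfc2440(salt: bytes, password: bytes, indicator: int = S2K_COUNT_INDICATOR) -> bytes:
    """Iterated, salted S2K with SHA-1: hash the first `count` bytes of (salt+password) repeated."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    block = salt + password
    count = s2k_iteration_count(indicator)
    h = hashlib.sha1()
    while count > 0:
        if count >= len(block):
            h.update(block)
            count -= len(block)
        else:
            h.update(block[:count])   # final partial block, as in Tor's loop
            count = 0
    return h.digest()


def hash_control_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a HashedControlPassword line; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = s2k_rfc2440(salt, password.encode("utf-8"))
    return "16:" + (salt + bytes([S2K_COUNT_INDICATOR]) + digest).hex().upper()


def parse_hashed_control_password(value: str) -> Tuple[bytes, int, bytes]:
    """Split a stored value into (salt, count indicator, expected digest)."""
    if not value.startswith("16:"):
        raise ValueError("unsupported HashedControlPassword format")
    raw = bytes.fromhex(value[3:])   # accepts upper- or lower-case hex
    if len(raw) != SALT_LEN + 1 + DIGEST_LEN:
        raise ValueError("expected 29 bytes: salt(8) + indicator(1) + sha1(20)")
    return raw[:SALT_LEN], raw[SALT_LEN], raw[SALT_LEN + 1:]


def verify_control_password(stored: str, password: str) -> bool:
    """Re-run the S2K with the stored salt and indicator and compare in constant time."""
    salt, indicator, expected = parse_hashed_control_password(stored)
    actual = s2k_rfc2440(salt, password.encode("utf-8"), indicator)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed demo: two hashes of the same password differ only by their salt, yet both verify.
    first = hash_control_password("hello")
    second = hash_control_password("hello")
    print(first)
    print(second)
    print("salts differ:", first != second)
    print("both verify:", verify_control_password(first, "hello")
          and verify_control_password(second, "hello"))
    # The first value quoted in the thread, produced by `tor --hash-password hello`.
    from_thread = "16:735E6FA5355D4146606AFE25B61B411DF419878C99705164D038FC99BC"
    print("thread hash verifies 'hello':", verify_control_password(from_thread, "hello"))
    # An extra trailing space is a different password, so it must not verify.
    print("thread hash verifies 'hello ':", verify_control_password(from_thread, "hello "))
```

The stored indicator byte is honoured rather than assumed, so the verifier generalises to any count a future Tor might emit; `hmac.compare_digest` avoids a timing side channel on the digest comparison, which is what a control-port authenticator should also do.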