CA Directory: Command to find default salt-length for SHA512 hashed password

Document ID : KB000110751
Last Modified Date : 14/08/2018
Question:
Using default SSHA-512 and need to find the salt-length. Is there a command to find it? The use case is: you may have multiple passwords created for the same user and you want to manually (via scripting, as a clean-up process) remove all the old passwords from a user entry, keeping only the latest/last one that was created.
Answer:
Apart from our obfuscation algorithm (-P CADIR, which uses a fixed key), our passwords use one-way hashing algorithms rather than encryption. The salted variants of these algorithms add a random salt so that the hash of a given password is unique, which protects against precomputed-hash attacks (such as rainbow table attacks).

The salt is derived using the OpenSSL function RAND_bytes(), which uses the default random method. By default this reads "/dev/urandom" (if available), since "/dev/random" is a blocking device.
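The following is an added example, not CA Directory's own command or storage format, showing how a salted SHA-512 value is built and how the salt length can be recovered from a stored value. It assumes the common LDAP {SSHA512} layout, base64(sha512(password || salt) || salt), so that everything after the fixed 64-byte digest is salt; the hypothetical helpers make_ssha512, salt_length and verify_ssha512 are defined here for illustration. The salt comes from os.urandom, which on Linux reads /dev/urandom, the same non-blocking source the answer names for RAND_bytes().

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"      # assumed LDAP-style scheme tag, not CA Directory's
SHA512_DIGEST_LEN = 64    # SHA-512 always yields a 64-byte digest


def make_ssha512(password: str, salt_len: int = 8) -> str:
    """Return PREFIX + base64(sha512(password || salt) || salt).

    Each call draws a fresh random salt, so hashing the same password twice
    produces two different stored values (the uniqueness the answer describes).
    """
    salt = os.urandom(salt_len)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def _split(stored: str) -> tuple[bytes, bytes]:
    """Decode a stored value into (digest, salt); raises on malformed input."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an " + PREFIX + " value")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) < SHA512_DIGEST_LEN:
        raise ValueError("value shorter than a SHA-512 digest")
    return raw[:SHA512_DIGEST_LEN], raw[SHA512_DIGEST_LEN:]


def salt_length(stored: str) -> int:
    """Salt length = total decoded length minus the fixed digest length."""
    _, salt = _split(stored)
    return len(salt)


def verify_ssha512(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest, salt = _split(stored)
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: two values for the same password differ only by salt.
    first = make_ssha512("example-password", salt_len=8)
    second = make_ssha512("example-password", salt_len=8)
    print(first, second, sep="\n")
    print("salt length:", salt_length(first))
    print("verify:", verify_ssha512("example-password", first))
```

Because the digest length is fixed by the algorithm, the salt length of any value in this layout can be read off the stored value itself; a script that inspects stored password attributes does not need the original salt-length setting, only the scheme and the digest size.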