{"id":1935,"date":"2025-07-07T08:52:51","date_gmt":"2025-07-07T07:52:51","guid":{"rendered":"https:\/\/workboot.fr\/ciela\/?page_id=1935"},"modified":"2025-07-07T10:31:19","modified_gmt":"2025-07-07T09:31:19","slug":"hash-et-mot-de-passe","status":"publish","type":"page","link":"https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/","title":{"rendered":"hash et mot de passe"},"content":{"rendered":"\n

Se cours expose les hashs SHA-512 et YESCRYPT <\/p>\n\n\n\n

dans le fichier \/etc\/shadow <\/strong>, on trouve le hash du mot de passe. <\/p>\n\n\n\n

etudiant@ordi:~$ cat \/etc\/shadow\ncat: \/etc\/shadow: Permission non accord\u00e9e\netudiant@ordi:~$ ls -l \/etc\/shadow\n-rw-r----- 1 root shadow 1593 juil.  2 13:24 \/etc\/shadow\netudiant@ordi:~$ <\/code><\/pre>\n\n\n\n
on remarque ici que le fichier critique shadow , n’est accessible que par root !  pour des raisons de s\u00e9curit\u00e9 ! il contient les mots passes hash\u00e9s !<\/p>\n\n\n\n
Fichier super secret :<\/p>\n\n\n\n
\/etc\/passwd<\/summary>\n
etudiant@ordi:~$ sudo cat \/etc\/shadow\n[sudo] Mot de passe de etudiant\u00a0: \nroot:!:20269:0:99999:7:::\ndaemon:*:19773:0:99999:7:::\nbin:*:19773:0:99999:7:::\nsys:*:19773:0:99999:7:::\nsync:*:19773:0:99999:7:::\ngames:*:19773:0:99999:7:::\nman:*:19773:0:99999:7:::\nlp:*:19773:0:99999:7:::\nmail:*:19773:0:99999:7:::\nnews:*:19773:0:99999:7:::\nuucp:*:19773:0:99999:7:::\nproxy:*:19773:0:99999:7:::\nwww-data:*:19773:0:99999:7:::\nbackup:*:19773:0:99999:7:::\nlist:*:19773:0:99999:7:::\nirc:*:19773:0:99999:7:::\ngnats:*:19773:0:99999:7:::\nnobody:*:19773:0:99999:7:::\nsystemd-network:*:19773:0:99999:7:::\nsystemd-resolve:*:19773:0:99999:7:::\nmessagebus:*:19773:0:99999:7:::\nsystemd-timesync:*:19773:0:99999:7:::\nsyslog:*:19773:0:99999:7:::\n_apt:*:19773:0:99999:7:::\ntss:*:19773:0:99999:7:::\nuuidd:*:19773:0:99999:7:::\nsystemd-oom:*:19773:0:99999:7:::\ntcpdump:*:19773:0:99999:7:::\navahi-autoipd:*:19773:0:99999:7:::\nusbmux:*:19773:0:99999:7:::\ndnsmasq:*:19773:0:99999:7:::\nkernoops:*:19773:0:99999:7:::\navahi:*:19773:0:99999:7:::\ncups-pk-helper:*:19773:0:99999:7:::\nrtkit:*:19773:0:99999:7:::\nwhoopsie:*:19773:0:99999:7:::\nsssd:*:19773:0:99999:7:::\nspeech-dispatcher:!:19773:0:99999:7:::\nfwupd-refresh:*:19773:0:99999:7:::\nnm-openvpn:*:19773:0:99999:7:::\nsaned:*:19773:0:99999:7:::\ncolord:*:19773:0:99999:7:::\ngeoclue:*:19773:0:99999:7:::\npulse:*:19773:0:99999:7:::\ngnome-initial-setup:*:19773:0:99999:7:::\nhplip:*:19773:0:99999:7:::\ngdm:*:19773:0:99999:7:::\netudiant:<\/mark>$y$j9T$Pujdg7OJEBcONKuWJPl48.$rOHojUWdxPBka.S7GYinR68n82.t5Y\/NQ2kiQX4CJv0<\/mark>:20269:0:99999:7:::\ndorian:$y$j9T$zr4ZdrviuR\/b8uWBTDxDP1$ZwjOhxOGM7PgLF4FJoNivmW\/P3\/XwLGzhNe0eZCAvZ9:20271:0:99999:7:::<\/mark>\nsshd:*:20271:0:99999:7:::\netudiant@ordi:~$ \n<\/code><\/pre>\n<\/details>\n\n\n\n
on voit le mot de passe etudiant hash\u00e9 en jaune le salage en bleu  !<\/p>\n\n\n\n
$y$<\/mark>j9T$<\/mark>Pujdg7OJEBcONKuWJPl48.<\/mark>$rOHojUWdxPBka.S7GYinR68n82.t5Y\/NQ2kiQX4CJv0<\/mark><\/p>\n\n\n\n
Le hash est au format moderne yescrypt<\/strong> (identifiable gr\u00e2ce au pr\u00e9fixe $y$<\/mark><\/code>)<\/p>\n\n\n\n
Pourquoi on hash le mot de passe !<\/h1>\n\n\n\n
M\u00eame root ne peut pas savoir ce que vous avez mis  comme mot de passe et c’est le grand int\u00e9r\u00eat du hash ! Et si on se fait voler le fichier shadow les mots de passes des utilisateurs ne sont pas compromis.<\/p>\n\n\n\n
D’ailleurs si vous devez faire un applicatif qui utilise des mots de passes , il  faut imp\u00e9rativement utiliser les hashs pour s\u00e9curiser votre travail<\/mark>.<\/p>\n\n\n\n
openssl<\/h2>\n\n\n\n
installation de openssl sous debian et d\u00e9riv\u00e9s <\/p>\n\n\n\n
sudo apt update && sudo apt install openssl   # si \u00e7a n'est pas d\u00e9j\u00e0 fait<\/code><\/pre>\n\n\n\n
comment ca fonctionne <\/h3>\n\n\n\n
le mieux est de faire une petite d\u00e9mo !  on va utiliser du SHA-512<\/strong><\/p>\n\n\n\n
etudiant@ordi:~$ openssl passwd -6 'etudiant'\n$6$<\/mark>Q0mhKcxPG4EHxACp$NIKIQoJdxaO0ZR4OQ7FOfruPRO\/AQygtNPG2v47cxHaj2AsAFTzUFH87dqY1QsSLxHB4XRuhQNNhpa.CoeE06\/\netudiant@ordi:~$ openssl passwd -6 'etudiant'\n$6$<\/mark>FrzsNkc9D5OJrlek$4HvDLsMYlozd6K5Dg81GklUwXLhuI6chMZW8NyFjhoXwxRQR\/e8qxd959.cA0f6yKH.ZICs\/ElTZ4KhZdvtJF1\netudiant@ordi:~$ openssl passwd -6 'etudiant'\n$6<\/mark>$OCFT0wGhueYVgKYp$iRZMKgHiD6iRy33aRrQ7mqe1qfw04vg0eaEz5MUE7q.tFnnknZPKr1VOK8N42oUvnk.WmM0na50.ygfbcp0pn.\netudiant@ordi:~$ <\/code><\/pre>\n\n\n\n
nous avons 3 hashs diff\u00e9rents du mot de passe etudiant  ! et on peut continuer comme \u00e7a !!!<\/p>\n\n\n\n
Et pourtant dedans il y a bien etudiant \u00e0 chaque fois ! <\/p>\n\n\n\n
Lors de la g\u00e9n\u00e9ration du hash , un sel (salt) est propos\u00e9 de fa\u00e7on al\u00e9atoire, c’est l’explication des diff\u00e9rents hash possible du m\u00eame mot de passe. <\/p>\n\n\n\n
\ud83e\uddec Pourquoi openssl passwd<\/code> est utilis\u00e9 alors ?<\/h3>\n\n\n\n
Parce qu\u2019il permet de g\u00e9n\u00e9rer des hachages de mots de passe<\/strong> compatibles avec \/etc\/shadow<\/code>.<\/p>\n\n\n\n
    \n
  • -1<\/code> pour MD5<\/li>\n\n\n\n
  • -5<\/code> pour SHA-256<\/li>\n\n\n\n
  • -6<\/code> pour SHA-512 (le plus courant et recommand\u00e9)<\/li>\n<\/ul>\n\n\n\n
    Comment connaitre les grains de sel !<\/h2>\n\n\n\n
    $6$<\/mark>Q0mhKcxPG4EHxACp<\/mark>$NIKIQoJdxaO0ZR4OQ7FOfruPRO\/AQygtNPG2v47cxHaj2AsAFTzUFH87dqY1QsSLxHB4XRuhQNNhpa.CoeE06\/<\/mark><\/code><\/pre>\n\n\n\n
    $<id>$<salt>$<hash><\/code><\/pre>\n\n\n\n
    Donc maintenant avec openssl on peut v\u00e9rifier , le mot de passe avec le bon salage<\/p>\n\n\n\n
    etudiant@ordi:~\/Works\/crypt$ openssl passwd -6 -salt Q0mhKcxPG4EHxACp etudiant\n$6$Q0mhKcxPG4EHxACp$NIKIQoJdxaO0ZR4OQ7FOfruPRO\/AQygtNPG2v47cxHaj2AsAFTzUFH87dqY1QsSLxHB4XRuhQNNhpa.CoeE06\/\netudiant@ordi:~\/Works\/crypt$ <\/code><\/pre>\n\n\n\n
    on voit bien qu’on obtient le m\u00eame hash avec le m\u00eame salage ! c’est une bonne recette !<\/p>\n\n\n\n
    Sous nos debians , possible d’utiliser un hash SHA-512 sans probl\u00e8me, dans le fichier \/etc\/shadow <\/p>\n\n\n\n
    mkpasswd<\/h2>\n\n\n\n
    sudo apt update && sudo apt install whois<\/code><\/pre>\n\n\n\n
    g\u00e9n\u00e9rer des hashs <\/p>\n\n\n\n
    etudiant@AnduinOS:~\/Works\/crypt$ mkpasswd --method=yescrypt 'etudiant'\n$y$j9T$.AkHetG0xNgKo4eDdzO45\/$5IT.Qr9zXhCapzF75v9b84VdmmJ1JOK5FldDT2PcFu6\netudiant@AnduinOS:~\/Works\/crypt$ mkpasswd --method=yescrypt \"etudiant\"\n$y$j9T$aGUqz.JEQP1W4UX7ANyKb1$TnCcmnESAFbPvoAcSgV1pxuC5LmhrMHi5MiZfZeJVu2<\/code><\/pre>\n\n\n\n
    etudiant@AnduinOS:~\/Works\/crypt$ mkpasswd --method=sha-512 \"etudiant\"\n$6$MTnpxkNGS72.kKO6$ldUJm7YSP6kc2O31ldc9dXo6H8xAo\/CKoMj0MaINKcH\/JuXXguVLYkWmB8IausLdOQmfPs.SApKBk3nTkgvDs1<\/code><\/pre>\n\n\n\n
    \ud83d\udd0d Comparaison : yescrypt vs SHA-512 crypt<\/h2>\n\n\n\n
    Crit\u00e8re<\/th>yescrypt<\/th>SHA-512 crypt ($6$<\/code>)<\/th><\/tr><\/thead>
    S\u00e9curit\u00e9<\/strong><\/td>Tr\u00e8s \u00e9lev\u00e9e<\/td>\u00c9lev\u00e9e<\/td><\/tr>
    R\u00e9sistance GPU\/ASIC<\/strong><\/td>Tr\u00e8s bonne (r\u00e9sistant aux attaques parall\u00e9lis\u00e9es)<\/td>Moins bonne (plus vuln\u00e9rable au brute force GPU)<\/td><\/tr>
    Consommation m\u00e9moire<\/strong><\/td>Plus \u00e9lev\u00e9e (param\u00e9trable)<\/td>Faible<\/td><\/tr>
    Vitesse (temps hash)<\/strong><\/td>Plus lente (d\u00e9lib\u00e9r\u00e9 pour s\u00e9curit\u00e9)<\/td>Plus rapide (moins costaud)<\/td><\/tr>
    Adoption<\/strong><\/td>R\u00e9cente, support\u00e9e sur Debian 12+, libxcrypt<\/td>Standard historique, universel<\/td><\/tr>
    Param\u00e9trage<\/strong><\/td>Flexible (rounds, m\u00e9moire)<\/td>Round count configurable<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    Comparer un mot de passe et son hash en C<\/h2>\n\n\n\n
    testmdp.c<\/p>\n\n\n\n
    #include <\/font><stdio.h><\/font>\n#include <\/font><stdlib.h><\/font>\n#include <\/font><string.h><\/font>\n#include <\/font><unistd.h><\/font>\n#include <\/font><crypt.h><\/font>\n\nint<\/font> main() \n{\n    const<\/font> char<\/font> *password = "etudiant"<\/font>;  \/\/ Mot de passe \u00e0 tester<\/font>\n    const<\/font> char<\/font> *hash = "$y$j9T$Pujdg7OJEBcONKuWJPl48.$rOHojUWdxPBka.S7GYinR68n82.t5Y\/NQ2kiQX4CJv0"<\/font>;\n\n    char<\/font> *result = crypt(password, hash);\n\n    if<\/font> (result == NULL<\/font>) {\n        perror("crypt"<\/font>);\n        return<\/font> 1<\/font>;\n    }\n\n    if<\/font> (strcmp(result, hash) == 0<\/font>) {\n        printf("\u2705 Mot de passe correct !<\/font>\\n<\/font>"<\/font>);\n    } else<\/font> {\n        printf("\u274c Mot de passe incorrect.<\/font>\\n<\/font>"<\/font>);\n    }\n\n    return<\/font> EXIT_SUCCESS<\/font>;\n}\n<\/pre>\n\n\n\n
    etudiant@ordi:~\/Works\/crypt$ gcc testmdp.c -o testmdp  -lcrypt\netudiant@ordi:~\/Works\/crypt$ .\/testmdp \n\u2705 Mot de passe correct !\netudiant@ordi:~\/Works\/crypt$ <\/code><\/pre>\n\n\n\n
    une fonction crypt existe en c <\/p>\n","protected":false},"excerpt":{"rendered":"
    Se cours expose les hashs SHA-512 et YESCRYPT dans le fichier \/etc\/shadow , on trouve le hash du mot de passe. on remarque ici que le fichier critique shadow , […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","_uag_custom_page_level_css":"","footnotes":""},"class_list":["post-1935","page","type-page","status-publish","hentry"],"yoast_head":"\nhash et mot de passe - workboot<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"hash et mot de passe - workboot\" \/>\n<meta property=\"og:description\" content=\"Se cours expose les hashs SHA-512 et YESCRYPT dans le fichier \/etc\/shadow , on trouve le hash du mot de passe. on remarque ici que le fichier critique shadow , […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/\" \/>\n<meta property=\"og:site_name\" content=\"workboot\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-07T09:31:19+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/hash-et-mot-de-passe\\\/\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/hash-et-mot-de-passe\\\/\",\"name\":\"hash et mot de passe - workboot\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#website\"},\"datePublished\":\"2025-07-07T07:52:51+00:00\",\"dateModified\":\"2025-07-07T09:31:19+00:00\",\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/workboot.fr\\\/ciela\\\/hash-et-mot-de-passe\\\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#website\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/\",\"name\":\"workboot\",\"description\":\"Open Source, Open Minds \",\"publisher\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#organization\",\"name\":\"workboot\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/logo_ciel-dorian-1.png\",\"contentUrl\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/logo_ciel-dorian-1.png\",\"width\":1024,\"height\":950,\"caption\":\"workboot\"},\"image\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"hash et mot de passe - workboot","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/","og_locale":"fr_FR","og_type":"article","og_title":"hash et mot de passe - workboot","og_description":"Se cours expose les hashs SHA-512 et YESCRYPT dans le fichier \/etc\/shadow , on trouve le hash du mot de passe. on remarque ici que le fichier critique shadow , […]","og_url":"https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/","og_site_name":"workboot","article_modified_time":"2025-07-07T09:31:19+00:00","twitter_misc":{"Dur\u00e9e de lecture estim\u00e9e":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/","url":"https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/","name":"hash et mot de passe - workboot","isPartOf":{"@id":"https:\/\/workboot.fr\/ciela\/#website"},"datePublished":"2025-07-07T07:52:51+00:00","dateModified":"2025-07-07T09:31:19+00:00","inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/workboot.fr\/ciela\/hash-et-mot-de-passe\/"]}]},{"@type":"WebSite","@id":"https:\/\/workboot.fr\/ciela\/#website","url":"https:\/\/workboot.fr\/ciela\/","name":"workboot","description":"Open Source, Open Minds ","publisher":{"@id":"https:\/\/workboot.fr\/ciela\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/workboot.fr\/ciela\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/workboot.fr\/ciela\/#organization","name":"workboot","url":"https:\/\/workboot.fr\/ciela\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/workboot.fr\/ciela\/#\/schema\/logo\/image\/","url":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2025\/05\/logo_ciel-dorian-1.png","contentUrl":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2025\/05\/logo_ciel-dorian-1.png","width":1024,"height":950,"caption":"workboot"},"image":{"@id":"https:\/\/workboot.fr\/ciela\/#\/schema\/logo\/image\/"}}]}},"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"admin","author_link":"https:\/\/workboot.fr\/ciela\/author\/admin\/"},"uagb_comment_info":0,"uagb_excerpt":"Se cours expose les hashs SHA-512 et YESCRYPT dans le fichier \/etc\/shadow , on trouve le hash du mot de passe. on remarque ici que le fichier critique shadow , […]","_links":{"self":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages\/1935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/comments?post=1935"}],"version-history":[{"count":9,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages\/1935\/revisions"}],"predecessor-version":[{"id":1953,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages\/1935\/revisions\/1953"}],"wp:attachment":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/media?parent=1935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}