
I was reading another post and the example of using a salt was:

openssl passwd -crypt -salt foo bar
foXrpAKGo3142

but if I change the salt to

openssl passwd -crypt -salt foo111 bar

I still get

foXrpAKGo3142

Is there a limit on the salt length? It seems to be 2 chars.

Thanks!

FelixJN

2 Answers

With the crypt algorithm, the salt limit is 12 bits. Other algorithms support longer salts; with openssl passwd, you should use -5 or -6.

See also How to find the hashing algorithm used to hash passwords?

Stephen Kitt

The -crypt algorithm for openssl passwd is a legacy algorithm that should not be used anymore. It can be brute-forced at moderate cost. It's the traditional DES-based crypt() password hashing algorithm which was introduced in Seventh Edition Unix in 1979. It limits the salt to 2 printable ASCII characters, and the password to 8 printable ASCII characters. It has no practical value except for historical purposes or on extremely outdated (and insecure) systems.

Anyone using it in a code example either doesn't know what they're saying or doesn't care about giving good advice. If you see openssl passwd -crypt in an example of anything except very old, legacy usage, run away.

For password hashing, use, in order of preference:

  • Argon2, the official standard since 2015.
  • scrypt, which is memory-hard.
  • bcrypt, PBKDF2, or the similar Unix SHA-crypt algorithms, which are CPU-hard but not memory-hard.

OpenSSL only implements the Unix algorithms (openssl passwd -5 or openssl passwd -6, with -5 being slightly faster on 32-bit machines and -6 on 64-bit machines).

None of these use a ridiculously small (by today's standards) salt.

See also In 2018, what is the recommended hash to store passwords: bcrypt, scrypt, Argon2? and How to securely hash passwords?.

Gilles 'SO- stop being evil'
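As an added example (not part of either answer above, and not OpenSSL's code): a Python script that reproduces the salt truncation both answers describe and contrasts it with a modern salted hash. effective_des_salt keeps only the two characters crypt(3) reads, so "foo" and "foo111" map to the same salt, and salt_space_bits shows why that is only 12 bits. hash_password and verify_password use scrypt from Python's standard hashlib with a 16-byte random salt and a constant-time comparison. The scrypt cost parameters and the "$scrypt$N$r$p$salt$hash" record format are my own choices for illustration, not the Unix $7$ encoding or any library's standard format. Python is used rather than openssl passwd because current OpenSSL releases no longer accept -crypt, so a shell demonstration of the legacy behaviour would not run on a modern system.

```python
import base64
import hashlib
import hmac
import math
import os
from typing import Optional

# Alphabet of traditional DES crypt() salts: 64 symbols, so each salt
# character carries 6 bits and the 2-character salt carries 12 bits.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def effective_des_salt(salt: str) -> str:
    """Return the part of `salt` that traditional crypt() actually uses.

    crypt(3) reads exactly two salt characters and ignores the rest, which
    is why 'foo' and 'foo111' produce the same hash in the question.
    """
    used = salt[:2]
    if len(used) != 2 or any(c not in CRYPT_ALPHABET for c in used):
        raise ValueError("DES crypt salt needs 2 characters from [./0-9A-Za-z]")
    return used


def salt_space_bits(salt_chars: int, alphabet_size: int = 64) -> float:
    """Entropy of a salt drawn uniformly from `alphabet_size` symbols."""
    return salt_chars * math.log2(alphabet_size)


# scrypt cost parameters: assumed, illustrative values; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16  # 128-bit random salt, far beyond crypt()'s 12 bits


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash `password` with scrypt and a 16-byte salt.

    The record format '$scrypt$N$r$p$salt$hash' is made up for this example;
    it is not the Unix $7$ encoding or any library's standard format.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) < SALT_BYTES:
        raise ValueError("salt must be at least %d bytes" % SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                        _b64(salt), _b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed login, do not crash
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("effective DES salt of 'foo111':", effective_des_salt("foo111"))
    print("DES crypt salt space: %.0f bits" % salt_space_bits(2))
    print("16-byte salt space:   %.0f bits" % salt_space_bits(16, 256))
    record = hash_password("bar")
    print(record)
    print("verify 'bar':", verify_password("bar", record))
    print("verify 'baz':", verify_password("baz", record))
```

Hashing the same password twice gives two different records because the salt is freshly drawn from os.urandom each time; verification works because the salt and cost parameters are stored alongside the hash, which is the same reason the -5 and -6 outputs of openssl passwd carry their salt in the "$6$salt$hash" string.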