Passwords are the cornerstone of security, preventing unauthorised access to your network, applications, and customer accounts. One of the key challenges of password security is storing them. If you store passwords in a database as plain text, anyone who gains access to the database can read them, just like the words you’re reading right now. Salting the hash is a technique that protects against this vulnerability.
To understand salting the hash, we will look at salting and hashing individually, beginning with the hash.
What is hashing?
Hashing is a password encryption process that uses an algorithm to convert data of any size into a fixed length. The process is slightly different from encryption in that the process is one way. The resulting hash value, also referred to as a hash sum or hash code, cannot be decrypted or would require such a tremendous amount of computer power to do so that it would be infeasible.
What is salting?
Salting is the process of adding a unique value to the end of a password before hashing takes place. Salting the hash is crucial because it ensures that the encryption process results in a different hash value, even when two passwords are the same.
If salt is not added to the hash, then an attacker can make certain conclusions. For instance, if many hash values are the same, the attacker can determine that the server uses a default password for all new accounts or predict which password maps to a hash and gain access to all those accounts.
By salting the hash, you protect password lists against brute force attacks. A brute force attack is a technique where a cybercriminal uses a computer or several computers (botnet) to attempt every possible combination of numbers and letters until a password is found.
Here John and Becky have used the same password, 12345 (which we don’t recommend), resulting in the same hash value.
- John: 12345 = 2cf249040ed759fg
- Becky: 12345 = 2cf249040ed759fg
By adding a unique salt value to the password, the hash value becomes unique.
- John: 12345+Q59f94g04fQx = 4cf949a401dg51dr
- Becky: 12345+R69b94Q63sr3 = 1dr2004a0zd15f3g
The salt added to the password needs to be unique for salting the hash to have the desired effect. If you add the same salt value, two of the same passwords will still result in two of the same hash values.
Generating a good random salt
To generate a good random salt, you must avoid reusing the same salt and using salt that is too short. Another common error is using the username as the salt because these are often reused and predictable, allowing attackers to use common tables and dictionary tables to conduct brute force attacks.
Your salt must be generated using a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) such as SecureRandom. These provide a high level of security, and the random salts are entirely unpredictable. The hashing process should be undertaken using a password hashing function such as scrypt, Argon2, PBKDF2, or bcrypt.
Salting the hash is a complex methodology, and their implementation should be left to security experts.
Is salting the hash a better way to store passwords?
- Yes – Salting the hash is better than storing an unsalted password. Hashing and salting are among the most secure ways to protect passwords without exposing them for future authentication.
Mitigating Password Attacks
The most effective way to mitigate password attacks is to ensure you and your employees use a password manager.
To ensure strong password security and to highlight other potential vulnerabilities, no matter the size of your IT resources, your company should use a security company, such as OmniCyber. We offer penetration testing, Cyber Essentials certification, among other cybersecurity services, to strengthen your defences and add an extra layer of security to your information security plan.