Here we look at what salt and hash are, how they are generated, and how the technique protects passwords.
What is salting the hash
To understand salting the hash, we will look at salting and hashing individually, beginning with the hash.
What is hashing?
Hashing is a password encryption process that uses an algorithm to convert data of any size into a fixed length. The process is slightly different from encryption in that the process is one way. The resulting hash value, also referred to as a hash sum or hash code, cannot be decrypted or would require such a tremendous amount of computer power to do so that it would be infeasible.
What is salting?
Salting is the process of adding a unique value to the end of a password before hashing takes place. Salting the hash is crucial because it ensures that the encryption process results in a different hash value, even when two passwords are the same.
If salt is not added to the hash, then an attacker can make certain conclusions. For instance, if many hash values are the same, the attacker can determine that the server uses a default password for all new accounts or predict which password maps to a hash and gain access to all those accounts.
By salting the hash, you protect password lists against brute force attacks. A brute force attack is a technique where a cybercriminal uses a computer or several computers (botnet) to attempt every possible combination of numbers and letters until a password is found.
Here John and Becky have used the same password (12345), resulting in the same hash value.
- John: 12345 = 2cf249040ed759fg
- Becky: 12345 = 2cf249040ed759fg
By adding a unique salt value to the password, the hash value becomes unique.
- John: 12345+Q59f94g04fQx = 4cf949a401dg51dr
- Becky: 12345+R69b94Q63sr3 = 1dr2004a0zd15f3g
The salt added to the password needs to be unique for salting the hash to have the desired effect. If you add the same salt value, two of the same passwords will still result in two of the same hash values.
Generating a good random salt
To generate a good random salt, you must avoid reusing the same salt and using salt that is too short. Another common error is using the username as the salt because these are often reused and predictable, allowing attackers to use common tables and dictionary tables to conduct brute force attacks.
Your salt must be generated using a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) such as SecureRandom. These provide a high level of security, and the random salts are entirely unpredictable. The hashing process should be undertaken using a password hashing function such as scrypt, Argon2, PBKDF2, or bcrypt.
Salting the hash is a complex methodology, and their implementation should be left to security experts.
Is salting the hash a better way to store passwords?
- Yes – Salting the hash is better than storing an unsalted password. Hashing and salting are among the most secure ways to protect passwords without exposing them for future authentication.
Is salting the hash the best way to store passwords?
No – Cybercriminals can attack unsalted passwords using brute force attacks and dictionary attacks. Brute force attacks use every possible combination of numbers and characters. While they take time and a significant amount of computational power, the brute force attack will eventually be successful. Dictionary attacks use a file containing common passwords, phrases, and words, to attempt to make a match.
Mitigating Password Attacks
The most effective way to mitigate password attacks is to ensure you and your employees use a password manager.
To ensure strong password security and to highlight other potential vulnerabilities, your company should use a security company, such as OmniCyber. We conduct penetration test as well as various other cybersecurity services, to strengthen your defences and add an extra layer of security to your information security plan.