Password salting is an essential part of increasing your database security. Password hashes stored on your server can be vulnerable to bad actors utilizing dictionary and rainbow table attacks.
However, password salting can be an effective and vital way to minimize these threats. When companies fail to properly secure data, they put their organization at risk for devastating cyber-attacks, like the recent Montenegro cyberattack by Russia.
Enhancing Security for Your Organization
Password security doesn’t just have to involve picking a solid password or encrypting your passwords. Salting passwords is another excellent tool to use in conjunction with other types of password security. Salting passwords and hashing those passwords afterwards can be a more secure way of storing information on your servers.
Salting and hashing have many applications beyond passwords too. For example, you may generate large lists of personal identifying information for an email marketing campaign. Salting and hashing can store this data securely so hackers can’t access it. In the rest of this article, we’ll examine password salting and why it’s so critical for your cybersecurity.
What Does Password Salting Mean?
Password salting is used in conjunction with hashing. When you salt a password, you add random integers and strings to every password before you hash it. A salt is a randomized, considerably large value generated when you use a secure random number generator or random bit generator. Salts get stored with each password hash value on your server, thus creating unique hash values for passwords.
What is Hashing?
Hashing is taking an input and then converting it into a randomized string of an identical length. Hashes allow you to conceal the extent and information contained in the original input value. This enables you to verify data and secure your passwords against different types of attacks.
For example, dictionary attacks, which look for specific words frequently used in passwords, are ineffective against hashed passwords because the password input becomes randomized by the hash. Hashes can also be used for the secure storage of cryptocurrency because they can add another layer of encryption to passwords used for your crypto wallet accounts.
Combining Salting and Hashing
At the bottom, salted password hashes are more secure than plaintext passwords or unsalted hashes because they combine the strength of salting with the resilience of hashing. Hackers won’t be able to look through your database for passwords or their corresponding hash values that coincide with common or shared passwords. Finally, salted password hashes are too impractical and unwieldy to determine on a case-by-case basis.
For example, a typical password might be “12345password”. When you add a randomized salt to the plaintext password, the result would be “x$912345passwordN~j” for one user. But, because the salt is randomized, it would be different for another user who used an identical password. Once hashed, the resulting strings would both be unique.
It’s essential that bad actors can’t discern the salt that’s been used, so this is why salts should be unique and randomly generated before they’re hashed. The goal is to create a hash that would be too labor intensive and difficult to calculate each password using individual salts.
This prevents bad actors from utilizing scripts and AI to crack your hashes and salted passwords. When used in conjunction with other cybersecurity principles, like two-factor authentication, encryption, and password best practices; salted password hashing makes your databases even more secure.
How Password Salting Can Make a Stronger Hash Value
In an ideal world, users would create strong, unique passwords and passphrases for their accounts. However, in reality, most people don’t use password best practices. Users frequently use common passwords, reuse passwords across devices and accounts, and even share their passwords.
Let’s take a look at a quick example of how an MD5 hash can impact a common password. If we hash the password, “admin,” we get: 21232f297a57a5a743894a0e4a801fc3. If two users both used “admin”, they would have identical hashes without salting.
If we add a randomly generated salt string, “E4OAovh7rb” to the password, the new hash we get is: 24e231fcd0b20b0e3fd3dccf8b160c29.
If one user’s hash or salt gets exposed, the damage is minimized because all of the salts will be unique, even if the passwords aren’t. This can be a great way to secure email passwords.
Any given input will always return the same hash value, so this means that “admin” will always return 21232f297a57a5a743894a0e4a801fc3 when you utilize the same hash function. Changing the string at all will result in a totally different hash value. Salting is helpful because it opens up the potential for unique hashes to be generated. Today, many CEOs and other business leaders are concerned about cyber defense and how to manage cyberattacks against their companies.
Salting and hashing aren’t the only way to enhance password security, however. In the next section, we’ll explore peppering, a related methodology for creating unique hash values.
Password Salting versus Password Peppering: What’s the difference?
Salting and peppering are related terms in cryptography, and although they may sound interchangeable -- they are not. Salts and peppers are both values that can be added to password strings before they’re hatched to create unique hash values. Peppers work similarly to salts, except that peppers utilize a secret value that is reusable. Since peppers are reusable, you should avoid storing them alongside password hashes in your database.
When you utilize peppers, they should be organized so that they can be rotated regularly, and multiple peppers should be stored. Newer passwords and passwords that are being changed should use the latest pepper and then hash that pepper using a cryptographically sound hash function like MD5 or SHA256. This can then be stored in your database next to the salt so that later logins can determine which pepper was last used.
However, you should avoid using peppers in conjunction with salts because salts are not personal values, so they can appear in the final hash value output.
How Does Hashing Secure Passwords?
Hashing is a type of cryptography that takes plaintext strings and converts them into a fixed-length string of random characters. Hypothetically, you could copy and paste the entire text of the U.S. Constitution into a hash, and the resulting hash would be the same length as a weak password, like “admin.”
Security experts utilize hashing as a way to confirm if input is altered after it’s been processed. Hashing is utilized in conjunction with digital signatures that are used to create a digital identifier for organizations, users, or individuals related to the data. The combination of digital signatures and hashes helps ensure that data is authentic and that it comes from the person it claims to.
When you create a hash, the process is, for all intents and purposes, impossible to reverse. Even with today’s computers, it takes too long and too many resources to reverse engineer a hash back to its original input.
Significantly, hashes differ from encryption, which is used to transmit data between two sources. Encryption is often used when sharing sensitive information, like verifying patient information between a doctor and patient. Encryption, at its most basic, is the process of generating secure data that can later be decrypted using a special private key.
The Bottom Line: Why You Should Use Password Salting for Improved Password Security
When you utilize salted hash values for database security, you ensure that the original plaintext passwords are never uploaded to your server. This protects passwords against dictionary and rainbow table-type attacks.
It also limits the accessibility of passwords and prevents employees and bad actors from accessing them. By utilizing salted password hashes, you’ll be increasing security and helping to better protect valuable data.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.