Password Hashing: Add A Little Salt And Pepper

Salted-Password-hashing

The world of cryptography has revolutionized the safety of passwords. However, as technology evolves to reach greater heights, the hackers get smarter too.

A data breach in 2016, revealed 6.8M records. The surprising part is that 86% of these records were already available in a list of passwords that have been leaked in prior data breaches. So, should the service providers entirely disable the usage of such password combinations?

As an end-user, you are prone to using passwords that you are relatable to you, something that you can remember. Entirely unrelated sets of words cannot be remembered without making a note of it elsewhere. This task of noting down the password itself invites a breach of data.

Imagine remembering a combination of random letters, numbers, and symbols every time you create an account. This task takes a step back in providing customers with the best service.

Thankfully, you don’t have to go through this.

Password Hashing The Rescue

The world of cryptography has grown to curb the evils of cybercrime and continues to do so. Let’s understand how.

Password hashing rescues you from all the cumbersome tasks of coming up with original passwords that haven’t already been leaked and available on various platforms out in the open.

It allows you to have passwords containing only a few essential criteria as set by the service provider.

Password hashing turns your password into a completely different combination of alphanumerical sets. Also, it stores this newly obtained combination as your identity verifier—this allows for your password to never actually be stored.

How Does Password Hashing Work?

Password hashing is a process where a password of any size is fed as an input to a mathematical algorithm called hash function. This converts the password into a hash of fixed size, depending on the algorithm in use.

Simple example of password hashing:

Password: dontforget7
Hash (MD-5): 1ca7a2b9eae6524f8111e12ccae13996
Here, the algorithm used in MD-5.
MD-5 is a 32 digit, 128-bit algorithm, wherein each hexadecimal value represents four digits.

As you can see, the final output is nowhere similar to the original input.

When the user tries to log in, the entered password is hashed. If the output is the same as the stored hash then the user is deemed as legit.

Here, the final hash is not encrypted as only the value of hash provides little value to the hacker. This is one of the critical elements of password hashing. With just the hash value, the original password cannot be obtained as opposed to other encryption methods.

Other encryptions simply need a key-value to decrypt the password. This situation cannot occur in password hashing as it is pre-image resistant. This essentially means that just with the final hash value, the original value cannot be retrieved, password hashing is irreversible.

The Evolution Of Password Hashing

Password hashing solves one of the key aspects of password security. The password need not be stored as cleartext, which means when hackers tries to get a hold of an account,  all they see are random sets of alphabets and numbers, not the actual password.

However, password hashing is deterministic. This means one input will always provide the same output when passed through the same algorithm. If the password of one account is cracked, it enables the hackers to obtain access to all others containing the same password in the database.

This makes several accounts vulnerable, with no other security measures in place. Especially with several attack vectors in place, hackers can use many paths to break open an account.

Dictionary attacks use the most commonly used words, map them to their corresponding table of readily available hashed value to try the various passwords.

Brute force attacks bombard the system with several passwords until one of them finally breaks the account.

Rainbow tables, as pleasant and colorful as they sound, they are tables with several lists of password to compute the possible hash values. These, along with lookup tables and reverse lookup tables, can compute the possible original input much faster than brute force attacks. Even though rainbow tables take large amount of space, they pay off with the speed hackers can break open the account.

With all the troubles looming around for hashing, it became essential to enhance its security.

This is why the addition of security ingredients like salt and pepper became necessary.

Adding Salt To Your Passwords

Salted password hashing is the practice of adding a random value to your password and then passing it through a hash function. This value can either be appended or prepended to your password. The hash value obtained now is unique even of two users use the same password. The hash value is a combination of the two: hash (Salt|Password).

A simple example of salted password hashing:

Password: dontforget7
Salt: ghsjttn44n6
Hash (MD-5): 368add744d0efd445b0f170dbd54891d

Password: dontforget7
Salt: bvoejt46na
Hash (MD-5): b868bc8f55f0416616b10962fbbb27fa

As you can see, the two hash values are distinctly different from each other. The salt value is unique to every user and changes every time they reset their password. The value of the hash must follow the OWASP Guidelines.

Increase Your Security, Add Some Pepper

Another interesting way to make the password hashing more secure is to add pepper along with salt.

Pepper here refers to a secret key that is added to your password before it is hashed. The significance of pepper is not to simply complicate the process of deciphering. It is added to make deciphering passwords impossible.

Salt does not have to the encrypted. It can be stored in cleartext. However, when pepper is added it must be hashed too, and the security value is enhanced only if it is stored in a separate database. Because, if a hacker gets hold of your system, they can most likely get hold of your entire hard disk. The storage of pepper, after it is hashed, is the crucial aspect of adding pepper to hashing.

You Can Never Be Too Secure

Irrespective of how many ingredients you wish to add to the passwords to keep them far from the hackers, you need to have multiple security practices in place.

Along with salted password hashing with pepper, you can use password stretching. This increases the computation time for passwords, by making them undergo multiple iterations: hash(hash(hash(hash(Salt||Pepper||Password)))).

An efficient password manager, which allows you to have multiple layers of security with multi-factor authentication(MFA) is an added and must-have protective tool for security.

Technologies that can notify a change in a user’s behavior like time, location, IP address, and increase the level of authentication required to access the account provide intelligent solutions to today’s cybercrimes.

Adding symbols or numbers does not secure passwords, but instead, enriching them with flavors and layers of security do.

Leave a comment

You must be logged in to post a comment.