
Hashing and Salting

By Hackt3r

Hello Everyone and welcome back. Today we are going to learn about Hashing and Salting, which is a very important yet interesting subject. So let's dive into our maze.


Ever wondered how our passwords are stored in databases? If your answer is "just as we type them", then you are probably wrong, at least from a security point of view. Passwords should never be stored in plaintext. Instead, they should be stored as the output of a hashing algorithm. But hashing alone doesn't fully protect your credentials; we need salting to do the remaining work. So let's learn each of these two terms in detail.


Hashing

Hashing is simply a process of turning plaintext into a text of fixed size using some algorithm. Hashing is a one-way process, though in practice a hash can still be "reversed" by guessing candidate inputs and comparing their hashes. It works like this: you put in text of any size and it gives you a result of a fixed length. If you are using the SHA-256 algorithm for hashing, then whatever text or string you give it, the output will always be 256 bits, represented as a 64-character hexadecimal string.



It also should not produce the same hash string for two different input strings. If it does, it is not an effective algorithm. In 2016, Google reported that SHA-1 is no longer effective.

So let's see how hashing works in a real-world example. You sign up for a website and give them your credentials, and they store the following information in the following way:

  1. Username — Plaintext

  2. Password — Hashed string

  3. Email — Plaintext

So, now when you sign in to your account, the username/email is looked up and the password you provide is hashed using the same algorithm and compared with the hash in the database. If both hashes match, then you are authenticated to your account. This is how hashing works.


But there is a problem with hashing. Before we discuss that, let's see some popular hashing algorithms we use and how they work.

  1. MD4: The MD4 Message Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. Its security was compromised by a full collision attack in 1995.

  2. MD5: The MD5 message-digest algorithm is a cryptographically broken but still widely used hash function producing a 128-bit hash value. It was developed by Ronald Rivest in 1991 to replace MD4. It has been found to have serious vulnerabilities but is still used as a checksum.

  3. SHA: The Secure Hash Algorithm is a family of algorithms. It is best known as the hashing algorithm used in most SSL/TLS cipher suites.

  4. Whirlpool: Whirlpool is a hash function from the Square block cipher family, designed by Vincent Rijmen and Paulo Barreto in 2000. It produces 512-bit hashes that are typically represented as 128-digit hexadecimal numbers.

  5. RIPEMD: A family of cryptographic hashing algorithms with output lengths of 128, 160, 256, and 320 bits. It was developed within the framework of the EU's RIPE project by Hans Dobbertin and a group of academics in 1996.


Some examples of hashing the same two strings with different algorithms. Under each algorithm, item 1 is the hash of String 1 and item 2 is the hash of String 2.


String 1: Passw0rd!

String 2: 1234


MD4 :

  1. 402843bdbae65ba572eb994938e10e8c

  2. f375f401ddc698af533f16f8ac1e91c1


MD5 :

  1. 47b7bfb65fa83ac9a71dcb0f6296bb6e

  2. 81dc9bdb52d04dc20036dbd8313ed055


SHA2 :

  1. a1d9a9e99e70ece06f6ef5782627cac869db9754ac6dfab01ff47900def77f581b562e6f82be47887ff9c0d58e2f0a622d396a472f07caea2ddaf83c77bff689

  2. d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db


SHA3 :

  1. 6f3f5c366a106593759cca32c248094593c4f20dd50b1a0628adb1d8a0fa7112b63031a435510c4a6388bb3e34ca5005f7fe4cb4707e2baee5826fcfecfbafff

  2. d760688da522b4dc3350e6fb68961b0934f911c7d0ff337438cabf4608789ba94ce70b6601d7e08a279ef088716c4b1913b984513fea4c557d404d0598d4f2f1


Whirlpool :

  1. 0959abf30169ee33bb8991effe025295d9ef749c2085b192eb6d0d09b9690bb505b3d8b83edad9034ea0f4b957ed3f83c0ba5d5c3b09e8f3a176c0cb44e06c7a

  2. 2f9959b230a44678dd2dc29f037ba1159f233aa9ab183ce3a0678eaae002e5aa6f27f47144a1a4365116d3db1b58ec47896623b92d85cb2f191705daf11858b8


RIPEMD :

  1. cd22b456a3def9bc6fabc807c81a1858667e88aad1149bad98a8b559a69ec704846011e8a880157b

  2. 66e546cf51187026124b6f25d64bcba03654a3a55e90c81bc10c4c771d5c704c53b6b6eda6362ce3

So no matter how long or short your string is, the output of a given algorithm is always the same length. Try it yourself and play with it using the CyberChef tool.


Let's now see how hashing alone can be a disadvantage. Imagine a database that contains information about users, and two of those users have the same password. If we hash every password with the same algorithm and save the hashes in the database, both users end up with an identical hash. If by any chance our database is compromised and the attacker has all the hashed passwords, he can run a rainbow-table or dictionary attack on them (I am hoping to explain these in detail in my next post), and once he recovers a password he can use that same password to get into every account that shares the hash. If it is an admin password or a default password for confidential parts of the website, it can cause a lot more damage.
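To make the sign-up/sign-in flow and the duplicate-hash problem concrete, here is an added example in Python (my code, not from the original post). It builds a constructed user database with unsalted SHA-256 hashes, verifies a login, shows that two users with the same password are visibly sharing a hash, and contrasts that with a per-user random salt. The usernames, e-mail addresses and the `demo` helper are constructed for the example.

```python
import hashlib
import hmac
import os

def hash_hex(algorithm: str, text: str) -> str:
    """Digest of text with the named hashlib algorithm, as a hex string."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()

def signup(db: dict, username: str, email: str, password: str) -> None:
    """Store the record the way the post describes: username and email in
    plaintext, the password only as its (unsalted) SHA-256 hash."""
    db[username] = {"email": email, "password_hash": hash_hex("sha256", password)}

def signin(db: dict, username: str, password: str) -> bool:
    """Hash the supplied password and compare it with the stored hash."""
    record = db.get(username)
    if record is None:
        return False
    # compare_digest keeps the comparison time independent of where the strings differ
    return hmac.compare_digest(record["password_hash"], hash_hex("sha256", password))

def shared_hashes(db: dict) -> dict:
    """Map every hash stored for more than one user to the usernames sharing it.
    With unsalted hashing, equal passwords are visible as equal hashes."""
    by_hash = {}
    for username, record in db.items():
        by_hash.setdefault(record["password_hash"], []).append(username)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over a per-user random salt plus the password; the same password
    then hashes differently for each user, so duplicates are no longer visible."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def demo() -> dict:
    db = {}  # constructed sample database
    signup(db, "alice", "alice@example.com", "Passw0rd!")
    signup(db, "bob", "bob@example.com", "Passw0rd!")
    signup(db, "carol", "carol@example.com", "1234")
    return {
        "login_ok": signin(db, "alice", "Passw0rd!"),
        "login_bad": signin(db, "alice", "passw0rd!"),
        "duplicates": shared_hashes(db),   # alice and bob share one hash
        "salted_differ": salted_hash("Passw0rd!", os.urandom(16))
        != salted_hash("Passw0rd!", os.urandom(16)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The MD5 and SHA-256 values for "1234" can be checked against the MD5 list above and against CyberChef.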


So to prevent this we use Salting, which we will learn about in our next post. I would love to hear your feedback and improve myself. Check out my Instagram to get updates and tricks to find vulnerabilities. And don't forget to wait for my next post😄

Till then Take Care and Happy Learning!!!



©2023 by M Sathvika Sai
