Hey everyone!!!
Welcome back to the last part of Hashing & Salting subject where we are now going to learn about Salting. As we saw earlier hashing alone cannot provide security to our information, while we need something more to secure it. This is where Salting comes into the picture. So without any due let's get into our maze.
Salting
Salting is a process of adding uniqueness to the hashed strings without needing any user interaction, to mitigate the password attacks like hash tables(which we have learned in earlier posts). Just as salt provides taste to our food, this salting provides extra protection to our hashed strings.
Salting may seem like a step in a recipe, but when it comes to cryptography it refers to adding a piece of random data to the output of hashed string to make it unique even if the hashed outputs are the same. So, let's understand it better with an example, shall we:
String: Password!
Salt: L3tme!n
Salted input: L3tme!nPassword!
MD4 hashing: b2a7c6b2ecafbe36f3f6b04163f85029
This is how salting works, and the salt can be added before or after the string. So, let's take the part 1 scenario where we have two users using the same password and see how salting can help us out in this situation.
String: Password!
Salt1: L3tme!n
Salted input: L3tme!nPassword!
MD4 hashing: b2a7c6b2ecafbe36f3f6b04163f85029
String: Password!
Salt2: L3tme0ut
Salted input: L3tme0utPassword!
MD4 hashing: 60bc5b5a7395ebee6254e0dcd5e6f700
Voila! we have different outputs for the same input, and it is as simple as it looks. Different users, same passwords. Different salts, different hashes. Even if the attacker has the full list of passwords, they cannot find out that two users have the same passwords. If the user changes their password then a new salt should be provided.
But, can we have a simple random string as a salt? The answer is NO. We cannot have a simple string as salt. We need to have a string that is strong and hard to crack. We need to have different random strings as salts, but not the same salt for all passwords which will make the condition no better. So, we need to make sure that we have separate salts for each password or even for reset passwords. But, how and where do we store these salts? Well, the answer will be our database, but it cannot be publicly available. These can be stored in clear text in our database without any encryption as they are just used to add to the password and then hashed.
Common Salting Algorithms
It is not secure to use just hashing algorithms, wherein we can use functions that help boost our security. Some of them are Argon2, scrypt, bcrypt. Let’s learn a bit more about each of these.
Argon2: It is a secure password hashing algorithm. It is designed to have both a configurable runtime as well as memory consumption, which decides how long it takes to hash a password and how much memory is required.
scrypt: Designed in 2009, scrypt uses a large, yet the adjustable amount of memory in its computations. Its adjustable nature means that it can still be resistant to attacks even as computing power grows over time.
bcrypt: It is a password hashing function designed by Neils Provos and David Mazières. It is an adaptive function the iteration count can be increased to make it slower, so it remains resistant to brute force search attacks.
As we have seen so far, hashing and salting are two very important aspects of security and we cannot simply ignore them. But in the real world and as technology is getting complex and more powerful no method is secure and posses its own set of risks. But as far as we are concerned this is the best way to secure our passwords(at least for now).
See you guys next time. I would love to hear your feedback and improve myself. Check out my Instagram to get updates and tricks to find vulnerabilities.
Till then Take Care and Happy Learning 😄
Commentaires