Hashed and Salted Passwords

Information is key. Your information is important. In an interconnected world of instant information, we are often asked for our information at times to do things like to view a website, to like a post, to share a gif, or check a bank statement. Normally, to do the above we have to create account and login with our username/email and passwords. That information is then saved on the server, into the database, where hopefully it will be safe, at least until you forget your password. But how are passwords saved safely?

First I want to verify the difference between encrypting and hashing. Encrypting is a two way function, meaning it is reversible. So for example if a file is encrypted, it can also be decrypted. We see this often for like encrypting backups, with the intention of retrieving the backup back if needed. Hashing, on the other hand, is a one way function/mapping, and so it is not reversible. Also even if the input is only slightly changed, the resulting hash is completely different. Therefore, it would be very difficult to undo hashing, to obtain the original value thus applications use cryptonic hash functions to secure important user information like passwords.

hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
hash("bananas") = e4ba5cbd251c98e6cd1c23f126a3b81d8d8328abc95387229850952b3ef9f904

So in other words, when you enter a password on the server is goes through a hashing algorithm that scrambles your password.

That looks good. Unfortunately, just hashing a password isn’t enough. With pre-computed hashes of passwords, one could easily lookup a hash and find the matching key value. So adding salt, or a random string, to the password before hashing makes the hash even more complex. This way even the same password will have a different hash.

hash("hello")                    = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab
hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007

Some important things when it comes to salting is that the same salt should not be reused in each hash. If the salt is hard-coded or kept the same, then one could still look up passwords as the same passwords with the same salts will have the same hash. Salt should be generated using Cryptographically Secure Pseudo-Random Number Generators, which unlike functions like rand() are a high level of randomness and completely unpredictable. The other important thing about salting is that the salt needs be long enough. If the salt is too short then, it would be possible for one to make a lookup table for the salt too.

So passwords hashed with the SHA-2, Bycrypt, PBKDF2, Scrypt algorithms, just to name some, are also salted. Therefore, to break a password from so would require a brute-force attack, meaning trying every combination of possible characters.

Reference: wikipedia, crackstation, stackoverflow

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.