Password Security Using Encryption, Hashing, Salting and Pepper

Naveen Verma, WebEagle
Jul 5, 2019

Every day, millions of people sign up on online websites such as news sites, YouTube, social media, and shopping sites. They provide the site with personal details such as their name, address, and account details. All of this information has only one line of protection: the user's password.

So, imagine how much damage a hacker can cause if he/she somehow gets access to one or more of these users' passwords. That person would be able to add files, edit personal details, initiate transactions, and perform many other malicious tasks. The hacker could even use the password to spread viruses through your website.

Therefore, as a web designer, it is essential that you take particular measures to prevent password theft.

In this article, we will look at the various methods you can use to enhance the password protection of your website.

What Is Encryption and How Does It Work?

Encryption is the oldest way to protect important information from unauthorized eyes. The Spartans used such techniques around 600 BC to protect their secret messages. They called it cryptography, the art of hiding information behind unreadable text. Over time this technique evolved and gave birth to modern encryption.

The CEO of WebEagle, Akram Artoul, notes that encryption methods have evolved a lot since their origin, but the central idea of the process is still very similar to the ancient approach. You write the text you need and apply a cipher key to it. The cipher is an algorithm that defines rules for rewriting the plain text into code.

The generated code bears no resemblance to the original words, so only a person with proper knowledge of the cipher can decode it.

To better understand the method, take the simple word “Pelyia.” Let’s say it is the name of a user, and you want to encrypt it with a three-place shift cipher. Here’s how you would do it.

P E L Y I A

You take each letter separately and replace it with the letter that comes three places after it. If the shift goes past the last letter of the alphabet, you wrap around and continue from the beginning. It becomes:

S H O B L D

So, the encrypted form of PELYIA is SHOBLD. The coded text has no meaning on its own and looks nothing like the original text, which means the password is safe until the hacker gets the cipher key.
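The shift cipher described above, implemented as an added example (this is not code from the article or from WebEagle). It generalises the three-place example to any shift, handles the wrap-around from Z back to A, and includes a function that lists every possible shift, which is exactly why this family of ciphers offers so little protection once the method is known. The alphabet and the upper-case normalisation are assumptions made to match the PELYIA example.

```python
import string

# Constructed for the example: the 26-letter alphabet the article's PELYIA example uses.
ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, shift: int = 3) -> str:
    """Replace each letter with the one `shift` places ahead, wrapping from Z to A.

    Non-letters pass through unchanged; input is upper-cased to match the article.
    """
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            idx = (ALPHABET.index(ch) + shift) % len(ALPHABET)
            out.append(ALPHABET[idx])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Undo shift_encrypt: shifting by -shift walks each letter back."""
    return shift_encrypt(ciphertext, -shift)


def all_shifts(ciphertext: str) -> dict:
    """Every candidate plaintext for this cipher family.

    There are only 25 non-trivial shifts, so a ciphertext can be read without
    the key just by listing them all; this is the weakness the article's
    'Types of Encryption' section refers to.
    """
    return {k: shift_decrypt(ciphertext, k) for k in range(1, len(ALPHABET))}


if __name__ == "__main__":
    enc = shift_encrypt("Pelyia")
    print(enc)                  # SHOBLD
    print(shift_decrypt(enc))   # PELYIA
    for k, candidate in all_shifts(enc).items():
        print(k, candidate)
```

Running the block prints SHOBLD, recovers PELYIA with the correct shift, and then shows all 25 candidate decryptions, one of which is obviously the name.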

Types of Encryption

Experts like Akram Artoul state that encryption was a significant step toward password protection, but it has a severe drawback that compromises its security. The process follows a fixed algorithm, which means a hacker who knows the cipher can decrypt the data. It takes time to try all the possible ciphers, but it is possible.

So, the developer has to keep changing the ciphers.

The following are the different types of algorithms that we are currently using:

AES - Advanced Encryption Standard
RSA - Rivest-Shamir-Adleman
ECC - Elliptic Curve Cryptography
PGP - Pretty Good Privacy

Hashing and Its Application

Hashing is a password protection algorithm that reads and stores your password as a digital fingerprint. The method uses a combination of mathematical functions to turn the text into unreadable text of a fixed length.

Let’s take the example of the same word, “Pelyia.”

In this case, we applied a common hashing algorithm (SHA-1, which produces a 160-bit digest) to generate its hash. Here is the result:

11C8BC2A01F1C3A7B3105CBB7D91FDA2AE5E46E8

There is no way anyone can guess the exact text behind this hash code without knowing the algorithm applied to it.

Another advantage of hashing is that, unlike encryption, it is a one-way technique and works directly on the input data. When a user enters the password, the system does not handle it as plain text but as the hashed text. This way, the original password never enters the system's storage; hence, there is no way to decrypt the stored code back into it.

According to Akram Artoul and his team, this technique is quite successful because you can always use different mathematical functions to generate the algorithms. Therefore, hackers have no practical way to crack the codes directly; they have to rely on brute-force or dictionary attacks to get at them.
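An added example (not from the article or WebEagle) of the "digital fingerprint" properties described above, using the same SHA-1 algorithm the article applies to “Pelyia”: the output is always 40 hex characters (160 bits) regardless of input length, the same input always gives the same digest, and changing a single character scrambles roughly half of the output bits. SHA-1 is used here only because the article uses it; as a fast hash it is not suitable on its own for storing passwords, and the salt-and-pepper example later on uses a slow key-derivation function instead. The comparison input “Pelyib” is constructed for the example.

```python
import hashlib


def sha1_hex(text: str) -> str:
    """Return the SHA-1 digest of `text` as 40 hexadecimal characters (160 bits)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def fingerprint_report(text: str, variant: str) -> dict:
    """Summarise the fingerprint properties for `text` against a near-identical `variant`.

    - fixed length: the digest is always 160 bits, however long the input is
    - deterministic: hashing the same text twice gives the same digest
    - avalanche: a tiny change in input changes many output bits
    """
    digest = sha1_hex(text)
    return {
        "length_hex_chars": len(digest),
        "total_bits": len(digest) * 4,
        "deterministic": digest == sha1_hex(text),
        "bits_changed_by_small_edit": differing_bits(digest, sha1_hex(variant)),
    }


if __name__ == "__main__":
    print(sha1_hex("Pelyia"))
    # Constructed comparison: one character changed at the end of the name.
    print(fingerprint_report("Pelyia", "Pelyib"))
    # Even an empty input produces a full-length digest.
    print(sha1_hex(""))
```

The report shows why the article can call the hash a fingerprint: you cannot tell from the digest how long the input was, and two inputs that differ by one letter produce digests that share nothing recognisable.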

Salting and How It Works

Hashing algorithms are much safer than encryption ciphers, but they are not completely immune. As already stated, hackers could use a dictionary attack, a brute-force attack, or both to guess the password. Therefore, developers came up with salt, an innovative way to complicate the hashed codes.

In simple terms, salt is an external set of unique words or characters that developers add to the hashed passwords. It changes the hash value and hides the real value.

Let’s take the example of the hash we generated earlier:

11C8BC2A01F1C3A7B3105CBB7D91FDA2AE5E46E8

Now, you add a salt, say “SALT,” to it, and the code becomes:

11C8BC2A01F1C3A7B3105CBB7D91FDA2AE5E46E8SALT

The change may not seem like much, but in terms of the algorithm, it is far more than you might imagine. WebEagle CEO Akram Artoul says that hash codes are very sensitive to their input values; a login will not be accepted even if a single bit of information changes.

This means that even if the hacker gets access to the password database, he/she will be spending time and effort on codes that carry more than the original values, so they will not succeed.

What Is Pepper Password Protection?

Another innovative approach to enhancing password security is to add a pepper to the passwords. The process is very similar to the salting technique, except that here you add the unique text before hashing the password.

The working of this technique is simple: since you added a set of words before hashing, the final hash codes will not correspond to the actual password alone. This means that even if the hacker finds a way to crack the salted password, he/she will end up with a value that is close to, but not, the actual password.

The pepper value is kept hidden, and only the administrator has access to it, so the recovered password will do the hacker no good. Hence, your network remains safe and secure.
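An added example (not from the article or WebEagle) that puts the salting and pepper sections together in code for storing and checking a password. Unlike the illustration above, which appends “SALT” to the finished hash, this example mixes a random per-user salt into the password before hashing, which is the standard practice and is what makes two users with the same password store different values. The pepper is applied as the article describes, before hashing, as a secret server-side key fed through an HMAC; someone who copies the database still lacks that key. The pepper value, the PBKDF2 iteration count and the `salt$hash` storage format are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a real pepper. In deployment it lives outside the password
# database (configuration store, HSM or key-management service), never beside the hashes.
PEPPER = b"example-pepper-keep-out-of-the-database"

# Work factor for PBKDF2-HMAC-SHA256; a deliberately slow hash makes guessing expensive.
# Kept modest so the example runs quickly; production deployments should use a higher count.
ITERATIONS = 200_000


def peppered(password: str) -> bytes:
    """Apply the pepper before hashing by keying an HMAC with the secret PEPPER."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the stored form 'salt$hash'.

    A fresh 16-byte random salt is drawn per user unless one is supplied
    (supplying one is only for reproducible tests). The salt is stored in the
    clear next to the hash; its job is uniqueness, not secrecy.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", peppered(password), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", peppered(password), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("Pelyia")
    print(record)
    print(verify_password("Pelyia", record))   # True
    print(verify_password("Pelyib", record))   # False: single-character change rejected
    # Same password, new random salt: a different stored value every time.
    print(hash_password("Pelyia") == hash_password("Pelyia"))   # False
```

Two design points are worth noting: the salt is not secret and is stored with the hash, whereas the pepper is never written to the database; and `hmac.compare_digest` is used for the final comparison so that the time taken to reject a wrong password does not depend on how many leading bytes happened to match.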

The Final Words

These are the main techniques that well-known firms prefer for their websites. They believe these protections can prevent hackers from obtaining passwords, which are the easiest way into a network. The CEO of WebEagle, Akram Artoul, and his team of expert developers also say that these techniques are the best security measures a developer can take to protect user information.

So, if you are planning to create an application or website, these are the techniques you must employ.

A Digital Marketing Expert born with love for technology. Loves to Write, Travel and explore the world of new opportunities.