This article explains what is password salting and its importance. Also, details on how to salt your passwords and a comparison between password salting and password peppering.
What if I tell you Password Hashing is not that secure, and attackers have workarounds to attack hashed passwords as well? Harsh but true, however, the real question is what to do to make password-based authentication more secure if hashing passwords is not enough.
The answer is Password Salting, to make it much more difficult for attackers to crack the passwords, even if they manage to get access of the hashed passwords. Here is a quick efforts comparison between attacking salted passwords versus unsalted passwords:
Without the salt, an attacker could use precomputed hash tables or rainbow tables to quickly look up the original passwords for a large number of hashes.
With the salt, the process becomes much more time and resource-consuming as the attacker would require to compute the hashes for each password separately.
Overall, password salting helps to enhance the security of password databases and is suitable for applications that store user data and other sensitive information.
What is Password Salting?
Password salting is a process of adding random unique salt to passwords before hashing them. It is used to enhance the uniqueness and difficulty of generated password hashes. Before hashing the passwords, salts are added to either the end or the beginning of the original password value.
The purpose of this is to make it more difficult for attackers to use pre-generated hashes to crack a password - known as hash table attack. It also ensures that a unique hash value is generated for the same password.
Q: How long should a password salt be? A: Between 32 and 128 characters.
Why is Password Salting Important?
Password salting generates stronger hash values. While password hashing is used to enhance security of the password storage mechanism, but, it has a limitation of not generating unique hash values if the same password is used by users.
For example, if Tom and Bob both used techpass56 as a password, their hash values are going to be the same. This case limits the security posture of password hashing.
Salting passwords solves this problem as it makes the password unique by adding random data to it before hashing the password, which results in unique hash values.
The following are the example of password hashes:
Username Password Hash Value
Dave 02726d40f378e716981c4321d60ba3a325ed6a4c
Jorge 4e561f5e2a0f48a173d7f5438a0bf4606a50c4da
Mike c483248a78b05f49784dfff20d714750cb52d0d4
Wade 588b27b7843cc7aa435a83517913259047552662
Riley a394a6c070485dc90b0e0ab3454f5d2ed7939084
Robert c483248a78b05f49784dfff20d714750cb52d0d4
It is clearly visible by hash values that Mike and Robert have the same passwords and hence the same hash value - c483248a78b05f49784dfff20d714750cb52d0d4, which makes the authentication system vulnerable and attackers’ job easier.
How to Salt a Password?
To salt a password, append or prepend the salt (random characters) to the password value and then use a password hashing algorithm.
For example:
Password value is abc123
Salt value is saltQwoptyu@123
After appending or prepending the password salt, the password value will be abc123altQwoptyu@123 or altQwoptyu@123abc123.
The hashes of these passwords will be as follows:
Password with Salt Hash Value
abc123altQwoptyu@123 f32c23b2df9d4b4e368a953e090d8f5c2bc549aa59d61eb4516b3c1904b5b644
altQwoptyu@123abc123 921958c0baa412874c55589381546f11c097f59f186d71150a91725c5a66a112
How Salting Works When User Tries to Log In?
Generally, salt is stored in plain text format with a password hash in the database. Here is the course of actions that take place when a user tries to log in:
User enters the account password.
Application appends or prepends the salt to the password.
Combination of password + salt or salt + password is converted to hash.
The converted hash is verified against the already stored hash for the user profile.
If both hashes match, the user is logged in successfully.
Password Salting and Password Peppering: What’s the Difference?
Let’s first know what password peppering is - a pepper is a random value that is added to a password before it is hashed.
Although password salting and password peppering are similar techniques to add more characters to passwords before hashing them, the following are the major differences between both:
Salt is stored in the database in plain text, while in peppering, pepper value (random characters added to passwords when users create accounts) is not stored in the database.
When the user logs in, the salt is added to the password > converted to a hash > hashed value is verified to complete the login. While in peppering, the application has to run each combination of pepper value and password until the generated hash is verified against the one stored in the database.
Peppering makes password hashes more secure when compared to password salting. Even if attackers gain access to a password database, they will need to run hundreds times more iterations to decode a password hashed with random pepper as compared to a password hashed with salt value.
Password Salt Best Practices
The following are password salting best practices:
Use Unique Password Salts
As we have already discussed in the section above, each password salt should be unique so that it effectively tackles the use case of the same passwords. In such cases, using a unique password salt will create a unique password hash for each user. As a result, it will enhance authentication security.
Don’t Use Username or UserID as Password Salt
Usernames or user IDs are sometimes used as salt for creating the password hash. Although usernames or user IDs are unique, it is not a good choice to use them for password salting because password salts are stored in plain text, and in such cases, attackers can use the rainbow table to crack the password hash.
The bigger risk with this approach is that usernames are frequently reused—almost every website you visit has a user account with the name “super admin” or “admin”. Attackers can target easily using the rainbow tables aiming users with those common names much more straightforwardly and more efficiently.
Mitigate Password Attacks with Salting
Cybercriminals have created a wide range of techniques to get access and decrypt millions of hashed passwords. And such techniques just become better with each data leak.
In the absence of password salting, attackers can use dictionary, rainbow tables, and brute force attacks to decode the password hash. But with salting passwords, these attacks can be effectively mitigated.
Dictionary Attacks
It is a type of brute force attack that can be used to break into a password-protected account by attempting hashes of common passwords, phrases, or combinations and password hashes from past data breaches. Dictionary attacks rely on the commonly used words or passwords so using a good password salt policy helps mitigate the attack as it changes the hash value of those common and dictionary passwords.
Rainbow Tables
Rainbow tables are pre-computed databases of decrypted passwords. This allows an attacker to decrypt any hash they choose and then find the corresponding password that it corresponds with from the database. The attacker just needs to search the database to find the necessary hash. Rainbow tables expand with each data breach, much like dictionary attacks.
Brute Force Attacks
Brute force is the simplest method for cracking hashed passwords. It simply involves guessing every possible password combination and then hashing it through a known hashing algorithm. The brute-force attack is best suited for targeting short passwords and effective for long passwords.
Our Take on Salting
Knowing how to salt passwords is one thing, but understanding and implementing it alone with password hashing is difficult. So in our opinion, it’s best to leave this responsibility to reputable security solutions and suppliers. What does that mean?
It means using third-party identity and authentication solution providers who take care of all authentication needs, including password salting for you. As a result, making authentication safer for your application in lesser time and, at the same instance, not burdening your in-house team with more things to learn and execute.
How can Mojoauth Help?
You have already read our take on salting, but there is one more way to make authentication more secure and user-friendly. That way is utilizing password-free authentication methods on your application. This eliminates the need for learning and implementing any cryptography or encryption standards.
Also, going password-free provides a better experience for your application users. MojoAuth provides easy-to-integrate password-free authentication methods like email magic links, OTPs, biometrics, and passkeys that you can utilize for applications developed in any tech stack. It also takes care of security measures and compliances related to the authentication process.
Top comments (0)