
What is Password Salting: A Savory Way to Secure Your Secrets


I recently stumbled upon two reports that piqued my curiosity. The first is the Imperva Bad Bot Report 2021. According to this report, 34% of login attempts are malicious bots. That is quite alarming. The second is Verizon’s 2021 Data Breach Investigations Report. According to that report, login credentials were the most sought-after data, accounting for 60% of all data breaches.

These and many other related reports are eye-opening. They teach us how essential password security is. This article explains one of the most critical elements of password security: password salting.

What is Salting a Password?

Password salting is a password protection technique in which a string of random characters or integers is added to a password before it is hashed. The technique increases the complexity of stored passwords and forces each one to be unique without placing any extra requirements on users. The goal is to boost password strength.

Storing passwords in plaintext in a database is one of the gravest mistakes you can make. It is like keeping your company’s intellectual property in a filing cabinet accessible to anyone who knows where to look.

How Does Password Salting Make your Passwords Safe?

Hashing a password without a salt simply produces a hash value for that password. But have you ever wondered what happens when two people use the same password? Applying a hash function to two identical passwords produces two identical hash values, and that is risky. Suppose one of the two passwords falls victim to a password attack; the attacker now knows the hash value that every other account with that password shares and can use it to build lookup tables. This is not the case when passwords are salted.

Salting a password means one or more random characters or integers are added to the password before it is hashed. The salt is usually unique to every password input, so even if two or more people have the same password, the resulting hashes differ once the salt is added.

Let us look at a practical example of how password salting works. Consider a salted password as shown in the image below.

Assume you have used h@ckpr00f as your original password (as shown above). Adding a salt to the original password before hashing produces a hash that is completely different from the unsalted hash and from the hash of any other account using the same password. No one, including an attacker, can recognize the password once the salt is added.

Why Password Salting is Important

Salting a password achieves two major things. First, it ensures there is no direct connection between a password and its hash, so the original password remains concealed even if an attacker tries to reverse a salted hash. Second, salting prevents attackers who gain access to the password hashes from discovering other accounts that use the same password.

To see the benefits of password salting, let’s compare three techniques for storing passwords and see which one is the most reliable from a security perspective.

  • Storing passwords in plaintext: You can keep passwords in their original form without hashing or salting. This is the most insecure form of password storage, as it is vulnerable to attack. A simple brute-force attack can reveal the password, and attackers will be in the account in no time. Passwords stored in plaintext are also exposed by SQL injection and XML injection attacks, among many other forms of password attack.
  • Hashed but unsalted passwords: Second, you can store passwords that are hashed but not salted, i.e. store each password’s hash value instead of the password. This technique is also insecure and prone to attack. As already mentioned, users can share identical passwords, which leaves such hashes vulnerable to rainbow table and dictionary attacks.
  • Storing passwords as salted hashes: This technique stores a unique hash for every password. The hash values cannot practically be reverse-engineered because of the time and sheer processing power required, and salting the hashes prevents rainbow table attacks.
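The following is an added example (not code from the original article) that puts the two-users-one-password scenario and the storage comparison above into working Python. It uses only the standard library; the user names and the password h@ckpr00f are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two accounts that happen to choose the same password.
SAMPLE_USERS = {"alice": "h@ckpr00f", "bob": "h@ckpr00f"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords always produce identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt per account from the OS CSPRNG, never a fixed system-wide value."""
    return secrets.token_bytes(nbytes)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes each output unique, the iteration count slows guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """Record to persist. The salt is not secret; this demo keeps it in the same record."""
    salt = make_salt()
    return {"salt": salt.hex(), "hash": salted_hash(password, salt).hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def compare_storage(users: dict) -> tuple:
    """Return (unsalted, salted) records so the two schemes can be compared side by side."""
    unsalted = {name: unsalted_hash(pw) for name, pw in users.items()}
    salted = {name: store_password(pw) for name, pw in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = compare_storage(SAMPLE_USERS)
    print("unsalted hashes equal:", unsalted["alice"] == unsalted["bob"])  # True
    print("salted hashes equal:", salted["alice"]["hash"] == salted["bob"]["hash"])  # False
```

Run it and the unsalted column shows alice and bob with the same hash, while the salted column shows two unrelated values that still both verify against h@ckpr00f.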

What Attacks Can Password Salting Minimize?

1. Dictionary attacks

A dictionary attack is a form of password attack where attackers use a predefined set of common words and their simple variations to try and crack a password.

Attackers will try an extensive range of words, from common pet names and favorite football teams to ordinary words from the dictionary (hence the name dictionary attack).

They will also try changing the words (for example, the word password could appear as P@ssw0rd).

2. Credential stuffing attacks

A credential stuffing attack is a password attack where attackers leverage stolen or compromised passwords (user credentials) to bypass a system’s authentication process.

Credential stuffing attacks are highly automated and rely on bots, working on the assumption that most users reuse passwords across many platforms.

3. Database lookup attacks

This type of password attack involves attackers sending SQL attack statements to a website’s database to trick the site into giving out valuable information.

Valuable information in this regard might include passwords and other login credentials.

4. Brute force attacks

Brute force is a trial-and-error form of password attack. Attackers try out many username-password combinations until they crack their way into an account.

They hope one of the combinations will work and grant them access to a victim’s account.

5. Rainbow table attacks

Salting passwords also helps to prevent rainbow table attacks. A rainbow table attack is a password-cracking method that uses a special precomputed table to crack database passwords. A rainbow table is built from a hash function and stores the hash values of sensitive data such as passwords and login credentials.

Famous Data Breaches Due to Unsalted Passwords

One should never underestimate the power and importance of salting passwords. Companies that have ignored password salting have ended up as victims of some of the most devastating breaches.

Here are a few examples of previous breaches that occurred as a result of unsalted passwords.

1. The LinkedIn Data Breach of 2012

The LinkedIn data breach of 2012 compromised over eight million passwords. As it turned out, the passwords had been hashed but not salted. Attackers cracked the LinkedIn hashes and got away with millions of user credentials.

2. Adobe Password Leakage in 2013

Adobe leaked nearly 130 million passwords and login credentials. Although the passwords had been encrypted, they had not been hashed, nor were they salted. Hackers found it easy to crack the passwords using brute force, rainbow table and dictionary attacks.

3. The LinkedIn Password Leakage of 2016

Barely four years after the first password leakage in 2012, LinkedIn fell victim to yet another password attack in 2016. The second attack compromised over 117 million passwords. As in the first breach, the passwords had been hashed but not salted.

Password Salting Tips and Best Practices

Here are a few tips you can employ to make the best use of password salting and hashing and boost password security.

  • Give every user or password a unique salt. A unique salt for every password increases the work an attacker must do, since each hash has to be attacked separately, and so makes the passwords even harder to crack.
  • Store salts in a different location from the passwords. Separate storage locations help the passwords withstand reverse-engineering attacks.
  • Make the salt at least as long as the hash output. Long salt values are preferred because they can withstand reverse engineering.
  • Include a secret key in the hash function. With a secret key mixed into the hash, password validation cannot be done unless the secret key is known.
  • Avoid using a system-wide salt. Such salts allow attackers to use hash tables to recover passwords and help them compromise accounts.

A Little Information on Peppering

We have talked about salting extensively. Remember, we used the analogy of salt seasoning food to explain salting. If you want to add some extra flavor to your food, you go a little further and add some pepper. Peppering is another term from cryptography and password security.

Peppering adds a secret to a password hash (like a salt). But unlike a salt, a pepper is secret and is not unique per user. Peppers are stored together with hashed passwords; it is, however, crucial to ensure they are stored in a different location from salts. A hardware security module would be a great storage location. We will cover more on password peppering in subsequent posts. Please keep checking our site for updates.
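As an added example (not from the original article) covering both the "include a secret key in the hash function" tip above and peppering, the Python below mixes a secret pepper into the salted hash with HMAC. The environment variable name PASSWORD_PEPPER and the fallback value are assumptions for the demo; in production the pepper would come from an HSM, KMS or the service's own secret store, never from the database holding the hashes.

```python
import hashlib
import hmac
import os
import secrets

# Constructed pepper: loaded from an environment variable here as a stand-in for an
# HSM or secret store. The fallback value exists only so the demo runs offline.
PEPPER = os.environ.get("PASSWORD_PEPPER", "demo-pepper-not-for-production").encode("utf-8")


def pepper_password(password: str, pepper: bytes) -> bytes:
    """Mix the secret pepper in with HMAC so the hash cannot be checked without it."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def salted_peppered_hash(password: str, salt: bytes, pepper: bytes,
                         iterations: int = 200_000) -> bytes:
    """Per-user salt (unique, not secret) plus pepper (secret, shared) feeding PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pepper_password(password, pepper), salt, iterations)


def register(password: str, pepper: bytes = PEPPER) -> dict:
    """Build the record to persist. The pepper is deliberately absent from it."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": salted_peppered_hash(password, salt, pepper).hex()}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Validation needs the stored salt and hash AND the secret pepper; compare in constant time."""
    candidate = salted_peppered_hash(password, bytes.fromhex(record["salt"]), pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    record = register("h@ckpr00f")
    print("correct password, correct pepper:", verify("h@ckpr00f", record))  # True
    print("correct password, wrong pepper:  ", verify("h@ckpr00f", record, b"other"))  # False
```

Someone who steals the database rows gets the salt and the hash but still cannot validate guesses without the pepper, which is the property the tip about a secret key describes.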

Conclusion

You have probably read articles explaining password best practices, such as choosing strong passwords over weak ones. But it is essential to understand that password security does not end with using strong and unique passwords. Admins have a role to play in safeguarding stored passwords, because poorly stored passwords are susceptible to breaches.

The best strategy is to salt all passwords before storing them. This article has explained the concept of password salting in full.
