Richard

You're the Salt to my Hash

On Valentine's Day, we're reminded that often life's little (or sometimes not so little) struggles can be less difficult to cope with if we have someone with us to help us through them. Someone who works alongside us, has our back and who just seems to complement us perfectly.


And it's with this in mind today that we're going to look at a couple called hashing and salting. And we'll see that when life gets tough for one, the other is right there to lift them up.


Password security


In general, passwords are stored on servers. When we enter our passwords into websites there needs to be something on the other side that the site can check with and say "Yes, what you have entered matches what I have stored here" or "Sorry, that does not match what I have stored here".


If the site has nothing to check against, it has no way of knowing if what you've entered is correct or not.


You can think of this as being like having your details checked by the concierge at that romantic restaurant you booked. If your details don’t match what they have they won’t let you sit down and eat.

Now, without hashing, those passwords would be stored in plain text. This is a huge problem. If the database containing those passwords is compromised and the plain text passwords leaked, they can be used just as they are to access the site.


This would be like someone leaning over the desk when the concierge is not looking and seeing all the details, and pretending they are a person on the list to get in.

So, to address this problem we use something called hashing.


What is hashing?


When you create a password on a website that uses hashing, the text you enter is converted using an algorithm into something completely different. We call this action ‘hashing’.


For simplicity's sake, let's say you've chosen 'password123' as your password (but in reality, simplicity is never good when it comes to passwords, so please don't use 'password123'!).


A hashing algorithm will convert 'password123' into what looks like a long string of random text and numbers (although they are, of course, not random). We call this string the hash.

String        Hash
password123   EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F


Now, this string of text and numbers, rather than 'password123', is what the site stores as your password. So, every time you type 'password123' in the password field to access the site, it performs the hashing function on what you entered and then compares the resulting hash with what it has stored; if they match, access is granted. Imagine our tech-savvy concierge now stores reservation details by encoding the list: this prevents simple attacks such as looking over the desk.

Password      Stored Hash
password123   EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F


Password Entered   Resulting Hash                                                     Match?
qwerty             65E84BE33532FB784C48129675F9EFF3A682B27168C0EA744B2CF58EE02337C5   No
passwordABC        EAA0F9A2A51706D01E8D18535B610653956EA2EB57060651FC32488CDE419011   No
ilovecats          81A103D766DE77D8A2224FBAB8294CC9E956C8224B30041C668CC98C205B8B82   No
password123        EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F   Yes


So why do we do this?


We all know that, sadly, breaches happen. Servers are maliciously hacked, or password databases may accidentally be left open to the internet as a result of misconfigured tools or servers.


However, if a site is hacked and the passwords are stolen, all the hackers will have is the hashed version of each password. If they were to try to access an account by typing that hash into the password field, the hash itself would be hashed, the result would not match the stored hash, and access would be denied.


Why hashing needs salt


As we've seen, hashing is a great first step.


For a given algorithm, 'password123' will always produce the same hash. What this means is, once a hacker knows the hash value for 'password123' and, let's say, the top 1000 most common passwords, they now have a dictionary of hashes and their respective plain text passwords.


So, the previously useless hashes that were stolen from the website can be looked up in the hacker's new dictionary revealing the plain text password. This can then be used to access the site.

Search for stolen hash: EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F

Hash                                                               Password
65E84BE33532FB784C48129675F9EFF3A682B27168C0EA744B2CF58EE02337C5   qwerty
EAA0F9A2A51706D01E8D18535B610653956EA2EB57060651FC32488CDE419011   passwordABC
EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F   password123   (match)
81A103D766DE77D8A2224FBAB8294CC9E956C8224B30041C668CC98C205B8B82   ilovecats

I mentioned a dictionary of the 1000 most common passwords, but in practice, attackers will have various dictionaries containing millions of password/hash pairs.


This leads us on to salting.


What is salting?


At this point, hashing alone is far too easy an obstacle for hackers to overcome. It needs something added to it. And just like in cooking, this comes in the form of salting.



We know that common passwords are far too widely used, and this makes generating a hash/plain text dictionary easy.


What if we make the password more complex regardless of what the end-user inputs?

Well, that's what salting does.


For better or worse the end-user has chosen 'password123' for their password. So, before it's hashed, a random string of text is added to it, and it becomes 'password123rkjsdfo47kbfs2'. The salt can be added to the beginning or the end of the password.

Password      Salt             Combination
password123   rkjsdfo47kbfs2   rkjsdfo47kbfs2password123
password123   rkjsdfo47kbfs2   password123rkjsdfo47kbfs2

An attacker will definitely have the hash of 'password123' in their dictionary, however they are far less likely to have the hash of 'password123rkjsdfo47kbfs2'.


The salt should be different for every password created. That way, if two people happen to have the same password, the added salt would still result in the two passwords having unique hashes.


This will also prevent an attacker from knowing that the same password has been used multiple times, as every hash will be different.
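As an added example (not code from the original post), the following Python reproduces the three situations described above: the unsalted hash lookup, a fresh per-user salt, and verification against the stored salt. It uses SHA-256 so the values match the post's tables; it assumes the salt is prepended as raw bytes, and in a real system a deliberately slow password hash (PBKDF2, bcrypt or Argon2) would replace the single SHA-256 call.

```python
# Added example, not from the original post: unsalted vs. salted password
# hashing. SHA-256 is used so the values match the hashes in the tables above;
# production systems should use a slow password hash (Argon2, bcrypt, PBKDF2).
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def sha256_hex(text: str) -> str:
    """Upper-case hex SHA-256 of text, formatted like the post's tables."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest().upper()


# --- Unsalted storage: the same password always yields the same hash ---
def unsalted_record(password: str) -> str:
    return sha256_hex(password)


def build_lookup(common_passwords: Iterable[str]) -> Dict[str, str]:
    """The dictionary described above: hash -> plain-text password."""
    return {sha256_hex(p): p for p in common_passwords}


def recover_from_lookup(stolen_hash: str, lookup: Dict[str, str]) -> Optional[str]:
    """Look a stolen hash up in the dictionary; None when it is not there."""
    return lookup.get(stolen_hash.upper())


# --- Salted storage: a fresh random salt for every password ---
def salted_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Store the salt next to the hash of salt || password (salt prepended)."""
    salt = os.urandom(16) if salt is None else salt  # assumed 16-byte random salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest().upper()
    return {"salt": salt.hex(), "hash": digest}


def verify_salted(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest().upper()
    return hmac.compare_digest(candidate, record["hash"])


COMMON = ["qwerty", "passwordABC", "ilovecats", "password123"]  # constructed sample list

if __name__ == "__main__":
    lookup = build_lookup(COMMON)
    print("unsalted lookup:", recover_from_lookup(unsalted_record("password123"), lookup))
    alice, bob = salted_record("password123"), salted_record("password123")
    print("same password, different hashes:", alice["hash"] != bob["hash"])
    print("salted hash found in dictionary:", recover_from_lookup(alice["hash"], lookup))
    print("verify alice:", verify_salted("password123", alice))
```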


It is very important to understand that salting and hashing only protect the password if it is stolen from the site; they do not improve a bad password! If attackers enter your email/username and guess the password (whether manually or using a password-cracking dictionary), they will get access to your account. A strong password is needed to protect your account from being compromised; salting and hashing protect how it is stored by the site. For more information on how to create a strong password, see our guidance here and our blog post here.


One final thought


While individually hashing or salting cannot accomplish the task of securing our passwords, together, working hand in hand, they become more than the sum of their parts and are able to rise to the challenge.


So, as well as password security, what else can we learn from hashing and salting this Valentine’s Day?


You don't need to go through life alone. The one who sticks by you, helps you out, builds you up may be a romantic partner, but not necessarily. We can all benefit from someone being there for us whether that's a partner, friend, family member, pet, community member or colleague.


Often, just like salting and hashing, we work better together.


