What Is Password Salting & How It Improves Password Security?

by | Jun 3, 2021 | Web Security

what is password salting

Password Salting Makes Your Logins Easier While Making Your Password Simpler, Stronger, Smarter & More Secure

Passwords should be kept private and protected. This is among the most fundamental rules of cybersecurity that almost every internet user knows about (at least in today’s world where a cyberattack isn’t anything new). You should always avoid storing passwords in plaintext as well.

The process of making a secure password is called salting. It’s one of the hashing processes that helps to keep your passwords protected from cyberattacks. For example an attack of 2012’s LinkedIn password breach.

What Is Password Salting?

Password Salting is a technique used to prevent cyberattacks, such as data breaches looking for passwords stored within a database. Password salting adds a string of 32 or more characters to the password and then hashes it. It’s among the most secure techniques to secure passwords that are stored for future authentication without exposing them to a breach.

Furthermore, it’s also essential that all the salted passwords get hashed multiple times for multi-layered protection. In other words, whenever you salt and apply recursive hashing, Rainbow Tables becomes useless and fails to crack any password.

Salting Password Achieves Two Important Things

There are two essential things you can achieve with password salting. which are:

  • Salting ensures that there won’t be a direct connection between hash and a password. Therefore, if an attacker tries decrypting your salted password, the original password remains hidden.
  • Salting a password prevents an attacker who gets access to password hashes from finding out an account that uses the same password.

Password Salting Is Similar to the Second Password

You can say password salting is similar to a second password without two separate passwords for accessing one account. In other words, password salting means two passwords equates to the user’s actual password combined with the salt to form a longer and more complex password. Furthermore, authentication systems store hashes of the password and not the password provided by the user in cleartext. Henceforth, salting proves very helpful.

Let’s understand this with an example…

Here’s How You Can Mitigate a Password Attack Using Salt

Let’s say there’s a user named User1 who has chosen the password P@!!swo$d. Now, the system will hash this provided password and store that hash within a database. Let’s say there’s a predefined hash that has 1234. Though, in reality, the hash is much longer and complex.

Although the password “P@!!swo$d” meets all the criteria and it’s strong, it’s not a secure password because it’s within the password dictionaries. However, salting can be helpful with this.

As mentioned earlier, salt is similar to the second password, and interestingly users aren’t aware of it. For example, $alt!ng is the salt, which won’t be available to the user.

Therefore, before the system hashes the password, it adds a salt similar to the second password. Henceforth, from within the system, the user’s password is stored like this, P@!!swo$d$alt!ng. Although, the user will be able to access the account using his password “P@!!swo$d”.

Once the password is salted, the system will hash that salted password, which means the system will create and store a hash based on that salted password “P@!!swo$d$alt!ng”. Unlike storing the default hash 1234 within the hash database, the system will store another hash 6789. It means the hash 6789 won’t be able to map to the user’s actual password. However, the real hash of the user’s password is 1234.

password salt example
Henceforth, it’ll become inconvenient for an attacker to compute a hash table for every user’s hash. Likewise, it’ll create a significant bottleneck for the attacker. In other words, salt is unpredictable and random that brings the attacker to a halt.

On the other hand, hashing has one issue. If anyone chooses the same password that someone else has already used, then both will have identical hash. Therefore, if hackers gain access to one hash database, they can use such identical hashes to find users who have similar passwords. Likewise, if hackers succeed in cracking one of these accounts, they will be able to gain access to other accounts with the same passwords.

Make the Most of Hashing with Salting

Some of the ways in which you can make the most of the hash by using salt include:

  • Make sure the salt is unique for each user and every single password. For instance, if you use ten different salts, it’ll increase the security of hashed passwords because it increases the computation required for generating lookup tables by a ten’s factor.
  • Avoid using usernames as salt values. For example, usernames are usually predictable and often used for multiple accounts for the users. Therefore, using usernames for salt values will not strengthen security. Furthermore, commonly used usernames such as “root” and “admin” will get looked up easily and can be used to crack password hashes.
  • Ensure every salt has a long salt value equivalent to the length of the output of the hash. For example, if the output size of the hash function is 256 bits or 32 bytes, then try making the length of the salt value of at least 32 bytes. Likewise, use specialized characters with long passwords, which will provide extra security required for user passwords.
  • Try to use a cryptographically secure pseudo-random number generator for salting values to hash passwords. As the name implies, these algorithms are cryptographically secure and generate unpredictable and random salt values.
  • Make sure that a secret key is added to the hash. So, you can validate the password if the known secret key is attached to it. Also, make sure the private key is kept in an external system such as a separate physical server. So, if any hacker tries to hack into the system, they will require access to an external key server to access the internal file systems.

Here’s the Main Reason for Salting Your Passwords

Let’s look at it with an example. For instance, you accept the user’s password and store within the database as plain text or send it over the network. Therefore, if any user enters a password that’s 6 to 8 characters long, then the hacker will be capable of producing pre-generated hashes of all the possible 6-to-8-character length strings. At worse, the hacker may even be able to deduce the password by comparing it with your hash.

But, let say if you append or prepend, for instance, 30 characters to a password and hash it, it’ll become quite difficult for hackers to pre-generate all the possible combinations of that range.

You Can Append or Prepend Salt to Your Password

Yes, it’s possible to append or prepend salt to your passwords. For example, pharma1980Z0O p1nd2mgm5m0 or p1nd2mgm5m0pharma1980Z0O both are valid salted passwords. And, once the salt is added, you can hash it. Let’s look at this in action:

Here’s How You Can Prepend Salt

Password: pharma1980Z0O

Salt: p1nd2mgm5m0

Salted Input: p1nd2mgm5m0pharma1980Z0O

Hash (SHA – 256): de8db0e10072c2963b894fb6346b9bef329e27e6dc594bad9444e13dac0c2b91

Here’s How You Can Append Salt

Password: pharma1980Z0O

Salt: p1nd2mgm5m0

Salted Input: pharma1980Z0Op1nd2mgm5m0

Hash (SHA – 256): 5a4b17608cc94767bf2491df6ba51dd6cc97e5c5241b5783d4fc79117d8eb375

It shows the importance of having unique salts. Results are different in both appending and prepending salts.
Now, let’s see one more example. Let’s see what happens when we append the salt to the password that two users utilize. In other words, if two different users utilize the same password, will the salted passwords be of the same values?

Let’s get into it.

Salting & Hashing Bob’s Password

User Name: Bob

Password: pharma1780p2R

Salt: p1nd2mgm5m0

Salted Input: pharma1780p2Rp1nd2mgm5m0

Hash (SHA – 256): f8d0dcc643f49cf3af4da06453e6700c65d7c976ae90b8e4e0f6e81f5c0017bc

Salting & Hashing Alice’s Password

User Name: Alice

Password: pharma1780p2R

Salt: z3me5ngm6m0

Salted Input: pharma1780p2Rz3me5ngm6m0

Hash (SHA – 256): 0480c95c96927342d62f22c3c342d67f8f3c72082c82c1155ae745b86f8eba78

Looking at the above results, we can say that even if two different users utilize the same password, the salt will be different and generate two separate hash values.

Conclusion – A Quick Recap of Salting

Following the top website security measures out there today is essential, and having strong passwords isn’t something that anyone should take lightly. But, equally, it’s important how you store your passwords on the server.

For instance, hashing your password is one of the vital aspects of securing your password. But today’s advancing online threats are capable of cracking hashed passwords. Therefore, to overcome this issue, salting passwords before hashing and storing them on the server is recommended. Lastly, a few other essential points that you should know about salt are:

  • Salts help create unique passwords, even if more than one user chooses to create the same passwords. Therefore, even if two users utilize the same passwords, the salted hash value will be different, whereas the same hash values are produced if the password is not salted.
  • Salting your passwords helps prevent attacks, such as hash table attacks, by forcing hackers to re-compute the hash values and using the salts for each user.
  • A cryptographic salt is made using random bits added to every password instance before hashing it, making your password strong and secure.