With the rise in cybersecurity threats, having a strong, secure password has become more critical than ever. In fact, did you know that the key reason behind 80% of data breaches in 2019 was password compromise?
Even though “password-protected” electronic devices and accounts are considered safe, studies show that your personal and other highly confidential data are more susceptible to hacker attacks. This often happens when the users choose to use passwords that are relatable and easy to remember. Also, 65% of users tend to reuse passwords across multiple sites.
No matter how evolved your password generation technology is, the hackers are also getting smarter. This paves the way for better authentication mechanisms, like password hashing.
Password hashing can reduce the number of unauthorized access to your database by creating original passwords which are not leaked or available to the hackers. It basically means carrying out a non-reversible transformation of the plain password into a fixed-length alphanumeric string called hashed password.
For example,
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542
This can be done using hashing algorithms. These hashed passwords are stored in the authentication database. Whenever you log in, the entered password is hashed using the same algorithm and matched with the stored hash. If it matches, then you will be able to access the data.
Even though password hashing does solve one of the most common issues related to password security, it is not completely secure. Since we are using the same hash algorithm, one input will always produce the same output. This means if the hackers can crack the password of one account, they can access all other accounts bearing the same password, making your electronic devices and accounts vulnerable to a data breach.
The hashed passwords can be cracked with:
Cyber attackers use files containing common words, phrases, passwords that are most likely to be used as a password. And each word in the file is hashed and matched with the password hash to access the account.
Here, the attackers try out every possible combination of the password characters, up to a particular length. It is basically a trial-and-error to guess method.
In this method, the password hashes are pre-computed with a password dictionary. This will be stored along with their password in a lookup table data structure, using which you can carry out hundreds of hash lookups per second.
At first, the attackers will build a lookup table with the password hash of user accounts. Then another table containing hashes with guessed passwords is also created. Then these two are compared to guess the original password.
It is similar to the look-up table technique, but in this case, the lookup table is smaller, allowing faster password search.
This means that the security of the hashed passwords should be improved. And this can be done with salted password hashing.
Password Salt is the method of adding a random string to your password before passing it through a hash function. This string can be either appended or prepended. This will help in producing a unique hash value even for the same password.
For example,
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab
This means that the attackers won’t be able to guess the salt or random string, and the various hash hacking methods like lookup tables, reverse lookup tables, and rainbow tables will not work this time.
The problem with the password salt is that the protection offered by it is limited. For example, suppose the hacker is hacking with a credential stuffing attack, which is the same as a brute force attack where the attacker will try out every possible combination of the password characters. In that case, the legitimate server will be carrying out salting and hashing. Thus, even the salting of passwords cannot help you from the inevitable data breach.
Also, if two users in an organization opt for the same password, there will be identical hashes. This means that if the hacker gains access to the hash database, they will be able to determine which users have identical passwords. And they will be able to hack into both the user accounts by cracking one. The same can happen if all the user accounts in an organization use a single-use single salt.
Therefore, while implementing password salt, make sure that you are using an entirely different random salt for each user account.
Another method similar to salting passwords is adding some pepper to them. Here, a secret key is added to the password before it is hashed.
In this digital era, where data has become so valuable, it is important to adopt technologies that can prevent critical data from falling into the wrong hands. And password salt is one of the most effective ways to make your passwords more safe and secure.