)
)
Contents:
Creating a good password can do a lot to protect your data in case of a data breach. However, even if you create a 20-character random password with symbols and numbers, at some point, the security of your credentials is out of your hands. It all depends on how the service provider stores your passwords.
Unfortunately, even the strongest passwords can be cracked easily if they’re not properly protected. This is because identical passwords produce identical hashes under traditional hashing techniques, which — it goes without saying — makes them vulnerable.
This is where password salting comes to save the day. Essentially, it’s an additional security measure designed to help protect your stored passwords against cyber attacks. But what exactly is a password salt, and how does it enhance the security of your passwords? Let’s dive in and find out.
What is a password salt?
Usually, your passwords are not kept in plain text. Before being stored in the website’s database, they undergo a process called password hashing, which transforms passwords into a random string of characters with a set length. Every time you log into your account, the password is processed through the same one-way hashing algorithm. The outcome is then compared to hashes in the database, and if they match, you are granted access to the account.
While it may seem like a safe way to store passwords, there is a problem. If two passwords match, their hash is identical, which makes it easier to crack. This is where password salting comes in to save the day. A password salt is a random bit of data added to the password before it’s run through the hashing algorithm. A password salt is different for every user, which makes hashes assigned to each password unique as well.
How does password salting work?
Imagine your password is “yellow.” If another user has the same password, the hash output will be the same. But if you add a few random characters to both, you get two different passwords —”yellow#1Gn%” and “yellow9j?L”— with completely different hashes. That’s precisely what sites leveraging password salting do.
)
What types of attacks can be mitigated by password salting?
Cracking a password is basically a guessing game. Hackers try to come up with the right character combination and — if the password is hashed — employ powerful computers to do the work for them. There are three main ways to break a hashed passwords:
Brute-force
Brute-force could be called the most simplistic method to crack hashed passwords. Just as the name implies, it’s just guessing every possible password combination and then running it through a computer program that tries its almost infinite combinations. Once you get a match, you know the original password. Brute force is one of the main reasons your passwords should contain at least 12 characters: brute force attacks usually work best on shorter passwords. The longer passwords are, the more computational power it takes to crack them.
Dictionary attacks
Dictionary attack is a more sophisticated version of brute force. Instead of random guessing, the computer tries the most common password words and character combinations. This is why dictionary attacks get better with every data breach — each time criminals learn more about how we create our passwords.
Rainbow tables
A rainbow table attack is a variation of a brute force attack, in which hackers employ rainbow tables — pre-computed databases of decrypted hash passwords — to break the password hashes in the database. Hackers search through their rainbow tables to find the desired hash. Just like with dictionary attacks, rainbow tables become more successful with each data breach.
Best practices for salting passwords
A robust password salt is quite similar to a strong password: it should be unique, long, complex, and impossible to predict. Here’s what to do to make sure your password salt is reliable:
Make it random: Never use the dictionary words or users’ names as password salt.
Make it complex: Mix uppercase and lowercase letters, numbers, and special characters such as & @ #.
Make it long: Ideally, the length of a password salt should equal the hash output.
Avoid reused salts: A secure password salt is used only once. A new salt should be generated whenever a user changes a password or creates a new account.
Keep the hashes safe: Store the hashes and their corresponding salts in a secure, encrypted format. It is crucial to use robust security measures to protect the database where the salts and hashes are stored to prevent unauthorized access.
Common mistakes to avoid when salting passwords
A password salt can be a way to greatly improve overall security. However, it is important to keep in mind that there are common pitfalls that can undermine the effectiveness of this strategy. Understanding these mistakes is critical if you wish to implement a salting strategy that works. Here are some of the most common mistakes to avoid when salting passwords.
Short, predictable hashes
While salting adds an extra layer of security, the strength of the final hash still matters quite a bit. If the hash is too short or simple, it weakens the overall security of the password storage. Think of it this way: a short hash limits the number of possible hash values, which in turn makes it easier for bad actors to use brute force methods to crack passwords. The same logic applies to simple and predictable hashes. When salting, be sure that the hashing algorithm you choose produces a long and complex output.
Reused hashes
One of the foundational principles of using password salts effectively is uniqueness; each password should have its own unique salt. Reusing hashes across different records is essentially the same as using the same password across multiple sites and services. Reuse of hashes allows bad actors to use techniques like rainbow table attacks in a very efficient way.
Open-source database
While relying on an open-source database for password storage can have its advantages, it is critical to realize that without further security configurations such a database could be a goldmine for cyber crooks. Bad actors more often than not are familiar with common setups of open-source databases and can easily explain known vulnerabilities. So, if you are – or plan to — use an open-source database, make sure to implement strong security measures, customize settings away from defaults, and finally, keep the software up-to-date.
Best practices for password security
Creating strong and unique passwords
The groundwork for great password security starts with creating strong passwords for every account. A strong password should be at least 12 characters long and include a mixture of upper and lower-case letters, numbers, and symbols. Unique passwords are important because they ensure that even if one password is compromised, the other accounts will remain safe.
Enabling multi-factor authentication in password security
Multi-factor authentication (MFA) adds an extra layer of security by asking users to provide two or more verification factors to access their accounts. In most instances, MFA combines something you know (your passwords) and something you have (your smartphone, a tablet, etc.), and in some cases something you are (biometric data such as fingerprint, face). MFA greatly reduces the risk of unauthorized access even if the password is compromised.
Educating users about password hygiene
People need to be aware and clearly understand the risks associated with weak passwords. They should also realize why best security practices such as not reusing passwords on different sites, and having a password manager for your sensitive data can take the security load off their shoulders. Educational initiatives can help reinforce the importance of good password hygiene.
Integrating password salting into organizational security policies
Password salting should be a part of your company’s wider security strategy. Organizations should take the steps and implement policies that require password salts to be unique for each user and ensure that they are stored securely.
Using a reliable password manager
A reliable password manager such as NordPass can greatly improve your life online. Tools like NordPass provide secure storage for your passwords as well as other sensitive data such as personal info, credit cards, and files. For organizations, a password manager such as NordPass Business can greatly improve the overall security posture, get the organization closer to compliance, and generally decrease the risk of unauthorized access.
FAQ
Password salting adds a random string, otherwise referred to as “salt,” to a password before it is hashed. For example, if your password is “sunshine,” a salt might be "G7^Xth,” making the hashed password “sunshineG7^Xth.”
Theoretically, with enough computing and power, cracking a salted password is possible. Password salting primarily fends off precomputed attacks, like those using rainbow tables.
A salt should typically be at least as long as the hash output. For many hashing algorithms, a salt length of 16 characters is common.
Salting improves the security of weak passwords by making them unique; however, salting does not compensate for the lack of complexity. Having strong, complex passwords is still critical.
Hashing converts a password into an irreversible, fixed-size string. Salting adds a random piece of data to the password before hashing, preventing identical passwords from producing the same hash and enhancing security.