Learning Password Security Jargon: Password Salt

Creating a good password can do a lot in protecting your data in case of a data breach. However, even if you create a 20-character random password with symbols and numbers, at some point, the security of your credentials is out of your hands. It all depends on how the service provider stores your passwords.

We talked before about why it’s bad to keep passwords in plain text — to meet even the most basic security criteria, they must be hashed. But it’s a constant cat and mouse game between hackers and cybersecurity experts. With each data breach, criminals get better at cracking hashed passwords, so cryptographers now use an additional security measure — salts.

What is a password salt?

Your passwords usually aren’t kept in plain-text form. When you log in to your account, the password runs through a one-way hashing algorithm, which turns it into an unrecognizable, completely different string of characters. That string is then compared to the hash stored for your account in the database, and if they match, you get access to the account.

While it may seem like a safe way to store passwords, there is a problem. If two passwords are the same, their hash is identical, which makes it easier to crack. This is where password salting comes in. A password salt is a random bit of data added to the password before it’s run through the hashing algorithm.

Imagine your password is ‘yellow.’ If another user has the same password, the hash output will be the same. But if you add a few random characters to both, you get two different passwords — ‘yellow#1Gn%’ and ‘yellow9j?L’ — with completely different hashes. But how does it make them harder to crack?

Attacking unsalted passwords

Over the years, cybercriminals have developed a myriad of ways to break in and crack millions of hashed passwords. And with each data breach, those methods only get better. There are three main ways to break a hashed password that has not been salted.

Brute-force. Brute-force could be called the most simplistic way to crack hashed passwords. It’s just guessing every possible password combination and then running it through a hashing algorithm. Once you get a match, you know the original password. Brute force works best with shorter sets of characters. The longer passwords are, the more computational power it takes to crack them.

Dictionary attacks. A dictionary attack is a more sophisticated version of brute force. But instead of completely random guessing, the computer tries the most common password words and character combinations. This is why dictionary attacks get better with every data breach — each time, criminals learn more about the way we create our passwords.

Rainbow tables. Rainbow tables are pre-computed databases that map password hashes back to the passwords that produce them. So a hacker can simply search the database for the hash they want to reverse. Just like with dictionary attacks, rainbow tables grow bigger with each data breach.

Mitigating Password Attacks with Salt

So how do security experts actually fight these attacks? First and foremost, by using the latest and most secure hashing algorithms. Hashing functions like MD5 and SHA-1 are generally considered to be crackable — bcrypt and SHA-2 are safer choices. The latest algorithms hash passwords numerous times, which makes them more difficult to crack.

On top of secure functions, using a salted hash is a must. A salted password hashed through a secure algorithm is nearly impossible to break. However, this is not to say that your passwords are completely safe. You can’t be 100% sure how your service providers store passwords. So always follow the best security practices — create truly random passwords, never reuse your credentials on different accounts, and change your password immediately following a data breach.
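The salting and repeated hashing described above, as an added example that is not code from the original article: it stores the ‘yellow’ password for two constructed accounts with and without a salt, then verifies a login against the stored salt. PBKDF2 with SHA-256 from Python's standard library stands in for the slow algorithm, and the iteration count, salt size and account names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: example work factor, tune for your hardware
SALT_BYTES = 16       # assumption: 128-bit random salt, one per stored password


def unsalted_hash(password):
    """Single SHA-256 pass, no salt: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, key). A fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, stored_key):
    """Re-derive the key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def demo():
    # Constructed sample data: two accounts that chose the same password.
    unsalted = {user: unsalted_hash("yellow") for user in ("alice", "bob")}
    salted = {user: hash_password("yellow") for user in ("alice", "bob")}
    # Hashes computed ahead of time without any salt (a tiny lookup table).
    precomputed = {unsalted_hash(w) for w in ("yellow", "password", "123456")}
    alice_salt, alice_key = salted["alice"]
    return {
        "unsalted_match": unsalted["alice"] == unsalted["bob"],
        "salted_match": salted["alice"][1] == salted["bob"][1],
        "unsalted_in_table": unsalted["alice"] in precomputed,
        "salted_in_table": alice_key.hex() in precomputed,
        "login_ok": verify_password("yellow", alice_salt, alice_key),
        "login_wrong": verify_password("yelloW", alice_salt, alice_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is stored next to the derived key in the database; it does not need to be secret, only unique per password.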
