What Is a Password Salt and How it increases security of Password Hashing?

Ideally What is salt "NaCL" or "Crypto Text" about CyberSecurity?

A crypto salt is a piece of random data added to a password before it is hashed and stored.

Adding a pinch of salt (Not NaCl but in crypto a random value) to stored passwords is a security process used alongside the hashing of passwords before they are stored. By adding salt to your application password, you can prevent even the strongest password attacks.

Hashing and salting of passwords and cryptographic hash functions ensure the highest level of protection.

Let's See How password hash works?

When a user registers and creates an account for the first time on a website, the user's password is fragmented into a different key string value using some mathematical function which is called hashing, and then it is stored in an internal file system(generally a DB) in encrypted form.

When the user logs on to the website later, the password they enter is again hashed and matched with the password hash stored in the database. If the hash matches, then eureka! the user is granted access. If hash verification fails, the user will be prevented from signing in to the website.

Hashing can be done by different hashing techniques, like MD5 Hashing, etc.

If it's secure, then what's the issue?

The hash tables are designed to be fast, but not secure, hence any hacker can use different tools available on the Internet to quickly recover passwords from these common hashes. Currently, there are many different ways to crack password hashes - these are:

1. Dictionary attacks
2. Brute-force attacks
3. Lookup tables
4. Reverse lookup tables
5. Rainbow tables.

On the server system, the hashed passwords will look like this

hash("StudyTonight") = 7DE682C3BB4B3E58F83F3C9A893A8C373CA0D71F58E79E1D81

hash("AbhiTonight") = 3E58F83F3C9A8933A0D71F58E79EA0D71F58E79EA0D71F58E79E

hash("StudyTonight") = 7DE682C3BB4B3E58F83F3C9A893A8C373CA0D71F58E79E1D81

So from the above example, it could be noted that the hash values of "StudyTonight" password users are identical.

Yes, for the same string value, the hash generated is always the same. But that is required because then only the system will be able to match the password values when the user logs in the next time.

Password Hashing with Salt

What you saw in the example above, was hashing the password string directly and that would give us the same hashcode always. Hence, if two different users enter the same password, they will get the same hashcode generated for their password.

But this can be avoided by adding a salt string with the password string.

What is Plain Text?

Plain text means that the string or text is available directly as plain text, without security, that is directly stored in the database.

For example, "StudyTonight" = "Studytonight"

If you have a database that contains passwords as plain text, you can read them the same way you can read the text on this page.

What is a Salt?

As we know, if two users choose the same password on Signup, the same hash code will get generated for them by default. If we convert the password text directly to hashcode, the attackers can break into the system by deploying programs to guess the password text.

Attackers use powerful precomputed computer tables that feed all possible values into a hashing algorithm. These tables are also available for purchase online. Using these tables, an attacker can look up a stolen hash value (such as a password) and perform a reverse lookup attack to find the original value.

Therefore, to add an extra layer of security, you need to add random text values to the user password text, to make it different every time. This random text value or random string value is called Salt.

For example, if you provide a password 'Studytonight', then the system generates a random string of let's say 5 characters and append it to your password and then generates the hash code. Yes, in the database, this salt is also saved, in a separated DB table generally, so that every time a user enters their password to log in, this string is added and then the hashcode is generated to match.

In this case, even if the database table containing the user account passwords is leaked online, attacker cannot convert the hashcode back to the original password.

If every user gets a unique salt on signup then this will protect the password from being reverse lookup for the hashed values.

For Example:

hash("StudyTonight" + "83F3") = B4B3E58F83F3C9A893A8C373CA0D71F58E79E1D81

hash("AbhiTonight" + "A8C3") = 9A8933A0D71F58E79EA0D71F58E79EA0D71F58E79E

hash ("StudyTonight" + "D71F") = B4B3E58F83F3C9A893A8C373CA0D71F58E79E1D81

So now we can see that for every user with the password "StudyTonight" there is a different hashed value.

In conclusion, Salt is added to passwords to increase its uniqueness to the hash process without increasing requirements at the user level and to increase its complexity to mitigate password attacks on hash tables.

Some points to better implement Hashing and Salting

• Salts help in creating unique passwords when two users choose the same password.

• Salts help mitigate hash table attacks by forcing attackers to recalculate them using salt for each user.

• Make sure the salt is unique for every user and every password.

• Salt enhances the security of hashed passwords by increasing the computational power required to generate the lookup table by a factor of ten using ten different salts.

• If the salt is stored separately from the password, it then adds complexity & also makes it difficult for a hacker to reverse engineer the password. However, for the highest level of security, use a unique salt generated for the same user each time he/she changes his/her password.

We hope this article clears your confusion around Salt and Passwords, how hashing works, and how you can build a strong system to prevent password leaks.