One of the most fundamental rules of cybersecurity is that passwords should never, ever be stored in plain text. Most authentication mechanisms today rely on password hashing, but while hashing is certainly better than plain text, it’s not perfect. That’s where password salting (not to be confused with password spraying) comes in.
The idea behind hashing is really simple. Rather than storing a password in plain text, the password is processed by a mathematical algorithm that creates a hash of the password. It is this hash, not the password itself, that is stored in the authentication database. When a user logs in, the password he or she enters is hashed using the same algorithm as the one that computed the hash that is stored in the authentication database. If this hash matches the stored hash, then the user entered the correct password and is allowed to login.
With all that said, even a hashed password database can still be vulnerable to things like dictionary attacks and rainbow table attacks. One way to greatly improve password security is to add salt to the hash--otherwise known as password salting.
Password salting accomplish two main things.
First, a salt ensures that there is no direct tie between a password and its hash. If an attacker were to somehow decrypt a salted hash, it would not reveal the original password.
The second thing that password salting does (depending on how password salts are implemented) is prevent an attacker who has gained access to password hashes from determining if any of the accounts uses the same password as another.
Obviously, password salting can go a long way toward making your passwords more secure, but what is a salt and how does it work?
Password Salts Equal Second Password
I tend to think of a password salt as being like a second password. However, this doesn’t mean that there are now two different passwords that provide access to a user’s account. Instead, the two passwords (the user’s real password and the salt) are combined to form a longer and more complex password. Keep in mind, though, that authentication systems don’t store passwords in clear text. They store hashes of the password. This is why salting is so effective. Let me show you an example.
Suppose for a moment that a user named User1 has chosen P@ssw0rd as his password. The system would hash this password and store the hash in a database. Let’s pretend that the hash is 1234, although in reality hashes are much longer and more complex than this.
Although P@ssw0rd might meet all of your organization’s length and complexity requirements, it is not a secure password because it exists in several of the password dictionaries. So, with that in mind, let’s see how salting can help.
As previously mentioned, a salt is kind of like a second password. However, this second password is unknown to the user. Let’s pretend that the salt in this example is G0@way.
Before the system hashes the user’s password, it adds the salt to the password. From inside the system, the user’s password might now be P@ssw0rdG0@way, although, to the user, the password remains P@ssw0rd. The system creates and stores a hash based on the salted password (P@ssw0rdG0@way). This means instead of storing 1234 in the hash database, the system might instead store 6789. In other words, the hash (6789) no longer maps to the user’s actual password (P@ssw0rd). Remember, the user’s password in this example has a hash of 1234.
One of the big problems with hashing is that if two users choose the same password, they will have identical hashes. If a hacker gains access to the hash database, he or she can use those identical hashes to determine which users have passwords that are the same as one another. If the hacker manages to crack one of those accounts, he or she can gain access to the other account.
If an organization were to use a single salt for all accounts, then the problem of duplicate hashes would still exist. As such, many salting solutions use a different random salt for each user account. This means that even if two users have the same password, their salts are different, which means that the stored password hashes will be different in spite of the passwords being the same. And because every user has a different password salt, it is completely impractical for a hacker to try to compute every user’s password.
