
Password Authentication security: using HASH and SALT

Some time ago, E-Crime Expert presented a video tutorial (click here) on how to create strong passwords. That material was addressed to regular users.

Today, E-Crime Expert tries to help regular users (not information security professionals) understand how HASH and SALT help protect their passwords in a database (e.g. at online stores, web applications, email-service providers, online service providers, etc.).

I. HASH

HASH values are commonly used for password authentication and security: the system stores only a “hashed” form of the plaintext password. When a user types in a password on such a system, the password handling software runs it through a cryptographic hash algorithm (which transforms readable data, such as a name, into a fixed-size bit string that looks like a combination of random letters and numbers), and if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access.

The password itself is not stored in the database, only the hash. When the user enters the password, the authentication software compares the hash computed from that password with the existing hash in the database. If they match, the user is granted access.

Example:

Password: Dan

Cryptographic hash function: ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4

The above hash is the correspondent of the user’s password (which is never stored in the database).

Note: the hash string provided above is purely illustrative.

This information security technique is useful for staying protected against dictionary attacks (a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase from likely possibilities, such as words in a dictionary).

II. SALT

When using cryptography for authentication purposes, a SALT consists of random bits (a random sequence of numbers and letters) that form one of the inputs to a one-way function (a function that makes it easy for the authentication software to recognize the legitimate sequence of numbers and letters attached to a password, but hard for a hacker to recover these bits by inverting the string of letters and numbers). The other input is usually the password or passphrase (which is hashed).

Usually a simple SALT comes before the HASH, but with double SALTING there is one SALT before the HASH (the password transformed into a bit string) and another after the HASH.

Example:

Password: Dan

HASH: ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4

Adding SALT: (SALT) aB1cD2eF3G + (HASH) ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4 = aB1cD2eF3G ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4

Double SALTING: (SALT) aB1cD2eF3G + (HASH) ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4 + (Different SALT) Ba23Dg54R9G = aB1cD2eF3G ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4 Ba23Dg54R9G

Note: the HASH string and SALT provided above are purely illustrative.

Without a SALT, a successful SQL injection attack (a code injection technique that exploits a security vulnerability in a website’s software to retrieve the database contents for the attacker) may yield easily crackable passwords. Because many users re-use passwords across multiple sites, the use of a salt is an important component of overall web application security. A further benefit of salted passwords is that a lookup-table-assisted dictionary attack against the stored values becomes impractical.

SALT also makes brute-force attacks (checking all possible keys until the correct one is found) for cracking large numbers of passwords much slower. Without salts, an attacker who is cracking many passwords at the same time only needs to hash each password guess once and compare it to all the stored hashes. With SALT, each password will likely have different salt bits, so each guess has to be hashed separately for each SALT, which is much slower since hashing is generally computationally expensive.
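As an added example (not code from this blog), here is how a salted one-way hash of the kind described in section II is produced at sign-up and checked at login. It assumes PBKDF2-HMAC-SHA256 as the slow one-way function and a random 16-byte salt per user, and it also shows why the same password produces different stored records once a salt is used, which is what defeats lookup tables.

```python
import hashlib
import hmac
import secrets

# Constructed example, not the blog's own code: a salted, deliberately slow
# password hash (PBKDF2-HMAC-SHA256) with a fresh random 16-byte salt per user.
ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return a record 'salt_hex$hash_hex'. The password itself is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)  # different for every user, even with equal passwords
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    salt_hex, stored_hex = record.split("$", 1)
    attempt = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(attempt, bytes.fromhex(stored_hex))


def unsalted_records_collide(password):
    """Without a salt, two users with the same password store identical hashes,
    so one precomputed lookup table entry cracks both at once."""
    user_a = hashlib.sha256(password.encode("utf-8")).hexdigest()
    user_b = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return user_a == user_b


def salted_records_collide(password):
    """With a random salt, the same password yields a different record per user,
    so each record must be attacked separately."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("Dan")
    print("stored record:", record)
    print("correct password accepted:", verify_password("Dan", record))
    print("wrong password rejected:", not verify_password("dan", record))
    print("unsalted hashes collide:", unsalted_records_collide("Dan"))
    print("salted records collide:", salted_records_collide("Dan"))
```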

Note: This article is not intended to offer advice to information security professionals but to help regular readers/users understand how their passwords are protected when using online stores, online services, web-based applications, etc., by presenting the basic and general concept of these key features used for authentication security.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and articles are posted on this blog.

  1. May 1, 2013 at 04:30

    I really like your blog.. very nice colors & theme.
    Did you create this website yourself or did you hire
    someone to do it for you? Plz answer back as I’m looking to construct my own blog and would like to find out where u got this from. kudos
