Today, E-Crime Expert tries to help regular users (not information security professionals) understand how a HASH and a SALT help protect their passwords in a database (e.g. online stores, web applications, email-service providers, online service providers, etc.).
Password authentication commonly relies on a HASH: the system stores only a “hashed” form of the plaintext password, never the password itself. When a user types a password on such a system, the password-handling software runs it through a cryptographic hash algorithm (a one-way function that turns readable data, such as a name or a password, into a fixed-size bit string that looks like a random combination of letters and numbers). If the hash value computed from the user’s entry matches the hash stored in the password database, the user is permitted access.
The password itself is not stored in the database, just its hash. When the user types the password into the login form, the authentication software hashes it and compares the result to the hash already stored for that user. If they match, the user is granted access.
Stored hash value: ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
The above hash corresponds to the user’s password (which is never stored in the database).
Note: the hash string above is purely illustrative.
This technique protects the passwords if the database itself is copied: an attacker who steals the table gets hashes, not passwords, and a cryptographic hash cannot be run backwards. On its own, however, a plain hash is still exposed to dictionary attacks (a dictionary attack defeats a cipher or authentication mechanism by trying likely passwords or keys, such as words in a dictionary, rather than every possibility); the SALT described next is what makes those attacks expensive.
When cryptography is used for authentication, a SALT is a string of random bits (a random sequence of numbers and letters) that forms one input to a one-way function; the other input is the password or passphrase. A one-way function is easy to compute in the forward direction, so the authentication software can quickly recompute the hash from the password and the salt, but practically impossible to invert, so a hacker who holds only the output cannot work back to the password or the salt.
The SALT is mixed with the password before hashing, and the stored record keeps the salt next to the resulting HASH so the same computation can be repeated at the next login:
SALT (random, one per user): aB1cD2eF3G
HASH = hash(SALT + password): ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
Stored record: aB1cD2eF3G ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
What is sometimes called double SALTING adds a second random value (a different SALT, Ba23Dg54R9G):
hash(aB1cD2eF3G + password + Ba23Dg54R9G) = ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
Stored record: aB1cD2eF3G Ba23Dg54R9G ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
Either way every SALT is an input to the hash function, not something glued onto its output, and changing any salt changes the whole hash even when the password stays the same.
Note: the HASH string and SALTs provided above are purely illustrative.
Without a SALT, a successful SQL injection attack (a code injection technique that exploits a security vulnerability in a website’s software to pull the database contents out to the attacker) may yield easily crackable passwords: the stolen hashes can be compared against a precomputed table of hashes of common passwords. Because many users re-use passwords for multiple sites, the use of a salt is an important component of overall web application security. A salted password also makes a lookup-table-assisted dictionary attack against the stored values impractical, because a separate table would have to be built for every salt.
SALT also makes brute-force attacks (trying every possible password until the correct one is found) for cracking large numbers of passwords much slower. Without salts, an attacker who is cracking many passwords at the same time only needs to hash each password guess once and compare the result to all the stored hashes. With SALTs, each user’s password will almost certainly have a different salt, so each guess has to be hashed separately for every salt, which is much slower since a password hash is chosen to be computationally expensive.
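The whole flow described above (store only salt and hash, re-hash the typed password at login, and the attacker’s cost against a leaked table with and without salt) as an added example; this is not code from the E-Crime Expert article. It assumes PBKDF2-HMAC-SHA256 from Python’s standard library as the one-way function and a plain dict in place of the site’s database; the usernames, passwords and word list are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the E-Crime Expert article. Assumptions made
# here for illustration: a Python dict stands in for the site's user table,
# and PBKDF2-HMAC-SHA256 from the standard library is the one-way function.
ITERATIONS = 10_000  # kept small so the demo runs fast; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way function: password + salt in, fixed-size 32-byte digest out."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_store(credentials: dict, salted: bool) -> dict:
    """Create user records holding only {salt, hash}; the password is never kept.

    salted=False reproduces the weak design where every user gets the same
    (empty) salt, so equal passwords produce equal stored hashes.
    """
    users = {}
    for username, password in credentials.items():
        salt = secrets.token_bytes(16) if salted else b""  # fresh random salt per user
        users[username] = {"salt": salt, "hash": hash_password(password, salt)}
    return users


def verify(users: dict, username: str, password: str) -> bool:
    """Login check: re-hash the typed password with the stored salt and compare."""
    record = users.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(candidate, record["hash"])


def dictionary_attack(records: dict, wordlist: list) -> tuple:
    """Attacker's view of a leaked table (e.g. after SQL injection).

    A guess hashed under one salt only matches users sharing that salt, so
    the cost is (number of distinct salts) x (number of words). With no
    salt there is a single group and each word is hashed once for everyone.
    Returns (cracked {user: password}, number of hash computations).
    """
    by_salt = {}
    for user, rec in records.items():
        by_salt.setdefault(rec["salt"], []).append(user)

    cracked, work = {}, 0
    for salt, group in by_salt.items():
        for word in wordlist:
            work += 1  # one hash per (salt, word) pair
            digest = hash_password(word, salt)
            for user in group:
                if records[user]["hash"] == digest:
                    cracked[user] = word
    return cracked, work


# Constructed sample data for the demonstration; not real accounts or a real leak.
CREDENTIALS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "letmein", "qwerty", "football"]


def demo(salted: bool) -> dict:
    """Build a store, run a login check, then attack the leaked records."""
    users = build_store(CREDENTIALS, salted)
    cracked, work = dictionary_attack(users, WORDLIST)
    return {
        "login_ok": verify(users, "alice", "password"),
        "wrong_password_rejected": not verify(users, "alice", "Password"),
        "alice_and_bob_share_a_hash": users["alice"]["hash"] == users["bob"]["hash"],
        "cracked": cracked,
        "hash_computations": work,
    }


if __name__ == "__main__":
    for salted in (False, True):
        print("salted" if salted else "unsalted", demo(salted))
```

Run as a script, it shows that without salt the attacker hashes the five guesses once and cracks alice and bob together, whose stored hashes are identical; with per-user salts the same word list costs fifteen hash computations, the two records differ, and every additional user adds a full pass over the word list. PBKDF2 is used here because it needs no third-party package; a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual production choice.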
Note: This article is not intended to offer advice to information security professionals but to help regular readers/users understand how their passwords are protected when using online stores, online services, web-based applications, etc., by presenting the basic and general concept of these key features used for authentication security.
Any questions can be submitted to: firstname.lastname@example.org
Additional information can be found at: www.e-crimeexppert.com
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog