password-key

Salt, Pepper, and Hashing: Three Ingredients to Secure Passwords

Our password travels on a boat in an open ocean that everyone has access to. Therefore we must secure that boat as well as possible. In this article, I will show you how this boat ( your password ) is secured from hackers in an open ocean of the internet.

How Does Your Password Travel Over the Internet?

password-over-internet

Before diving into the techniques that keep your password secure, let’s understand how it travels over the internet. When you create an account on a website, your password is encrypted and sent to the server for storage. This process involves transferring your password through various networks, making it susceptible to interception by attackers.

When a user enters their password on a website or an application, several steps are taken to ensure its security during transmission over the internet:

Below are the Steps of How your password Travels over the internet

  1. Encryption: The first step in the process is to encrypt the password. Encrypting a password means converting it into a long string of random characters that can later on be decrypted, to get the same password as before.
  2. Secure Socket Layer/Transport Layer Security (SSL/TLS): To establish a secure connection between the user’s device and the server, websites and applications use SSL/TLS protocols. SSL/TLS encrypts the data transmitted between the user and the server, including the password. This encryption ensures that even if someone intercepts the data, they won’t be able to decipher it.
  3. Hashing: Once the encrypted password reaches the server, it is commonly stored in a hashed format. Hashing is a one-way process that converts the password into a fixed-length string of characters. The hash function takes the password as input and generates a unique output, known as the hash value or hash code. This hash value is stored in the server’s database instead of the actual password.

What is Hashing?

text-to-hash

Imagine you and your friend want to communicate with each other, but don’t want anyone else to understand your talk, so you create your special top-secret signs that only you and your friend know.

Let me give you another example, In movies when one thief goes inside a house the other thief stays and watches out for any danger. If he sees someone coming he starts barking like a dog so that his partner inside knows that someone is coming.

In both the above scenarios the actual message gets converted to something else like a sign or dog bark.

In the digital world, hashing works in a similar way. When you create an account on a website, the password you choose goes through a hashing process. The website takes your password and applies a specific algorithm to convert it into a unique hash value. This hash value is then stored securely on their servers instead of your actual password.

For example, let’s say your password is “watdadogdoing69” 😂. The hashing algorithm will process this password and generate a hash like “323b0af108d37bffbea17c26c6cb8500”. ( This is md5 hash btw 🤗)

Now, whenever you log in to that website, your password is hashed again and compared to the stored hash. If the hashes match, the website knows that you entered the correct password without actually storing your original password anywhere.

It’s important to note that hashing is a one-way process, meaning you can’t retrieve the original data from the hash. This makes it ideal for password storage, as it adds an extra level of protection against potential data breaches.

Salting Your Password

While hashing makes it challenging to obtain the original password, it is not foolproof. Hackers can use precomputed tables, known as rainbow tables, to quickly find the original password from its hash. To counter this, salts are introduced. A salt is a random string of characters that is added to the password before hashing. As a result, even if two users have the same password, their hashes will be different due to the unique salt added to each password.

Peppering on TOP

In addition to salting, the concept of pepper is used to enhance password security. Pepper is like an extra layer of protection applied to the password before hashing. Unlike the salt, which is stored alongside the hashed password in the database, the pepper is kept secret and stored separately. This adds another layer of complexity for attackers trying to crack the password.

I know you didn’t get it, so I will explain you in simple terms. Just like salt which adds random values to the password before hashing it, pepper also adds values to the password. The difference between them is that salting adds unique and random characters to the password while peppering adds specific characters to the passwords.

From the above statement, you might wonder, why even bother to use pepper, salt is unique for each password use it instead. But this is not the case, why? go to the Salting VS Peppering section.

MD5 Hash Generation and Its Working

One commonly used hashing algorithm is MD5. It takes an input (in this case, your password) and produces a fixed-length hash value as output. Despite its widespread use in the past, MD5 is considered relatively weak today due to its vulnerability to collision attacks. It’s crucial to use stronger hashing algorithms, such as SHA-256, SHA-512 or Bcrypt, for enhanced security.

Hacking a Hash

Hackers employ various techniques to crack hashes and obtain the original passwords. These include brute-force attacks, dictionary attacks, and rainbow table lookups. However, by using strong hashing algorithms, unique salts, and secret peppers, the difficulty of hacking a hash is significantly increased, making it a time-consuming and resource-intensive task for attackers.

How Secure is Hashing?

hash-collision

Now you know what Hashing is, so it’s time to differentiate between different hashing algorithms. There are loads of hashing algorithms in the market and different hashing algorithms use different methods to produce a hash.

Learn How the MD5 hashing algorithm works: Creating and Breaking MD5 Hash

In this section, we will discuss the security of different hashing algorithms, like MD5, SHA-256, SHA-512, and Bcrypt. Hash functions are widely used in various applications to ensure data integrity and password storage. However, not all hash functions are equally secure.

MD5

MD5 is a widely used hash function but is considered insecure for certain applications, particularly in cryptographic contexts. MD5 is susceptible to collision attacks, where different inputs can produce the same hash output. This means that it is possible to find different inputs that result in the same MD5 hash value. Consequently, MD5 is no longer recommended for cryptographic purposes. But it is fast and due to this it is used in multiple scenarios eg. Checksums, File Authentication, Hash Tables, Digital Signatures etc.

Creating and Breaking MD5 Hash

We will see how MD5 is created and why it is not considered secure anymore. How Hackers have managed to Hack the Hashes…

SHA-256 and SHA-512

SHA-256 (part of the SHA-2 family) and SHA-512 are widely used secure hash functions. They are considered to be significantly more secure than MD5. These algorithms are designed to provide a high level of resistance against collision attacks. While it is theoretically possible to find collisions for these algorithms, the computational resources required to do so are currently beyond the reach of practical attacks.

Therefore, using SHA-256 or SHA-512 for hashing purposes is generally considered secure for most applications. These algorithms are widely used in various security protocols and cryptographic applications.

Bcrypt

Bcrypt is a specialized hash function designed specifically for password hashing. It incorporates a built-in salt and a cost factor, which makes it inherently more secure against brute-force attacks and rainbow table attacks. Bcrypt is intentionally computationally expensive, which helps to slow down the hashing process and makes it more difficult for attackers to crack passwords.

Compared to MD5, SHA-256, and SHA-512, Bcrypt is generally considered to be more secure for password hashing. However, it is important to use an appropriate cost factor to ensure that the Bcrypt hashing process is sufficiently slow to deter attackers.

In summary, while MD5 is considered insecure for cryptographic purposes, SHA-256, SHA-512, and Bcrypt are much more secure hashing algorithms. SHA-256 and SHA-512 are suitable for general-purpose hashing, while Bcrypt is recommended for password hashing due to its additional security features.

Remember, the security of your hash also depends on other factors such as the strength of your password and the overall security practices you employ in your application.

Sources:

Salting vs Peppering

From above you know what salt and pepper are and how they are used in the hashing process. Now I will explain their importance, and why both are necessary for secure credential storage.

The salt is unique for each password, which means we will have to save the salts in a database with the corresponding passwords to get the same hash. Now imagine the database got breached and the attacker got access to the hashs and the salts.

Sure I know it is still gonna take a lot of time for the attacker to crack the hash using brute force. But what if the password was not that complex? No one creates a solid password anyway because it is hard to remember.

In case of a breach, the salts might also get in possession of the attacker. To overcome this problem we could use pepper with the salts to make them extra secure because the pepper is a fixed string of characters that is not stored in the database. The pepper is instead stored somewhere else more securely like maybe in a configuration file or a secure database.

Tips to Improve Your Security

Let me give you some basic common tips that you have probably heard a dozen times before 😁.

  • Use a combination of uppercase and lowercase letters, numbers, and symbols in your passwords.
  • Avoid using easily guessable passwords, such as your name, birthdate, or common words.
  • Use unique passwords for different accounts to minimize the impact of a potential breach.
  • Consider using a password manager to securely store and generate complex passwords.

Conclusion

In conclusion, securing our passwords is crucial in the ever-expanding ocean of the internet. By implementing techniques like salting, peppering, and using strong hashing algorithms, we can significantly enhance the security of our passwords. Additionally, following best practices and regularly updating passwords can further bolster our defences against potential attacks. Remember, protecting your password is like securing a boat on an open ocean.

Leave a Reply

Your email address will not be published. Required fields are marked *