Friday, February 24, 2023

The importance of adding salt to hashing password


Passwords are a vital part of online security, but storing them safely is a complex task. A common technique for storing passwords is called hashing, which involves transforming the password into an irreversible, fixed-length string of characters. This means that even if an attacker gains access to the password database, they can't easily retrieve the original passwords. However, hackers can still use sophisticated methods to try to guess passwords, such as by using precomputed tables of commonly used passwords.



To make password storage more secure, it's important to use a technique called salting. Salting involves adding a random string of characters to the password before it's hashed. This makes it much more difficult for attackers to use precomputed tables to guess passwords. Let's take a closer look at how salting works.

Imagine that Alice wants to create an account on a website. She chooses a password, "password123", and the website hashes it using the SHA-256 algorithm, resulting in the hash "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8". The website stores this hash in its database, and Alice can log in with her password whenever she wants.

However, if an attacker gains access to the website's database, they can easily see Alice's hashed password. They might also have a precomputed table of common passwords and their corresponding hashes. In this case, the attacker could quickly look up Alice's hashed password in the table and find out that her password is "password123".

Now let's consider what happens when the website uses salting. When Alice creates her account, the website generates a random string of characters, called a salt. Let's say the salt is "7dh84jdd". The website then concatenates the salt and the password, resulting in "7dh84jddpassword123". This combined string is then hashed using the SHA-256 algorithm, resulting in the hash "a63cfaeb018f07c033f1d7d29956dd2dcffcd9bc9f5d96f93827e8c7fca5f5b5". The website stores this salted hash in its database, along with the salt itself.

Now, if an attacker gains access to the website's database, they can see Alice's salted hash and the salt. However, they can't use a precomputed table to guess her password, because the hash includes the random salt. They would have to use a brute-force attack to try all possible combinations of salt and password, which is much more time-consuming.

In conclusion, adding salt to password hashing is a powerful technique for improving password security. By generating a random salt and concatenating it with the password before hashing, you can make it much more difficult for attackers to guess passwords using precomputed tables. This simple but effective technique can greatly enhance the security of your website or application.

0 comments:

Post a Comment

Please leave your comment here. Làm ơn ghi rõ nguồn khi lấy thông tin từ INFO TECH.

» Có thể sử dụng các tài khoản tại Blogger-Google, LiveJournal, WordPress, TypePad, AIM, OpenID, hoặc sử dụng Tên/URL-Website [có thể bỏ trống URL], hoặc Ẩn danh để đưa ra comemnt - nhận xét, nếu muốn.

» Đặc biệt - có thể đăng trực tiếp ảnh, mp3, video [của youtube] bằng cách copy - paste rõ ràng link trực tiếp của ảnh [.jpg, .gif, .png], mp3 [.mp3], video [từ youtube.com] vào comment form.

» Ngoài ra có thể bấm vào Preview bên dưới comment form để xem trước conment đã viết, trước khi post-đăng. Tương tự, bấm vào Subscribe by email để đăng ký theo dõi comments của bài này.

» Vui lòng đăng những nhận xét lịch sự và cố gắng gõ tiếng Việt có dấu, đúng chính tả nếu có thể. Rất vui vì những comment thiện ý, thanks!

Latest Posts

Label tag

Page copy protected against web site content infringement by Copyscape
 
About Me
Info Tech provies IT tips, Applications, Blogger, Blog, Adsense ... Use Firefox to open this site!