On Valentine's Day, we're reminded that often life's little (or sometimes not so little) struggles can be less difficult to cope with if we have someone with us to help us through them. Someone who works alongside us, has our back and who just seems to complement us perfectly.
And it's with this in mind today that we're going to look at a couple called hashing and salting. And we'll see that when life gets tough for one, the other is right there to lift them up.
Password security
In general, passwords are stored on servers. When we enter our passwords into websites there needs to be something on the other side that the site can check with and say "Yes, what you have entered matches what I have stored here" or "Sorry, that does not match what I have stored here".
If the site has nothing to check against, it has no way of knowing if what you've entered is correct or not.
You can think of this as being like having your details checked by the concierge at that romantic restaurant you booked. If your details don’t match what they have they won’t let you sit down and eat.
Now, without hashing, those passwords would be stored in plain text. This is a huge problem. If the database containing those passwords is compromised and the plain text passwords leaked, they can be used just as they are to access the site.
This would be like someone leaning over the desk when the concierge is not looking and seeing all the details, and pretending they are a person on the list to get in.
So, to address this problem we use something called hashing.
What is hashing?
When you create a password on a website that uses hashing, the text you enter is converted using an algorithm into something completely different. We call this action ‘hashing’.
For simplicity's sake, let's say you've chosen 'password123' as your password (but in reality, simplicity is never good when it comes to passwords, so please don't use 'password123'!).
A hashing algorithm will convert 'password123' into what looks like a long string of random text and numbers (although they are, of course, not random). We call this string the hash.
| String | password123 |
| --- | --- |
| Hash | EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F |
Now, this string of text and numbers, rather than 'password123', is what the site stores as your password. So, every time you type 'password123' in the password field to access the site, it performs the hashing function on what you entered and then compares the resulting hash with what it has stored; if they match, access is granted. Imagine our tech-savvy concierge now keeps the reservation list in encoded form; this prevents simple attacks such as looking over the desk.
| Password | password123 |
| --- | --- |
| Stored Hash | EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F |

| Password Entered | Resulting Hash | Match? |
| --- | --- | --- |
| qwerty | 65E84BE33532FB784C48129675F9EFF3A682B27168C0EA744B2CF58EE02337C5 | ❌ |
| passwordABC | EAA0F9A2A51706D01E8D18535B610653956EA2EB57060651FC32488CDE419011 | ❌ |
| ilovecats | 81A103D766DE77D8A2224FBAB8294CC9E956C8224B30041C668CC98C205B8B82 | ❌ |
| password123 | EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F | ✅ |
So why do we do this?
We all know that, sadly, breaches happen. Servers are maliciously hacked, or password databases may accidentally be left open to the internet as a result of misconfigured tools or servers.
However, if a site is hacked and the passwords are stolen, all the hackers will have is the hashed version of each password. If they were to try to access an account by entering that hash in the password field, the hash itself would be hashed again, the result would not match the stored hash, and access would be denied.
Why hashing needs salt
As we've seen, hashing is a great first step.
For a given algorithm, 'password123' will always produce the same hash. What this means is, once a hacker knows the hash value for 'password123' and, let's say, the top 1000 most common passwords, they now have a dictionary of hashes and their respective plain text passwords.
So, the previously useless hashes that were stolen from the website can be looked up in the hacker's new dictionary revealing the plain text password. This can then be used to access the site.
Search for hash: EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F

| Hash | Password |
| --- | --- |
| 65E84BE33532FB784C48129675F9EFF3A682B27168C0EA744B2CF58EE02337C5 | qwerty |
| EAA0F9A2A51706D01E8D18535B610653956EA2EB57060651FC32488CDE419011 | passwordABC |
| EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F | password123 |
| 81A103D766DE77D8A2224FBAB8294CC9E956C8224B30041C668CC98C205B8B82 | ilovecats |
I mentioned a dictionary of the 1000 most common passwords, but in practice, attackers will have various dictionaries containing millions of password/hash pairs.
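The two ideas above, the site's hash-and-compare login check and the reason a leaked unsalted hash can be reversed by lookup, as an added Python example (this is not code from the original post; the four-entry dictionary is a constructed stand-in for the much larger lists the post mentions, and SHA-256 in upper-case hex is used to match the post's tables):

```python
import hashlib
import hmac

# Constructed toy list standing in for the attacker's dictionary of common
# passwords described in the post (assumption: only these four entries).
COMMON_PASSWORDS = ["qwerty", "passwordABC", "ilovecats", "password123"]


def hash_password(password: str) -> str:
    """Unsalted SHA-256 of the password, as upper-case hex like the post's tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()


def verify_password(entered: str, stored_hash: str) -> bool:
    """Login check: hash what was typed and compare it with the stored hash.

    compare_digest runs in constant time, so the comparison itself leaks
    nothing about how many leading characters happened to match.
    """
    return hmac.compare_digest(hash_password(entered), stored_hash)


def build_lookup_table(passwords) -> dict:
    """Precompute hash -> plaintext once; with no salt it works against every site."""
    return {hash_password(p): p for p in passwords}


def reverse_leaked_hash(leaked_hash: str, table: dict):
    """Recover the plaintext behind a leaked unsalted hash, or None if it is not in the table."""
    return table.get(leaked_hash.upper())


if __name__ == "__main__":
    stored = hash_password("password123")
    print("stored hash:", stored)
    for attempt in ["qwerty", "passwordABC", "ilovecats", "password123"]:
        print(f"{attempt:12} -> match: {verify_password(attempt, stored)}")
    table = build_lookup_table(COMMON_PASSWORDS)
    print("leaked hash reversed to:", reverse_leaked_hash(stored, table))
    # A constructed password that is not in the toy dictionary is not reversed.
    print("uncommon password reversed to:",
          reverse_leaked_hash(hash_password("not-in-the-dictionary"), table))
```

Note that the lookup table costs the attacker nothing per victim: because the same password always gives the same unsalted hash, one table built in advance applies to every site that stores passwords this way, which is exactly the weakness salting removes.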
This leads us on to salting.
What is salting?
At this point, hashing alone is far too easy an obstacle for hackers to overcome. It needs something added to it. And just like in cooking, this comes in the form of salting.
We know that common passwords are far too widely used, and this makes generating a hash/plain text dictionary easy.
What if we make the password more complex regardless of what the end-user inputs?
Well, that's what salting does.
For better or worse the end-user has chosen 'password123' for their password. So, before it's hashed, a random string of text is added to it, and it becomes 'password123rkjsdfo47kbfs2'. The salt can be added to the beginning or the end of the password.
| Password | Salt | Combination |
| --- | --- | --- |
| password123 | rkjsdfo47kbfs2 | rkjsdfo47kbfs2password123 |
| password123 | rkjsdfo47kbfs2 | password123rkjsdfo47kbfs2 |
An attacker will definitely have the hash of 'password123' in their dictionary; however, they are far less likely to have the hash of 'password123rkjsdfo47kbfs2'.
The salt should be different for every password created. That way, if two people happen to have the same password, the added salt would still result in the two passwords having unique hashes.
| Password Entered | Resulting Hash | Match? |
| --- | --- | --- |
| qwerty | 65E84BE33532FB784C48129675F9EFF3A682B27168C0EA744B2CF58EE02337C5 | ❌ |
| passwordABC | EAA0F9A2A51706D01E8D18535B610653956EA2EB57060651FC32488CDE419011 | ❌ |
| ilovecats | 81A103D766DE77D8A2224FBAB8294CC9E956C8224B30041C668CC98C205B8B82 | ❌ |
| password123 | EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F | ✅ |
This also prevents an attacker from knowing that the same password has been used multiple times, as every hash will be different.
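Salting as just described, as an added Python example (not code from the original post): each new password gets its own random salt from the operating system, the salt is prepended before hashing as in the post's 'rkjsdfo47kbfs2password123' form, and the salt is stored next to the hash so the site can repeat the same steps at login. The 16-byte salt length and the four-entry attacker dictionary are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16  # assumption: 16 random bytes per password, stored hex-encoded


def generate_salt() -> str:
    """A fresh random salt for each new password, drawn from the OS CSPRNG."""
    return os.urandom(SALT_BYTES).hex()


def hash_with_salt(password: str, salt: str) -> str:
    """Prepend the salt and hash the combination (the post's 'salt + password' form)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest().upper()


def unsalted_hash(password: str) -> str:
    """Plain SHA-256, the unsalted form an attacker's dictionary is built from."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()


def store_password(password: str) -> dict:
    """What the site keeps per user: the salt (it need not be secret) and the salted hash."""
    salt = generate_salt()
    return {"salt": salt, "hash": hash_with_salt(password, salt)}


def verify_password(entered: str, record: dict) -> bool:
    """Re-apply the user's stored salt to the input and compare digests in constant time."""
    return hmac.compare_digest(hash_with_salt(entered, record["salt"]), record["hash"])


def demo() -> dict:
    """Two users pick the same weak password; show what per-user salting changes."""
    alice = store_password("password123")
    bob = store_password("password123")
    # Constructed attacker dictionary of unsalted hashes, as in the post.
    lookup = {unsalted_hash(p): p
              for p in ["qwerty", "passwordABC", "ilovecats", "password123"]}
    return {
        "same_hash_for_same_password": alice["hash"] == bob["hash"],        # False
        "alice_login_ok": verify_password("password123", alice),            # True
        "bob_login_with_alice_hash": verify_password(alice["hash"], bob),   # False
        "unsalted_hash_in_dictionary": unsalted_hash("password123") in lookup,  # True
        "salted_hash_in_dictionary": alice["hash"] in lookup,               # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points worth keeping in mind when reading this. The salt is not a secret: it is stored in the clear beside the hash, and its whole job is to make a precomputed dictionary useless, since the attacker would need a separate table per salt. And a single SHA-256 pass is deliberately kept here to match the post, but it is fast enough that an attacker can still test a very large number of guesses against one salted hash; production systems feed the salt into a deliberately slow password hashing function such as PBKDF2, bcrypt, scrypt or Argon2 for that reason.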
It is very important to understand that salting and hashing only protect the password if it is stolen from the site; they do not improve a bad password! If attackers enter your email/username and guess the password (whether manually or using a password-cracking dictionary), they will get access to your account. A strong password is needed to protect your account from being compromised; salting and hashing protect how it is stored by the site. For more information on creating a strong password, see our guidance here and our blog post here.
One final thought
While, individually, neither hashing nor salting can accomplish the task of securing our passwords, together, working hand in hand, they become more than the sum of their parts and are able to rise to the challenge.
So, as well as password security, what else can we learn from hashing and salting this Valentine’s Day?
You don't need to go through life alone. The one who sticks by you, helps you out, builds you up may be a romantic partner, but not necessarily. We can all benefit from someone being there for us whether that's a partner, friend, family member, pet, community member or colleague.
Often, just like salting and hashing, we work better together.