salting - dwilson2547/wiki_demo GitHub Wiki

Salting is a critical technique used in cryptography, especially for securely storing passwords. It adds an extra layer of protection against common attacks like rainbow tables and brute force. Let’s dive into salting in detail:

• 1. What Is Salting?
• 2. Why Use Salting?
  • A. Prevents Rainbow Table Attacks
  • B. Protects Against Brute Force Attacks
  • C. Mitigates Collisions
• 3. How Salting Works
  • Step-by-Step Process
• 4. Types of Salting
• 5. Best Practices for Salting
• 6. Example: Salting in Code (Python)
• 7. Salting vs. Peppering
• 8. Common Mistakes to Avoid
• 9. Real-World Example: Database Storage

• Salt is a random, unique value added to each password before hashing.
• The same password will produce different hashes when salted differently.
• Salts are stored alongside the hashed password in the database.

• Rainbow tables are precomputed tables of hashes for common passwords.
• Without salting, an attacker can look up a hash in a rainbow table to find the original password.
• Salting makes precomputed tables useless because each password has a unique salt.

• Even if two users have the same password, their hashed values will differ due to unique salts.
• This forces attackers to crack each password individually.

• Reduces the likelihood of two different inputs producing the same hash (collision).

1. User Creates a Password

   • Example: "mypassword".

2. System Generates a Unique Salt

   • Example: "x7Fk9L" (random string for each user).

3. Combine Password + Salt

   • Example: "mypasswordx7Fk9L".

4. Hash the Combined String

   • Use a slow hashing algorithm like bcrypt or Argon2:

     bcrypt("mypasswordx7Fk9L") → "$2a$10$N9qo8uLOickgx2ZMRZoMy..."
     

5. Store the Salt and Hash

   • Save both the salt ("x7Fk9L") and the hash ("$2a$10$N9qo8uLOickgx2ZMRZoMy...") in the database.

6. Verification During Login

   • When the user logs in, retrieve their salt from the database.
   • Combine the input password with the salt and hash it.
   • Compare the result to the stored hash.

• Use Cryptographically Secure Random Salts

  • Generate salts using secure methods (e.g., os.urandom in Python or SecureRandom in Java).

• Store Salts Securely

  • Salts don’t need to be secret, but they should be stored safely alongside hashes.

• Use Long Salts

  • A salt should be at least 16 bytes (128 bits) to ensure uniqueness.

• Combine with Slow Hashing

  • Use algorithms like bcrypt, Argon2, or PBKDF2 to slow down brute force attacks.

import os
import bcrypt

# Step 1: Generate a random salt
salt = bcrypt.gensalt()

# Step 2: Hash the password with the salt
password = b"mypassword"
hashed_password = bcrypt.hashpw(password, salt)

# Step 3: Store `salt` and `hashed_password` in the database

# Step 4: Verify a password during login
input_password = b"mypassword"
if bcrypt.checkpw(input_password, hashed_password):
    print("Password matches!")
else:
    print("Password does not match.")

• Pepper is a secret key stored separately (e.g., in an environment variable).
• Example: hash(password + salt + pepper).

• Reusing Salts: Always use a unique salt for each password.
• Short Salts: Use salts of at least 16 bytes.
• Storing Salts Insecurely: Treat salts like sensitive data.
• Using Fast Hashing Algorithms: Avoid MD5 or SHA-1 for passwords; use bcrypt or Argon2.

Would you like to explore how salting integrates with specific hashing algorithms or dive into a practical implementation in another programming language?