What is password salting?

Adding random data to passwords before hashing, also known as password salting, is a security measure for storing passwords. This technique frustrates typical password attacks and makes it more difficult for attackers attempting to compromise user accounts.

Understanding password salting

Password salting is a technique used in cryptography and computer security to enhance the security of stored passwords. When a user creates an account or updates their password, the system generates a random string of data called a "salt." Using a cryptographic hashing algorithm, this salt is combined with the user's password before being hashed (transformed into a fixed-length string of characters). 

The purpose of salting passwords is to defend against various attacks, including rainbow table attacks and dictionary attacks. Salting prevents rainbow table attacks by adding unique data to each password before hashing, ensuring that even if two users have the same password, their hashed values will be different due to the unique salts.

Furthermore, salting prevents attackers from identifying identical passwords across multiple accounts, as each account's password is salted differently. This complicates the process for attackers trying to crack passwords, significantly increasing the time and computational resources required to brute-force passwords.

Read more: What is a brute-force attack?

How does password salting work?

Password salting works by adding "salt" to a user's password before it is hashed. Here's how password salting works:

1. User registration or password update: When a user creates a new account or updates their password, the system generates a unique salt for that specific user.
2. Combining salt with password: The system then takes the user's password and combines it with the generated salt. This creates a longer input string that includes both the original password and the salt.
3. Hashing: The combined string (password + salt) is then passed through a cryptographic hash function. This function converts the input string into a fixed-length string of characters that represents the hash value. 
4. Storage: The hashed password, along with the salt, is stored in the system's database. Both the hashed password and the salt are associated with the user's account.
5. Authentication: When the user attempts to log in, they provide their password. The system retrieves the corresponding salt for that user from the database.

Types of password salting

There are primarily two types of password salting techniques commonly used in practice:

• Static salt: In this approach, a single, fixed salt value is used for all passwords stored in the system. This salt remains constant for all users and does not change over time. While using a static salt is better than not salting passwords at all, it has some drawbacks. If an attacker gains access to the salt value, they can create rainbow tables or dictionary attacks specific to that salt, compromising all passwords in the system. 
• Dynamic salt: In dynamic salting, a unique salt is generated for each user when they create an account or update their password. This salt is then securely stored alongside the user's hashed password in the database. Because each user has a unique salt, even users with the same password will have different hashed values stored in the database. This prevents attackers from using precomputed tables effectively and significantly increases the computational effort required to crack passwords. Dynamic salting is considered more secure than static salting because it provides individual protection for each user's password.

Additionally, within these types, there are variations in how salts are implemented, such as the length of the salt, the method of generating the salt (e.g., using cryptographic random number generators), and how the salt is combined with the password before hashing. 

These variations depend on factors such as the specific cryptographic hashing algorithm used and the security requirements of the system. Regardless of the type or implementation, the primary goal of password salting is to enhance the security of stored passwords by making them more resistant to various cryptographic attacks.

See also: HIPAA Compliant Email: The Definitive Guide

Password salting tips and best practices 

• Use cryptographically secure random number generators (CSPRNGs): Ensure that the method used to generate salts produces high-quality random data. CSPRNGs should be used to generate unpredictable and statistically indistinguishable salt values.
• Generate unique salts for each user: Assign a unique salt to each user when they create an account or update their password. 
• Store salts securely: Salts should be securely stored alongside the hashed passwords in the database. Ensure that access controls and encryption are in place to protect the salts from unauthorized access or disclosure.
• Use sufficiently long salts: Salts should be long enough to provide effective protection against cryptographic attacks. A common recommendation is to use salts of at least 16 bytes (128 bits) in length.
• Combine salts with passwords before hashing: Combine the salt with the user's password before applying the cryptographic hashing function to ensure that the salt is effectively incorporated into the hashing process.
• Choose strong hashing algorithms: Use well-established cryptographic hashing algorithms, such as SHA-256, bcrypt, or Argon2, for password hashing. These algorithms are designed to resist various cryptographic attacks and are recommended for secure password storage.
• Consider iterative hashing: In addition to salting, consider using techniques like key stretching or iterative hashing to further increase the computational cost of password cracking attempts.
• Regularly review and update security practices: Stay informed about the latest developments in cryptography and security best practices. Regularly review and update your organization's password storage practices to adapt to emerging threats and vulnerabilities.
• Implement multifactor authentication (MFA): Consider implementing MFA in addition to password salting to provide an extra layer of security for user accounts.
• Educate users about password security: Educate users about the importance of choosing strong, unique passwords and encourage them to follow password security best practices, such as avoiding password reuse and using password managers.

FAQ’s

Is it possible to crack a salted password?

To crack a salted password, the attacker should know both the hash and salt values. This makes it harder to crack hashes.

How are salted passwords stored?

The salt and the password (or its version after key stretching) are concatenated and fed to a cryptographic hash function, and the output hash value is then stored with the salt in a database.