Meaning of salting passwords for your accounts
Salting passwords is the process of adding a random data sequence to each password before it is stored. It guarantees unique output for identical passwords and protects against several attacks. The salt’s length varies, but it is usually 32 or more characters.
However, salting rarely works alone: it is paired with hashing to make the protection more robust. Hashing and salting passwords are therefore popular techniques that companies adopt to store users’ passwords safely.
What does salting passwords mean?
Salting passwords refers to adding salt to the password a user submits, in the sense of enhancing its flavor. This sequence of bits is attached to the cleartext password, usually before hashing.
For instance, a password like 1234567890 could become 1234567890^5dHd%f#1hfg4$T6FRY&3dfgbc433 after salting.
Here, the ^5dHd%f#1hfg4$T6FRY&3dfgbc433 suffix is glued to the password to strengthen its resistance against attacks.
Salting also guarantees that identical passwords chosen by multiple users hash to different values. Furthermore, it can mitigate rainbow table and dictionary attacks.
So, correctly hashing and salting passwords can protect users’ credentials from exploitation after data breaches.
How does password salting work?
Salting passwords is an intricate procedure, and it is almost always paired with hashing. Here is how the combination works, step by step:
- You take a plaintext password and hash it by running it through a mathematical hash function.
- You get a hash of the password, but that alone is not enough. Although hashes cannot be reversed, attackers can precompute hashes of likely passwords and use them in dictionary attacks.
- Salting takes the hashed password and appends a random string to it. The salted hash is then hashed again.
- Alternatively, the password can be salted before it is hashed.
- On its own, salting would only append a random sequence to the password. Combined with hashing, however, it gives a much more secure way to store passwords or other data.
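As an added example (not code from the original article), the following Python follows the salt-before-hashing variant from the steps above and contrasts it with an unsalted, fast hash. The 32-byte salt, the choice of PBKDF2-HMAC-SHA256 as the slow hash, and the sample users are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "1234567890", "bob": "1234567890"}


def unsalted_md5(password: str) -> str:
    """Weak legacy scheme: no salt and a fast hash, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def make_salt(length: int = 32) -> bytes:
    """Per-user random salt from the OS CSPRNG; 32 bytes is an assumed length."""
    return secrets.token_bytes(length)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salt before hashing. PBKDF2-HMAC-SHA256 is an assumed choice of slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str) -> dict:
    """The record a service keeps: the salt is stored alongside the hash, not hidden."""
    salt = make_salt()
    return {"salt": salt.hex(), "hash": salted_hash(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = salted_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, expected)


def identical_passwords_collide(hasher, users=USERS) -> bool:
    """True when users sharing a password end up with the same stored hash."""
    digests = {hasher(pw) for pw in users.values()}
    return len(digests) < len(users)


if __name__ == "__main__":
    print("unsalted MD5 collides:", identical_passwords_collide(unsalted_md5))
    print("salted hash collides:", identical_passwords_collide(lambda pw: store(pw)["hash"]))
    rec = store("1234567890")
    print("correct password:", verify("1234567890", rec), "wrong password:", verify("wrong", rec))
```

Because the salt is random per user, a leaked table of salted hashes cannot be attacked with one precomputed list; each record has to be attacked separately.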
What are the differences between hashed, salted, and encrypted passwords?
Hashing and salting passwords together represent a more resilient way to store them. In general, the combination makes stored passwords unique and more complex. Moreover, it places no additional security requirements on users’ shoulders.
Nevertheless, salting passwords is not the only option for protecting credentials.
- Encryption means that information gets scrambled into an unreadable format. It is two-way cryptography: encryption is not final and can be undone, but only with the authorized key for decryption.
- Peppering resembles salting, as it also aims to change the flavor of the password by adding a random sequence of data to it. However, unlike the salt, the pepper is not stored in the database alongside the hash. Generally, salting is the more common approach.
- Hashing refers to converting data into a sequence of characters known as a hash. It is a one-way procedure, meaning there is no way to reverse the transformation. The only way to get back to the plaintext is to guess candidates, hash them, and compare the results.
Do services still store passwords in plaintext?
Modern digital services use hashing, salting, or encryption to protect users’ information. In some cases, however, none of these protections is present, usually because of poor development decisions. For instance, a service might store passwords in plaintext so that it can send the original password back to users who forget it.
Instead, services should handle password recovery through emails containing links with randomly generated tokens. That URL takes users to a site that authenticates their identity and lets them create a new password.
Luckily, most digital services have already adopted this more security-focused approach.
Incidents involving unsalted passwords
In 2021, a car maintenance company named XADO had its customers’ data leaked. Sadly, the service hashed passwords but skipped salting them. The chosen hashing algorithm (MD5) was also on the weaker side. Therefore, experts predicted that numerous brute force attacks would follow the incident.
Another breach involved a Minecraft community called Lifeboat in 2016. It suffered a leak of 7 million unsalted MD5 passwords. In 2021, Thingiverse also experienced a similar breach, exposing 228,000 physical addresses, names, email addresses, and unsalted hashed passwords.
Sadly, it is not always clear how digital services store passwords. Missing hashing, encryption, or salting, or a faulty implementation of them, can trigger a wave of brute force attacks.
How can you protect passwords and accounts?
Hashing and salting passwords is one of the security standards users hope services uphold. Nevertheless, never trust a provider fully, especially since many might still use weaker hash functions or skip salting.
While you cannot guarantee that service providers follow industry-standard practices, you can still protect your accounts yourself.
- Set complicated passwords that can resist dictionary attacks. The best option for strong credentials is avoiding words and choosing random sequences.
- Enable two-factor authentication or other additional security settings. 2FA can protect your account even if passwords leak. Additionally, some services still include security questions as a way of authenticating logins.
- Never use the same password for multiple accounts. If a service’s hashing and salting fail, your credentials could leak in plaintext, and brute force attacks on your other accounts can follow.
- If a password leaks, change it immediately. If you have reused it, change it for every account.
- Store account credentials in password managers. Such tools simplify the management of multiple unique passwords.