Menu
I just learned the concept of hashing ("Hey! don't forget the salt!") and using salt to make the password secured.
Hashing it is a one way encryption (actually not encryption but hashing) so it cannot be reversed engineered. Salting is prefixing or appending randomly created values to the password before hashing 'coz the problem in hashing (just hashing) is, some genius has provided a hash table of words from the dictionary so that they'll just compare the hash from that dictionary to the user's table from the database to login - W-wait? did I say table from the database? So it means somebody can access the database so we have to use salt? If that so, then why would the hacker recover the password if he already has access to the database? If I were him, I'll just get all the details I want from the database, why would I use the key I've stolen from a house to open the door if I can access the house already through the window?
So, why hash? why salt? I don't understand. Please, somebody help me.
Thanks in advance.
Important Note: I'm not against hashing or salting, I just want to clarify things.
697
Salting the hash is crucial because it ensures that the encryption process results in a different hash value, even when two passwords are the same. If salt is not added to the hash, then an attacker can make certain conclusions.
What is salting? Salting is the process of adding a unique value to the end of a password before hashing takes place. Salting the hash is crucial because it ensures that the encryption process results in a different hash value, even when two passwords are the same. If salt is not added to the hash, then an attacker can make certain conclusions.
However, the combination of a salt and a password may lead to the same "string" or hash in the end and the hash will be exactly the same, so make sure to use a combination of salt and password where two different combination won't lead to the same hash.
By salting the hash, you protect password lists against brute force attacks. A brute force attack is a technique where a cybercriminal uses a computer or several computers (botnet) to attempt every possible combination of numbers and letters until a password is found.
If that so, then why would the hacker recover the password if he already has access to the database?
Reasons are many. Here are a few:
People reuse their passwords, so not leaking everybodys real passwords does limit the impact of such attack.
Without the real passwords, the hacker will still not be able to log in and, say, post new entries on the hacked system.
Who says all information is stored in the database? What if the database solely consisted of the user name and hashed/salted passwords? Then, knowing the content doesn't help much.
147
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
