Passwords are a crucial part of user authentication and are used to protect sensitive information. When a user creates a password, it is hashed and stored on a server to prevent the possibility of malicious actors revealing the password in case of a server breach or data leak. Password hashing is done using hashing algorithms such as SHA-256, SHA-512, bcrypt, PBKDF2, and others.
Hashing is the process of converting the password into a fixed-length string of characters using a mathematical function. The hash is then stored on the server’s database, along with the user’s username or email.
A hash is the result of applying a hashing algorithm to a password. Hashes are irreversible, meaning that the original password cannot be obtained from the hash. To check a password during login, the server hashes the password entered by the user and compares it to the saved password hash.
To protect passwords from dictionary or brute-force attacks, a salt is used – an additional random string that is added to the password before hashing. Using a salt complicates password cracking, even if an attacker has access to password hashes on the server.
Below are examples of passwords and hashes with and without salt, using various hashing algorithms:
Password: password123
SHA-256 (without salt):
5f4dcc3b5aa765d61d8327deb882cf99e1b1b24760caea4198ea5d5a7e0c4ea9
SHA-256 (with salt: d5e5f7c5):
6328f244b7474a22d2b98fb6b4a4c17d6e30305d64e3c2c8e0d57dbd90f6a24a
Password: qwerty123
SHA-256 (without salt):
b4763cc3b90019c833fcd68633dcf2ea9eaa9f40c83a121a94d1ec71ddaf65d8
SHA-256 (with salt: ac9fdd1c):
a438f29217d2e76a9eeb9f317958c61786b5811d1ecf50e02fa8c19237dade17
In addition, using a salt helps to solve the problem of collisions.
A collision is a situation where two different passwords result in the same hash. This can occur when a hash function is used for a large number of passwords. With the use of a salt, even if two users have the same password, their hashes will differ, making dictionary attacks more difficult.
The table below shows examples of passwords with different hashes with and without a salt:
Password: password123
SHA-256 (with salt value #1: d5e5f7c5):
6328f244b7474a22d2b98fb6b4a4c17d6e30305d64e3c2c8e0d57dbd90f6a24a
SHA-256 (with salt value #2: 4d8e0db4):
4c4f2e1341a7c09d089b7020fdcc73a831fe9ba02cfb8f1e78ebfd95aeebcaa
As seen in the table, the use of a salt results in different hashes for identical passwords. In addition, with the use of a salt, even simple passwords can be secure.
Understanding the password authentication process with hashing
When a user tries to log in, they enter their password, and the server retrieves the hashed password from the database. The server then hashes the password the user entered and compares it to the hashed password on the database. If the two hashes match, the user is authenticated, and they are granted access to the system.
To enhance security, servers often use additional measures to protect passwords, such as salting and key stretching. Salting involves adding a random string of characters to the password before hashing, making it more challenging for attackers to crack the password. Key stretching involves slowing down the hash function, making it take longer to hash the password, which makes it more difficult for attackers to guess the password.
It’s essential to store passwords securely on the server, as a compromised password database can lead to a data breach. Therefore, servers often use encryption to protect password databases from unauthorized access. For example, databases may be encrypted using a master key or a separate key for each user’s password.
In summary, when a user creates a password, it is hashed and stored on a server’s database. When the user tries to log in, the server retrieves the hashed password and compares it to the password entered by the user. To enhance security, servers may use additional measures such as salting and key stretching, and databases may be encrypted to protect against unauthorized access.
In conclusion, password hashing with salt is a fundamental method for securely storing passwords on servers. It protects against attacks such as brute-force, dictionary, and rainbow table attacks, by making it more difficult for attackers to precompute the hashes of common passwords or lookup the hashes in precomputed tables. By adding a unique salt to each password, even if two users have the same password, their hashes will be different, providing an additional layer of security.
However, it’s important to note that password hashing with salt is not the only method for securing passwords, and modern authentication systems may incorporate additional security measures such as two-factor authentication and biometric data. Overall, understanding the importance of password hashing with salt can help developers and system administrators ensure the security of their users’ sensitive information.
