But what is password salting and why is it so critical to secure password storage?<\/p>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n Password salting is the process of adding a random, unique integer or string to every password to prior to hashing it. A salt is a random, large, unique value that\u2019s generated using a cryptographically secure random number generator (RNG), or what\u2019s sometimes called a random bit generator<\/a> (RBG). Salts are traditionally stored on your server alongside your password hash values. <\/p>\n\n\n\n Here\u2019s an example of salts that were auto generated and added to a WordPress config.php file:<\/p>\n\n\n\n More technically speaking, the Internet Engineering Task Force (IETF) Network Working Group\u2019s Request for Comments (RFC) 4949<\/a> defines a salt as:<\/p>\n\n\n\n \u201cA data value used to vary the results of a computation in a security mechanism, so that an exposed computational result from one instance of applying the mechanism cannot be reused by an attacker in another instance.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n But what\u2019s the point of using a password salt? Password salting allows you to create a unique hash value for every password. A hash is a method of taking an input of any size and converting into a random string of gibberish of the same length. This masks the size and any identifying information about the original input and can be used for data integrity verification. This helps to secure your stored password hashes against dictionary attacks (a type of brute force attack) and rainbow table attacks should cybercriminals get their grubby hands on your database. (We\u2019ll speak more to the reasons why a little later in the article.)<\/p>\n\n\n\n Basically, the big takeaway here is that storing salted password hashes instead of plaintext passwords or unsalted password hashes is the difference between:<\/p>\n\n\n\n (Don\u2019t worry, we\u2019ll speak more to hashing in a minute or two. And, no, hashing isn\u2019t the same thing as encryption.)<\/p>\n\n\n\n The idea here is that you\u2019re enabling every individual password input to have its unique hash value by salting your passwords before hashing them. This means that their hash values will be entirely different even if you have two separate users using identical passwords (say, password123<\/em>).<\/p>\n\n\n\n Of course, you want to make sure that no one knows which salt you\u2019ve used. This is why you need to add a unique, randomly generated salt to each password before hashing it. While it\u2019s true that the salt gets stored next to your password hashes, it would be too time consuming and labor intensive to try to calculate each password using each individual salt. Taking that individual approach wouldn\u2019t be worth it to cybercriminals who are trying to crack thousands or even millions of common passwords quickly using scripts and automation. <\/p>\n\n\n\n Ideally, users should be using unique passwords or passphrases to secure their accounts. But we know that not everyone follows password security<\/a> best practices and will sometimes use common passwords. This is why it\u2019s important to salt your passwords; it prevents a hacker from simply searching your database for password hashes that match the hashes of common passwords. <\/p>\n\n\n\n Knowing this, let\u2019s explore a quick example of how an MD5 salted hash value looks using the common password password123<\/em> as an example:<\/em><\/p>\n\n\n\n Now, let\u2019s consider what happens when you apply the salt value +Oa8kFpYobjX<\/em> to the same password. It results in the following entirely unique hash value:<\/p>\n\n\n\n Without salting, two separate users would wind up having identical password hash digests. This would be bad news because it means that if a user\u2019s password gets compromised in a data breach, hackers can use that known value to check against known hash values until they find a match.<\/p>\n\n\n\n But why would two users with identical passwords wind up with the same hash digest? This is because strong hashes are deterministic in nature<\/strong>. What this means is that any given input (i.e., your plaintext password) will always return the same hash value. So, a password like password123<\/em> will always return the same hash value when using the same hash function unless you do something to change the input, even just a little bit:<\/p>\n\n\n\n But salting isn\u2019t the only way to add additional values to your passwords to increase their security. There\u2019s also a related, lesser-known cryptographic process known as peppering.<\/p>\n\n\n\n Something that\u2019s very common in cryptography \u2014 and cybersecurity in general \u2014 is that different terms are sometimes used interchangeably. This is the case with salt and pepper \u2014 while they\u2019re related, they\u2019re not the same thing and should be treated as separate elements.<\/p>\n\n\n\n Yes, a pepper is kind of like a salt in that it\u2019s a value (a large integer or string) you tack onto passwords to add another layer of security. But, unlike a salt, a pepper is a secret value that can be reused. According to the Internet Engineering Task Force (IETF), a pepper is a value that can be reused over and over again.) Furthermore, because they\u2019re intended to remain secret, peppers shouldn\u2019t be stored along with the password hashes in your database.<\/p>\n\n\n\n The IETF also says that peppers should be able to be rotated<\/a> and swapped out with alternate peppers:<\/p>\n\n\n\n \u201cIf a pepper is used, consideration should be taken to ensure that it can be easily rotated. For example, multiple peppers could be stored. New passwords and reset passwords would use the newest pepper and a hash of the pepper using a cryptographically secure hash function such as SHA256 could then be stored in the database next to the salt so that future logins can identify which pepper in the list was used.\u201d <\/em><\/p>\n<\/blockquote>\n\n\n\n IETF also warns that peppers and salts should not be combined because the salt isn\u2019t a secret value; therefore, it may appear in the final hash value output.<\/p>\n\n\n\nWhat Is Password Salting? A Password Salt Definition<\/h2>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/08\/wordpress-salts-example-shadow-1024x332.png\")
\n
\n
An Example of How Salting Alters Your Password Hash Value<\/h3>\n\n\n\n
482c811da5d5b4bc6d497ffa98491e38<\/em><\/em><\/code><\/pre>\n\n\n\ne72fd887c202a4367b8a96d42d1a1e10<\/em><\/code><\/pre>\n\n\n\n\n
Password Salting vs Peppering in Cryptography<\/h3>\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/08\/saltpepper.png\")
<\/figure>\n<\/div>\n\n\n\n