Hacking Tutorials

Salting And Salted Hashes Explained

Hello guys! In this article we will be discussing what is Salting.
First of all, read these articles to build a good base:

  1. Hash : Explained For Beginners
  2. Basic Principles Of Password & Hash Cracking

So how do you crack a hash? Using brute force, hash tables, rainbow tables etc.
One thing is similar in all these methods, you have to compare the target hash with some other hash.
But what if you don’t know the target hash? or have the wrong hash? Can you crack it in that case? Hell no!

My sad story

So I created an app which stores credit card information, passwords and other confidential information of users in my server. As I am aware about password cracking attacks, I decided to store passwords as hashes.
But after a week of the release of the app, I started getting complaints of the users that their accounts were getting compromised. I did some research and found that someone was stealing those hashes from my server and cracking them to get passwords of users. The cracker was able to crack the passwords as people are stupid as fuck as use passwords such as iloveyou, incorrect, qwerty123. Instead of telling people how to create strong passwords, I decided to oatch my side first. I started salting the hashes.

What is Salting?

Basically when you generate hashes, you just input a string and the hashing algorithm converts it into a string of fixed length.

crack salted passwordsBut in salting, another string is combined with the input and then converted into a hash.The string added to the input is called a salt. For example, in the case below %L!*?a” is a salt.

salting explainedNext time, when the user tries to log in, his input is again combined with the salt and converted into a hash, if the hash matches the stored hash, he gets access to the account.

Now suppose a hacker has a list of precomputed hashes i.e. a hash table which contains common passwords like this:

String Hash
iloveyou f25a2fc72690b780b2a14e140ef6a9e0
incorrect 6119442a08276dbb22e918c3d85c1c6e
12345678 25d55ad283aa400af464c76d713c07ad
qwerty1234 58b4e38f66bcdb546380845d6af27187
password 5f4dcc3b5aa765d61d8327deb882cf99

This password list contains our user’s password i.e. qwerty1234 but the attacker will never be able to crack it because the hash in his hash table is for qwerty1234 and not for qwerty1234%L!*?a”.
Thus salting will render all his password cracking attacks useless.
Well he doesn’t know that we are using salt or what is the value of salt.

But for example many systems store the hashes like this: sFxzApTB$404598ab893e81a6d9785d9bcee9fdd8

Where the red string is the salt, green string is the hash and $ separates them. So if the hackers finds this hash then he will also know the value of the salt.
But even if he finds the value of salt because he will need to add the salt to all the password of his word list and will have to recompute the hashes. Creating hash tables takes a lot of resources so it makes the job of the cracker harder.

Static and Dynamic Salting

If the hacker is dedicated then he will surely create a new hash table with the salt included and our users will be vulnerable again.
But there’s is fix for this case too, and that is something called Dynamic Hashing.
In static hashing we use the same salt for salting all the hashes while in dynamic hashing there are different salts.
For example, we can add the username of a user to his password as a salt, so it will become something like this:
As the username is different for all the users, the attacker will need different hash table for each user and….hash cracking meme

Happy ending of my sad story

Now the passwords stored in my server are dynamically salted, I patched the vulnerability by which the attacker hacked into my server. I also added a feature to my app which checks if a user’s passwords is weak.

Thanks for reading. I hope you enjoyed this article.

Keep Learning! Keep Hacking!

Also Read: MD5 Buster : “Crack” MD5 hashes in 5 seconds

Browse Categories:

Subscribe Now

Get the latest post directly into your inbox.

Thank you for subscribing.

Something went wrong.