Hacking Tutorials

Salting And Salted Hashes Explained

Hello guys! In this article we will be discussing what salting is.
First of all, read these articles to build a good base:

  1. Hash : Explained For Beginners
  2. Basic Principles Of Password & Hash Cracking

So how do you crack a hash? Using brute force, hash tables, rainbow tables and so on.
One thing is common to all these methods: you hash candidate passwords and compare the result with the target hash.
But what if the hash you are comparing against was not made from the bare password at all, so that none of your candidate hashes can ever match? Can you crack it in that case? Hell no!

My sad story

So I created an app which stores credit card information, passwords and other confidential information of users on my server. As I am aware of password cracking attacks, I decided to store passwords as hashes.
But a week after the release of the app, I started getting complaints from users that their accounts were getting compromised. I did some research and found that someone was stealing those hashes from my server and cracking them to get the users' passwords. The cracker was able to crack the passwords because people are stupid as fuck and use passwords such as iloveyou, incorrect and qwerty123. Instead of telling people how to create strong passwords, I decided to patch my side first. I started salting the hashes.

What is Salting?

Basically, when you generate a hash you just feed a string into the hashing algorithm and it converts it into a digest of fixed length.

But with salting, another string is combined with the input before it is hashed. The string added to the input is called a salt. For example, in the case described below, %L!*?a” is the salt.

The next time the user tries to log in, his input is again combined with the same salt and hashed; if the result matches the stored hash, he gets access to the account.
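The store-and-verify flow just described, as an added example that is not code from the original article. It hashes salt + password exactly as the article does and keeps the result in the "salt$hash" form the article shows later. MD5 is used only because the article's hash table is MD5; the algorithm name, the random salt length and the `verify` helper are assumptions of this example. A real deployment would swap in a slow password-hashing function (scrypt, PBKDF2, bcrypt or Argon2), since salting alone does nothing against a brute-force attack aimed at a single hash.

```python
import hashlib
import hmac
import secrets

# Added example, not the article's own code. Implements hash(salt + password) and
# stores it as "salt$hash". MD5 matches the article's table; do not use it in production.


def salted_hash(password: str, salt: str, algorithm: str = "md5") -> str:
    """Hex digest of salt + password (the article's construction)."""
    return hashlib.new(algorithm, (salt + password).encode("utf-8")).hexdigest()


def make_record(password: str, algorithm: str = "md5") -> str:
    """Create the stored credential 'salt$hash' with a fresh random per-user salt.

    The salt is not secret; it only has to be unique per user, so it is stored
    in the clear next to the hash. token_urlsafe never contains '$', so the
    separator stays unambiguous.
    """
    salt = secrets.token_urlsafe(12)  # assumption: 16-char URL-safe salt
    return f"{salt}${salted_hash(password, salt, algorithm)}"


def verify(password: str, record: str, algorithm: str = "md5") -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, _, stored = record.partition("$")
    return hmac.compare_digest(salted_hash(password, salt, algorithm), stored)


if __name__ == "__main__":
    record = make_record("qwerty1234")          # constructed demo password
    print("stored:", record)
    print("correct password accepted:", verify("qwerty1234", record))
    print("wrong password rejected:  ", not verify("qwerty1235", record))
    # Same password, new salt -> different stored record.
    print("second record differs:", make_record("qwerty1234") != record)
```

Because every call to `make_record` draws a new salt, two users who choose the same password end up with different hashes, which is the property the rest of the article builds on.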

Now suppose a hacker has a list of precomputed hashes, i.e. a hash table of common passwords like this one (MD5):

String        Hash
iloveyou      f25a2fc72690b780b2a14e140ef6a9e0
incorrect     6119442a08276dbb22e918c3d85c1c6e
12345678      25d55ad283aa400af464c76d713c07ad
qwerty1234    58b4e38f66bcdb546380845d6af27187
password      5f4dcc3b5aa765d61d8327deb882cf99

This list contains our user's password, qwerty1234, but the attacker will never find a match: the hash in his table is for qwerty1234, not for qwerty1234%L!*?a” (the password with the salt attached).
So salting renders his precomputed tables useless, at least as long as he does not know that we are using a salt or what its value is.

But many systems store the salt right next to the hash, for example like this: sFxzApTB$404598ab893e81a6d9785d9bcee9fdd8

Here the string before the $ (sFxzApTB) is the salt, the string after it is the hash, and the $ separates them. So an attacker who steals this record also learns the value of the salt.
Even so, he now has to attach the salt to every password in his word list and recompute all the hashes, because the table he already has was built without it. Building a hash table takes a lot of time and resources, so the salt still makes the cracker's job harder.

Static and Dynamic Salting

If the hacker is dedicated, he will simply build a new hash table with the salt included, and our users will be vulnerable again.
But there is a fix for this case too, and that is something called dynamic salting.
With static salting we use the same salt for all the hashes, so one recomputed table covers every user. With dynamic salting every user gets a different salt.
For example, we can add the username of a user to his password as the salt, so the input to the hash function becomes something like this:
bob69_qwerty1234
As the username is different for every user, the attacker needs a different hash table for each user, and…
(In practice a random salt generated per user and stored alongside the hash is preferred over the username: usernames are predictable and are often reused across sites, so an attacker could prepare tables for likely usernames ahead of time.)
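The three attacker scenarios above (a plain hash looked up in a precomputed table, a known static salt that forces one rebuild of the table, and per-user salts that force one rebuild per user) worked through as an added example; this is not the article's code. The five-word wordlist and the three user accounts are constructed for the demo, the static salt is the article's %L!*?a, and the username-plus-underscore salt follows the article's bob69_qwerty1234. The cost model (one full pass over the wordlist per distinct salt) is what a real cracker pays when it cannot reuse a table.

```python
import hashlib

# Added example, not from the original article. WORDLIST, USERS and the helper names
# are constructed for this demo. Using the username as a salt mirrors the article;
# a real system would use a random salt per user.

WORDLIST = ["iloveyou", "incorrect", "12345678", "qwerty1234", "password"]
STATIC_SALT = "%L!*?a"
USERS = {"alice": "qwerty1234", "bob69": "iloveyou", "carol": "password"}  # constructed


def md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_table(salt: str = "") -> dict:
    """Precompute {md5(salt + word): word} for the whole wordlist: one full pass."""
    return {md5(salt + word): word for word in WORDLIST}


def make_records(salt_for) -> dict:
    """Store every user as 'salt$hash', with salt_for(username) choosing the salt."""
    records = {}
    for user, password in USERS.items():
        salt = salt_for(user)
        records[user] = f"{salt}${md5(salt + password)}"
    return records


def crack_records(records: dict):
    """Attack 'salt$hash' records with lookup tables, reusing a table whenever a salt
    repeats. Returns (cracked passwords, number of hashes the attacker had to compute)."""
    tables, cracked, work = {}, {}, 0
    for user, record in records.items():
        salt, _, digest = record.partition("$")
        if salt not in tables:            # an unseen salt forces a whole new table
            tables[salt] = build_table(salt)
            work += len(WORDLIST)
        if digest in tables[salt]:
            cracked[user] = tables[salt][digest]
    return cracked, work


def unsalted_lookup_works() -> bool:
    """The article's first case: an unsalted hash is found directly in the table."""
    return build_table().get(md5("qwerty1234")) == "qwerty1234"


def salted_lookup_fails() -> bool:
    """Same password, salted: the unsalted table has no entry for it."""
    return build_table().get(md5(STATIC_SALT + "qwerty1234")) is None


if __name__ == "__main__":
    print("unsalted hash found in table:        ", unsalted_lookup_works())
    print("salted hash found in unsalted table: ", not salted_lookup_fails())
    static = make_records(lambda user: STATIC_SALT)
    per_user = make_records(lambda user: user + "_")   # article's "bob69_qwerty1234"
    print("static salt   -> cracked, hashes computed:", crack_records(static))
    print("per-user salt -> cracked, hashes computed:", crack_records(per_user))
```

With the static salt all three weak passwords fall after a single pass of five hashes; with per-user salts the attacker still recovers them, but pays one pass per user (fifteen hashes here), and that multiplier grows with the size of the user base and of the wordlist. Note what does not change: a weak password is cracked either way, which is why the salt has to be paired with a slow hash and a password-strength check.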

Happy ending of my sad story

Now the passwords stored on my server are dynamically salted, and I patched the vulnerability through which the attacker got into my server. I also added a feature to my app that checks whether a user's password is weak.

Thanks for reading. I hope you enjoyed this article.

Keep Learning! Keep Hacking!



About the author

D3V

I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.

3 Comments


  • YOUR COMMENTS — “I started getting complaints of the users that their accounts were getting compromised.” and …..”The cracker was able to crack the passwords as people are stupid as fuck and use passwords such as iloveyou, incorrect, qwerty123.”

    MY COMMENTS — Sure, blame the User for being stupid. You really need to carefully rethink who actually holds the responsibility in this scenario. For these Users, more complex passwords might have helped them by increasing the effort…but only if the parameters associated with those passwords would allow for enough length and complex characters— 8 complex characters can be easily bruted or just looked up. 12 characters is better, etc., but nothing is impossible in this scenario. It was you, not the User, that was most technically responsible for this breach in the first place. The User had an expectation that you knew what you were doing— they had two choices (or less). Input a password and hope, or not use your system at all. It sounds like you came around to a more sound technical solution—

    BUT, for you to blame the USER and say “people are stupid as fuck” is absolutely unfair. Perhaps you need a mirror to look in because you said it yourself, “I am n00b”

    As a security professional I can tell you that the SECURITY PROFESSIONAL holds the responsibility for the TECHNOLOGY, not the User. The USER’s responsibility is based on HOPE that they won’t do something dumb, but the reality is, people do dumb things….embrace it, but sure as hell don’t blame people for being human and doing exactly what you expect them to do.

    • I appreciate your views and yes, I am saying that humans are stupid.
      In this case the users were stupid, but I was stupid as well, because it was my stupidity to store passwords without salt and to leave a vulnerability in my server that could let attackers gain access to the server.
      And I did whatever any developer would do.
      I patched my server and started using salts.
      Thanks for your opinion.
      I understand what you are trying to say, but come on, I was just trying to build up a story to explain the impact of salts on the security of hashes.

  • Qwrrty1234 is wrong and stupid fuck user. Credit cards and passwords on server is big time but cool that people trust you that way. I hate people who steal passwords and cards then hack other people's stuff. This happened to my uncle and he lost his job when boss found out he bought tires for his truck from church. He is fat with diabetes so foot got cut off cause he eats so much butter and drinks vodka and Mountain Dew. He hit my brother with keyboard because he was watching YouTube girls with guns. My uncle is still nice when we still take bath but I don't like to touch his stump foot. Why can't people be good and not do bad things? I liked password fix you made and it easy to understand how dynamic salt works. I told my brother at breakfast when my uncle wasn't listening how good hashing salt works. If he's going to watch internet girls he needs to hash his keyboard and passwords and use good ones that have ! or $ and lots of numbers. My best password is 1m4k00l4g4m3r! No one has guessed it cause it is long with numbers 4 letters. You give good advice to use hash salt on my keyboard and I won't tell my uncle about your webpage or about hash so he won't hit my brother. My brother's eye still hurts and can't see far but cut is better. I want to be b4d4ssH4k3r like you and not stupid fuck user who eats butter
