Hello guys! In this article we will be discussing what salting is.
First of all, read these articles to build a good base:
So how do you crack a hash? Using brute force, hash tables, rainbow tables etc.
One thing is common to all these methods: you have to compare the target hash with some other hash.
But what if you don’t know the target hash? or have the wrong hash? Can you crack it in that case? Hell no!
My sad story
So I created an app which stores credit card information, passwords and other confidential information of users on my server. As I am aware of password cracking attacks, I decided to store passwords as hashes.
But a week after the release of the app, I started getting complaints from users that their accounts were getting compromised. I did some research and found that someone was stealing those hashes from my server and cracking them to get users' passwords. The cracker was able to crack the passwords because people are stupid as fuck and use passwords such as iloveyou, incorrect, qwerty123. Instead of telling people how to create strong passwords, I decided to patch my side first. I started salting the hashes.
What is Salting?
Basically when you generate hashes, you just input a string and the hashing algorithm converts it into a string of fixed length.
But in salting, another string is combined with the input before it is converted into a hash. The string added to the input is called a salt. For example, in the case below %L!*?a” is a salt.
Next time, when the user tries to log in, his input is again combined with the same salt and converted into a hash; if the result matches the stored hash, he gets access to the account.
Now suppose a hacker has a list of precomputed hashes i.e. a hash table which contains common passwords like this:
This password list contains our user’s password i.e. qwerty1234 but the attacker will never be able to crack it because the hash in his hash table is for qwerty1234 and not for qwerty1234%L!*?a”.
Thus salting will render all his password cracking attacks useless.
Well, he doesn’t know that we are using a salt, or what the value of the salt is.
But for example many systems store the hashes like this: sFxzApTB$404598ab893e81a6d9785d9bcee9fdd8
Where the string before the $ is the salt, the string after it is the hash, and $ separates them. So if the hacker finds this record, he will also know the value of the salt.
But even if he finds the value of the salt, he will need to append the salt to every password in his word list and recompute all the hashes. Creating hash tables takes a lot of resources, so it makes the cracker's job harder.
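To make the three situations above concrete (unsalted hash found in a precomputed table, salted hash not found, salted hash found again only after the attacker reads the salt from the `salt$hash` record and rebuilds his table), here is an added example that is not part of the original article. The wordlist, the `make_record`/`parse_record`/`verify` helpers and the use of MD5 are assumptions: MD5 is chosen only because the article's sample record (salt, `$`, 32 hex characters) has an MD5 layout.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the article): a tiny "hash table" wordlist
# and the article's example salt. MD5 is a fast hash, which is exactly what
# makes building a table over a wordlist cheap.
COMMON_PASSWORDS = ["iloveyou", "incorrect", "qwerty123", "qwerty1234", "123456"]
EXAMPLE_SALT = "%L!*?a"


def hash_pw(text: str) -> str:
    """Hex digest of the given string (plain hashing, as in the article)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_hash_table(wordlist, salt: str = "") -> dict:
    """Attacker's precomputed table: digest -> plaintext, optionally for a known salt."""
    return {hash_pw(word + salt): word for word in wordlist}


def make_record(password: str, salt: str) -> str:
    """Server side: store the salt and the salted digest together as 'salt$digest'."""
    return f"{salt}${hash_pw(password + salt)}"


def parse_record(record: str):
    """Split a 'salt$digest' record back into its two parts.
    rsplit on the last '$' keeps working even if the salt itself contains '$'
    (the hex digest never does)."""
    salt, digest = record.rsplit("$", 1)
    return salt, digest


def verify(record: str, attempt: str) -> bool:
    """Login check: re-salt the attempt with the stored salt and compare digests.
    hmac.compare_digest keeps the comparison time independent of where the
    digests first differ."""
    salt, digest = parse_record(record)
    return hmac.compare_digest(hash_pw(attempt + salt), digest)


def crack_attempts(password: str = "qwerty1234") -> dict:
    """Walk through the article's three situations and report what the table finds."""
    unsalted_table = build_hash_table(COMMON_PASSWORDS)
    record = make_record(password, EXAMPLE_SALT)
    salt, digest = parse_record(record)
    return {
        # 1. no salt: the stored digest is straight in the precomputed table
        "unsalted_hit": unsalted_table.get(hash_pw(password)),
        # 2. salted digest looked up in the same table: a miss
        "salted_in_plain_table": unsalted_table.get(digest),
        # 3. attacker read the salt from the record and rebuilt the table with it
        "salted_in_rebuilt_table": build_hash_table(COMMON_PASSWORDS, salt).get(digest),
    }


if __name__ == "__main__":
    rec = make_record("qwerty1234", EXAMPLE_SALT)
    print("stored record:", rec)
    print("login with right password:", verify(rec, "qwerty1234"))
    print("login with wrong password:", verify(rec, "qwerty123"))
    print(crack_attempts())
```

Situation 3 is the important one for a defender: a leaked salt costs the attacker one table rebuild, not a new technique, so the salt only buys time in proportion to how expensive each hash is. That is why real password storage pairs the salt with a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) rather than a fast digest like MD5.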
Static and Dynamic Salting
If the hacker is dedicated then he will surely create a new hash table with the salt included and our users will be vulnerable again.
But there’s a fix for this case too, and that is something called dynamic salting.
In static salting we use the same salt for all the hashes, while in dynamic salting each hash gets a different salt.
For example, we can add the username of a user to his password as a salt, so it will become something like this:
As the username is different for every user, the attacker will need a different hash table for each user and….
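The following added example (not code from the original article) shows the difference in the attacker's workload directly. It stores the same three constructed user accounts three ways: one shared salt (static), the username as salt (the article's dynamic example), and a random per-user salt (the usual practice, which goes one step beyond the article), then counts how many hash tables an attacker with the stolen records and a wordlist has to build. The user list, wordlist and helper names are assumptions; SHA-256 is used as the hash.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the article)
WORDLIST = ["iloveyou", "incorrect", "qwerty123", "qwerty1234", "123456"]
USERS = {"alice": "qwerty1234", "bob": "iloveyou", "carol": "incorrect"}
STATIC_SALT = "%L!*?a"  # one salt shared by every record, as in the static case


def salted_hash(password: str, salt: str) -> str:
    """Hash of password + salt, as the article describes."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def static_salt(username: str) -> str:
    # static salting: every user gets the same salt
    return STATIC_SALT


def username_salt(username: str) -> str:
    # the article's dynamic example: the username itself is the salt
    return username


def random_salt(username: str) -> str:
    # unpredictable per-record salt, stored next to the hash (standard practice)
    return secrets.token_hex(16)


def store_all(users: dict, salt_for) -> dict:
    """Server side: one (salt, digest) record per user; salt_for picks the salt."""
    records = {}
    for username, password in users.items():
        salt = salt_for(username)
        records[username] = (salt, salted_hash(password, salt))
    return records


def verify(records: dict, username: str, attempt: str) -> bool:
    """Login: re-hash the attempt with that user's stored salt and compare."""
    salt, digest = records[username]
    return hmac.compare_digest(salted_hash(attempt, salt), digest)


def crack_all(records: dict, wordlist) -> tuple:
    """Attacker side: a hash table is only valid for one salt value, so a new
    table must be built for every distinct salt seen in the stolen records.
    Returns (cracked {username: password}, number of tables built)."""
    tables = {}
    cracked = {}
    for username, (salt, digest) in records.items():
        if salt not in tables:
            tables[salt] = {salted_hash(word, salt): word for word in wordlist}
        if digest in tables[salt]:
            cracked[username] = tables[salt][digest]
    return cracked, len(tables)


def tables_needed(salt_for) -> int:
    """How many tables the attacker builds to cover all USERS under a salt strategy."""
    _, count = crack_all(store_all(USERS, salt_for), WORDLIST)
    return count


if __name__ == "__main__":
    for name, strategy in [("static", static_salt), ("username", username_salt), ("random", random_salt)]:
        records = store_all(USERS, strategy)
        cracked, count = crack_all(records, WORDLIST)
        print(f"{name:9s} salt: {count} table(s) built, cracked {sorted(cracked)}")
    print("alice login ok:", verify(store_all(USERS, random_salt), "alice", "qwerty1234"))
```

With the shared salt one table cracks all three accounts; with per-user salts the attacker pays for one table per account, so the cost grows with the size of the user base. Note that the weak passwords are still recovered in every case: salting multiplies the attacker's work, it does not rescue a password that is in the wordlist. A username salt already gives each user a distinct table, but it is predictable and the same across sites; a random salt stored beside the hash avoids both problems at no extra cost to the server.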
Happy ending of my sad story
Now the passwords stored on my server are dynamically salted, and I patched the vulnerability through which the attacker hacked into my server. I also added a feature to my app which checks whether a user’s password is weak.
Thanks for reading. I hope you enjoyed this article.
Keep Learning! Keep Hacking!