Question

Many programs when saving passwords at rest add salt. When a person creates a password, a random salt is also generated. The computer adds the salt and calculates the hash H(salt || password), and stores both, typically by concatenation as salt || H(salt, password). Explain how this process can be utilized for authentication. What is the overall good of salting?

Solutions

Expert Solution

Salting essentially adds a cryptographically strong random value to the input of hash functions to make the passwords more secure by creating unique and random hashes. This is important because it creates unique hashes even for passwords that are the same. The random salt is either prepended or appended to the password set by the user. The salts for two identical passwords can be different, so that ultimately the hashes for these two passwords are unique.

For authentication, the salt, the username and the hash that was generated after salting for the particular password are stored together. When a user tries to log in with their password, the salt is added to the password, a hash is created, and this computed hash is verified by comparing it to the existing hash stored in the database. If the hash matches, the user is granted access; otherwise access is denied.

Salting is very important, especially for security reasons, because it makes it hard for any attacker to breach in, retrieve passwords and thus get access to the accounts. A simple scenario can explain how salting helps. Suppose there is a site that provides suggestions for exotic travel locations for your upcoming vacation. You create an account on the site and choose a password that matches the kind of content the site provides, and to remember it afterwards you choose words that you can recall later. So you choose wanderlust as your password. Now keeping such a password can be problematic because it can easily be guessed. But there is another problem. A second user creating an account on the site can also use the same password because of how common it is. So even after hashing, the hash created will be the same, and if an attacker breaches the site, he will know the users with the same passwords.

This is where salting comes in. By using a unique, random, cryptographically strong value as a salt, adding it to the password and then applying the hash function, the hash generated will be different even for the same passwords, and thus the attacker won't know which users have the same password. Thus the attacker will now have to individually crack the passwords for each user, and that would create a lot of inconvenience and consume time. This will also give the site time to take control back, and ultimately fewer passwords will be compromised.
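
The scheme from the question, as an added example that is not part of the original answer: it stores `salt || H(salt || password)`, verifies a login by recomputing the hash with the stored salt, and shows that two users who both pick `wanderlust` end up with different records. SHA-256 as `H`, the 16-byte salt and all function names are assumptions made here; a deployed system would normally replace the single SHA-256 call with a deliberately slow password hash such as PBKDF2 or scrypt.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16  # bytes; assumed size, the page does not specify one


def unsalted_hash(password: str) -> bytes:
    """Plain H(password): identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def make_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || H(salt || password), the stored form from the question."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # cryptographically strong random salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be SALT_LEN bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt + digest


def verify(password: str, record: bytes) -> bool:
    """Split the record, recompute the hash with the stored salt, compare."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample: two users choose the password used in the answer.
    db = {"alice": make_record("wanderlust"), "bob": make_record("wanderlust")}
    same = unsalted_hash("wanderlust") == unsalted_hash("wanderlust")
    print("unsalted hashes equal:", same)
    print("salted records equal: ", db["alice"] == db["bob"])
    print("correct password:     ", verify("wanderlust", db["alice"]))
    print("wrong password:       ", verify("wanderlust1", db["alice"]))
```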

