Question

Many programs when saving passwords at rest add salt. When a person creates a password, a random salt is also generated. The computer adds the salt and calculates the hash H(salt || password), and stores both, typically by concatenation as salt || H(salt, password). Explain how this process can be utilized for authentication. What is the overall good of salting?

Answer 1

Salting essentially adds a cryptographically strong random value to the input of hash functions to make the passwords more secure by creating unique and random hashes. This is important because it creates unique hashes even for passwords that are same. The random salt is either prepended or appended to the password set by the user. Salt for two same passwords can be different so that ultimately the hashes for these two password are unique.

For authentication, the salt, username and the hash that was generated after salting for the particular password are stored together. As a user tries to log in with his password, salt is added to the password, thus hash is created and this computed hash is verified by comparing it to the existing hash stored in the database. If the hash matches the user is provided access otherwise denied.

Salting is very important especilly for security reasons because it makes it hard for any attacker to breach in and retrieve passwords and thus getting access to the accounts. A simple scenario can explain how salting helps. Suppose there is a site that provides suggestions for exotic travel locations for your upcoming vacation. You create an account on the site and choose a password that matches the kind of content the site provides and to remember it afterwards you choose words that you can recall later. So you choose wanderlust as your password. Now keeping such a password can be problematic because it can easily be guessed. But there is another problem. A second user creating an account on the site can also use the same password because of how common it is. So even after hashing the hash created will be same and if an attacker breaches , he will know the users with the same passwords. This is where salting comes in. By using a unique random cryptographically strong value as a salt and adding it to the password and then applying the hash function the hash generated will be different even for the same passwords and thus the attacker won't know which users have the same password. Thus the attacker, now, will have to individually crack the passwords for each user and that would create a lot of inconvenience and consume time. This will also give the site, time to take the control back and ultimately less passwords will be compromised.