We’ve had our partners laughing at us … we have our heads down discussing internet security: ”Salt and pepper? You want chips with that, love?”. But the simple fact is Salting and Peppering are important when considering password security.
So What’s the Problem With Hashing?
Most passwords are stored using a hashing process. Hashing is the process of converting a known string into another using an irreversible process. The original password is only stored as a hash. This means that the password is never ‘written down’ anywhere on the server.
Hashes tend to be long, obscure and difficult to remember. For example, using the old (insecure) SHA1 hashing algorithm, the password “apple123” creates the hash:
ec1e7fb8656dba32737acabc2e5a1fb2d02a973f
This is good because, the SHA1 algorithm always produces that outcome. When a user enters a password, you can hash it and compare it with the hash you have on file. If the hashes match, you can tell the user has entered the right password.
This is bad because, the SHA1 algorithm always produces that outcome. The internet is full of reverse-lookup tables (sometimes called rainbow tables) where hackers list the output from hashed strings. If you Google “ec1e7fb8656dba32737acabc2e5a1fb2d02a973f“, you’ll see the unhashed password is the first result.
SHA1 is old, there are (much) better hashing formulae out there but the principle is the same.
Do Not be Tempted to do Your Own Cryptography! Ever!
Very clever people with very big, very powerful computers dedicate a great deal of energy to breaking passwords and cracking open servers. It is likely they will shred anything you put together in moments.
Fortunately, there are very clever people with very big, very powerful computers dedicated to devising systems to keep the black hats out – let them provide you with the security you need.
Better yet, get someone else to handle your authentication. Just as people no longer commonly hold credit card details on their own servers, Google, Facebook and many others allow you to validate users using their data and procedures.
Caveat
Passwords, password security and encryption are big topics – far beyond the scope of this article. Further, the field changes all the time. What is good knowledge now may become a security loophole in a year or two. This article describes what salting and peppering is – but implementation will vary over time.
Understanding Salt in Password Cryptography
A “salt” is a random string that is added to a password before it undergoes the hashing process. The primary purpose of salting is to add uniqueness to each hashed password, even when two users have identical passwords.
The Role of Salt:
- Prevents Pre-computed Hash Attacks: Salting thwarts attackers who use rainbow tables. Since the salt is unique for each password, it renders these tables useless.
- Mitigates Dictionary Attacks: Because each hash is unique, salts also protect against dictionary attacks, where attackers try multiple common passwords to find a match.
A salt is stored with the record itself. So, although a vast improvement on a simple hash, the sense that half the key is available in plain text is uncomfortable.
A predictable salt is also a significant weakness. Do not generate salts yourself. Most programming languages will have built-in functions specifically for the purpose.
The Concept of Pepper in Password Cryptography
While salt is added to a password before hashing and is stored openly in the database, a “pepper” functions differently. Like salt, pepper is a secret value added to the password before encryption.
But pepper is not stored with user records. Instead, the pepper is a fixed value (or a set of values) used across the system. Pepper is kept private and away from the user/password records. Pepper is often hard-coded into the application or stored in a secure configuration file.
The Function of Pepper:
- Enhances Security Against Database Breaches: In the event of a database breach, while salts may be visible. But, if stored elsewhere, the pepper remains secret. This adds an extra layer of difficulty for attackers attempting to crack passwords.
- Acts as a Secret Key: The pepper can be seen as a secret key part of the cryptographic process, making it significantly harder for attackers to perform successful brute force attacks without access to this secret component.
Differences Between Salt and Pepper
The main differences between salt and pepper in password cryptography lie in their implementation and purpose:
- Storage: Salt is stored alongside the hashed password in the database, making it accessible for the password verification process. In contrast, pepper is not stored with the user data and must be kept secret and secure elsewhere.
- Uniqueness: Each password has its unique salt, whereas the pepper is a single value or a set of values used system-wide.
- Security Objectives: While both aim to enhance password security, salt primarily protects against pre-computed hash and dictionary attacks, and pepper adds an additional security layer against database breaches.
The Importance of Using Salt and Pepper Together
Employing both salt and pepper in password cryptography can be seen as the start of a robust security posture. Salt ensures that each user’s password is unique and defends against specific attack vectors like rainbow tables and dictionary attacks. Being a secret and not stored with the user data, Pepper provides an additional hurdle for attackers, even if they manage to access the database.
In conclusion, salt and pepper are indispensable tools in the arsenal of password cryptography, significantly enhancing the security of stored user passwords.
By understanding and implementing these techniques, developers can better protect user data in an increasingly aggressive digital landscape. The combined use of salt and pepper in password hashing algorithms exemplifies the ongoing evolution of cybersecurity measures, aimed at staying one step ahead of potential threats.