Mar 04, 2013

What are "hashed and salted" passwords?

I was one of the millions of Evernote users who had to reset their Evernote password this morning due to a security breach, but it seemed like most of the articles I saw about it downplayed the risk because passwords were "hashed and salted." While it sounds like a great breakfast order for WaffleHouse, what does hashed and salted mean regarding passwords?

Salt (cryptography)

"In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase.

In a typical setting, the concatenated salt and password are processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. This allows for later authentication while defending against compromise of the plaintext password, even in the event that the database is somehow compromised. The intent of the salt itself is primarily to defeat pre-computed rainbow table attacks that could otherwise be used to greatly improve the efficiency of cracking the hashed password database.
Cryptographic salts are broadly used in many modern computer systems, from Unix system credentials to Internet security.

Salts are closely related to the concept of nonce."

Hashing is using a cryptographic algorithm to convert data like a password into a fixed length string of characters called a fingerprint.

Salting is a way to randomize hashes by adding a random string (which is called a salt) before a password is hashed, which makes it much more difficult to crack the password hash. 

This page explains it more thoroughly:


The term that I'm familiar with is a "salty hash" which is what I believe you are referring to. The hashed part means that when a login is created for a system, their corresponding password is not saved as plain text as it appears IT world may be doing, since they just emailed me my password. Instead of plain text, the password is hashed using an algorithm like MD5, so if your password was "bob" the hash might look something like FE12AFZE.... Hashing is a one-way cryptographic strategy, you cannot directly get "bob" back from the hash value.


This is a good first line of defense as it makes it more difficult for the password to be exposed to a malicious user. The problem is that the strong hash functions like MD5 have already been brute force attacked, so you can find or create a reverse lookup and get "bob" back out from the hash.


This is where the "salted" component comes in, where each user is assigned a random salt value that is appended to their password prior to hashing, thus making the brute force attack that much more difficult.


The way that the application can authenticate a user, even though it doesn't have the ability to read their password, is by following the same steps that were used when creating the login. The user must provide their username and login to get access to the site. From the user name we can identify their salt and their hashed password; we append the salt to the password they provide and then hash it. From that result we compare it to the stored hash password for a match. With hashing, the odds of two different keys (passwords) is statistically unlikely, so if we don't have the same hash value, then they did not provide the correct password.


I'm sure you can find .net code examples by searching ".net salty hash".
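
The create-and-verify flow described in the answers above, as an added example that is not part of the original answers. It assumes PBKDF2-HMAC-SHA256 (Python's `hashlib.pbkdf2_hmac`) in place of a single MD5 pass; the function names, iteration count and sample passwords are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for the answers' generic "hash";
# the iteration count is an illustrative value, not taken from the page.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain unsalted digest: identical passwords give identical output."""
    return hashlib.sha256(password.encode()).hexdigest()


def create_login(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) to store; the password itself is never stored."""
    salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_login(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Repeat the creation steps with the stored salt and compare results."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def lookup(table: dict[str, str], digest: str) -> str | None:
    """Precomputed-table lookup; it only matches unsalted digests."""
    return table.get(digest)


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    table = {unsalted_hash(p): p for p in ("bob", "password", "123456")}
    print("unsalted lookup:", lookup(table, unsalted_hash("bob")))
    salt_a, hash_a = create_login("bob")
    salt_b, hash_b = create_login("bob")
    print("same stored hash for both users:", hash_a == hash_b)
    print("salted lookup:", lookup(table, hash_a.hex()))
    print("correct password, own salt:", verify_login("bob", salt_a, hash_a))
    print("correct password, other user's salt:", verify_login("bob", salt_b, hash_a))
```

Because each user gets a different salt, the same password produces a different stored value per user, so one precomputed table no longer covers the whole database.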
