Steve Smith, host of your TQA Weekly, explains why hashing is important, why salt always makes it better, and other interesting facts and tips on the matter.
Episode #2-38 released on June 17, 2012
Too often web-sites store plain-text or unsalted passwords in databases that can be brute forced into revealing the contents of your account for the world to see. If your password was hashed and salted correctly, the only thing the hackers would have is whatever data points were stored unencrypted, like your name, email, etc... The contents of databases do depend on the database designer, and there is only so much you can do. Today, I want to explain to you the importance of hashing and salting, and how they compare to normal encryption routines.
Now, encryption usually uses a pass-phrase to encode the contents of a file, data or directory structure in a secure fashion, and this means you can reverse the process by reusing the same pass-phrase. Hashing, by contrast, is a one-way mathematical process: because it encodes the data in a secure manner, it cannot be reversed. It is only usable as a method to compare data, like passwords for web-site accounts and devices. If you log on to a web-site that hashes your password, what the login process is actually doing is comparing the hash of what you typed to the hash stored in the password database. There are many kinds of hashing algorithms, like MD5, SHA, etc... The most commonly used are those I just mentioned, and SHA comes in flavors, or versions, if you prefer I say that.
Now, even if we can't reverse-engineer the password or pass-phrase from the hash, we can create our own rainbow tables. Using MD5 is not anywhere near safe, and it is currently at end-of-life status. My own video editing machine is capable of hundreds of thousands of conversions in one short day, and this is because MD5 was made in the early 1990's and was designed for much slower machines. SHA is a more computationally expensive algorithm that is intentionally slower to make it safer and more secure. The issue with SHA0 and SHA1 is that they are currently broken, and rainbow tables for MD5, SHA0 and SHA1 already exist.
This brings us to salting. Salting a hash means adding a fixed or randomly generated piece of information to each password or pass-phrase before hashing it, to create a unique hash result. This has the benefit of forcing password crackers to create a new rainbow table for each new salt connected to a specific hash. This can be made even more difficult by adding both a fixed and a random salt to the password or pass-phrase before hashing, making it computationally too expensive and time consuming to build a rainbow table for each user. Needless to say, we should never store the salt for each user in the database, or include the fixed salt in the database, in order to make it even more difficult for password crackers.
What does this mean for you, the user? Well, not usually much. You can't know whether a web-site is following this protocol, a better one or a worse one until they get hacked; then, and only then, are you going to learn if they encrypted, salted, hashed, or any combination of the three, the contents of the database, and more importantly, your passwords. The only thing you can do is use a different password or pass-phrase for every single web-site, service, computer, etc.. you use. If a web-site offers two step verification, use it. Facebook, Google, Blizzard, Paypal, etc.. use and offer two step verification for login. Change your passwords and pass-phrases often. Maintain a list of current passwords and pass-phrases in a safe place, preferably not on your computer, or use an excellent service like LastPass. And, to make things even more difficult for password crackers, don't use words in your password or pass-phrase; in fact, refrain from using common names, words, sentences, anything popular, and even avoid using 311t3/elite spelling in your password or pass-phrase, because password crackers know about it and actively search for it. If your password or pass-phrase is complete gibberish, then the password cracker may not know whether the result is still hashed or not.
Tip: If you ever register on a web-site and they send you an e-mail with your password or pass-phrase, they do not employ hashing, encryption or salting in any manner. Please e-mail them, ask them to change their ways, and report them to Plain Text Offenders at http://plaintextoffenders.tumblr.com/. And do not put any personal information into those web-sites. You can thank Shannon Morse from Hak5 for that information; I got it directly from her on the latest episode of Hak5.
Next week, I will be diving into the world of Windows, lost passwords, corrupted password files, and what you need to do to prevent anything bad from happening to you. For links to Wikipedia on hashes, LastPass, Hak5, and our show notes go to http://tqaweekly.com/se2ep38.
Remember to like, share and subscribe to TQA Weekly. For more information like our show notes, how to join our mailing list, get your own TQA Weekly branded gear and apparel, or for our Android Application, please visit tqaweekly.com. Stay safe and online, have a great day!
Host : Steve Smith | Music : Jonny Lee Hart | Editor : Steve Smith | Producer : Zed Axis Productions