Home Services About Us Information
Sign In
Services:Web Application Development :Technology:Security:Encourage good practices:

Salt and strong passwords


Why is salt good?

Assume the attacker gets a copy of the file with login ids and hashed passwords. Attacker wants to recover the clear text of the passwords. But they are hashed and its not possible to decrypt a hashed password. Or is it?

A common 40,000 word dictionary of common English words including common proper names and a copy of the SHA-1 hashing algorithm will be all he needs to crack most of the weaker passwords. This will cover the all time favorites like "secret" and "password." The SHA-1 of "secret" is e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4. Matching that exact character string against all the password entries in an unsalted database would find all the ID's with the password "secret."  An attacker's dictionary includes forward and reverse spellings of  40,000 English words words, thousands of common words in languages other than English and thousands more common names. Use the SHA-1 hashing algorithm to hash every word in your dictionary. If you have time, go ahead and increase your workload by 10 and append a single digit to each dictionary word. Also capitalize the first letter of each word. You'll end up with a file of a few million unique hashes. Most PC's can compare about 10 million entries per second. Given a little more time the attacker can try more combinations.

Match the hashes to the stolen password hashes you found. Many will be the same and you will know the clear text passwords for more than 20% of the IDs in the stolen file. This approach won't get you any further with the other passwords, however if you are persistent you can probably crack a few more by trying more digits and different caps and common two word combinations.

If the password file had been salted, the attacker's job becomes much more time consuming. Unique salting means each attack can crack only a single password. When an attacker gets a match he has cracked only one password and the rest of the file remains secure.

(As of 2008, security specialists estimate they can harvest 20% of the passwords with such an attack. Some corporations evaluate their own systems and notify users when they detect weak passwords.)

Best Bet: Use a strong password of eight or more characters that are not a word in any language. Include at least one capitalized letter and one or more numeric digits.