Salting & Hashing🍳

Neo Sahadeo — Thu, 11 Jul 2024 13:07:32 +0000

What is salting 🧂?

Salting is the process of adding data into a value before hashing.

What is hashing #️⃣?

Hashing is the process of converting data into a fixed-length string.

fixed-length: all hashes will have the same length

⚠️Something important to highlight is that hashing is not encrypting; Hashing or encryption depends on what the ultimate goal of that obfuscation is (orginisation regulations are a factor).

Here's an example:

User 1

(~🐧): echo password | sha256sum
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e>

User 2

(~🐧): echo password | sha256sum
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e>

The hashed passwords are identical; and that makes sense, they're the same password passed through the same algorithm. The problem arises when two separate users have the same hashed password and a bad actor gets a hold of these password and they can draw similarities.

Hypothetical scenario of compromised data:

User 1 uses the same password for every-site (not an uncommon thing). One of the sites gets their user-data leaked (also not an uncommon thing) which happens to have User 1's raw password stored. Then another site gets leaked that has User 1 and User 2's passwords that are hashed (but not salted). It's as easy as running a grep search and comparing hashes.

Adding a random SALT:

User 1

(~🐧): echo 01anv3password | sha256sum
afe1f6368ce0f7400ee266d52908e190e64779f2f91f4824ea8f1e595fe76ae1

User 2

(~🐧): echo aKdu4ppassword | sha256sum
a0c787128946d0319fbbbd41312a37c274d7dee345bfad74fca4c670c1bcfea5

From above, adding a random six character SALT changes the hash completely.

Conclusion

Salting is the process of adding data into a value before hashing it
Salts should be random
Hashing is converting data into a fixed-length string
Hashing is not the same thing as encryption

[🐧N.S]

Demo post

Neo Sahadeo — Wed, 03 Jul 2024 19:51:38 +0000

please no reading

DEV Community: noted