What is salting 🧂?
Salting is the process of adding random data to a value before hashing it.
What is hashing #️⃣?
Hashing is the process of converting data of any size into a fixed-length string.
fixed-length: every hash produced by a given algorithm has the same length (for SHA-256, 256 bits, written as 64 hex characters), no matter how long the input was
⚠️ Something important to highlight is that hashing is not encrypting. A hash is one-way: there is no key, and the original input cannot be recovered from it. Encryption is reversible by whoever holds the key. Whether you hash or encrypt depends on what you ultimately need to do with the data (and organisation regulations are a factor): if you only ever need to check that a value matches, hash it; if you need the original back, encrypt it.
Here's an example:
User 1
(~🧂): echo password | sha256sum
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e
User 2
(~🧂): echo password | sha256sum
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e
(Note that echo appends a newline, so this is the hash of "password\n"; `printf '%s' password | sha256sum` gives the hash of the bare string, which is a different value.)
The hashed passwords are identical, and that makes sense: it's the same password passed through the same deterministic algorithm. The problem arises when two separate users have the same hashed password and a bad actor gets hold of the hashes: without ever reversing the hash, they can see that both users share a password, and anyone who learns one user's password learns the other's too.
Hypothetical scenario of compromised data:
User 1 uses the same password for every site (not an uncommon thing). One of the sites gets its user data leaked (also not an uncommon thing), and that leak happens to contain User 1's raw password. Then another site gets leaked that stores User 1's and User 2's passwords hashed (but not salted). The attacker hashes the raw password once, and it's as easy as running a grep for that hash over the second dump: every account whose hash matches, User 2 included, is using the same password.
Adding a random SALT:
User 1
(~🧂): echo 01anv3password | sha256sum
afe1f6368ce0f7400ee266d52908e190e64779f2f91f4824ea8f1e595fe76ae1
User 2
(~🧂): echo aKdu4ppassword | sha256sum
a0c787128946d0319fbbbd41312a37c274d7dee345bfad74fca4c670c1bcfea5
From above, prepending a random six-character SALT changes the hash completely, and because each user gets a different salt, the two hashes no longer match even though the password is the same. The grep from the scenario finds nothing. The salt itself is not a secret: it is stored next to the hash so the same computation can be repeated when the user logs in.
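The whole scenario in one runnable script, added here as an illustration and not part of the original post: it builds an unsalted and a salted dump for two users who share a password, runs the "grep" correlation against both, verifies a login against the stored salt, and then shows what a salt does not prevent (guessing each user's hash with its own salt). It sticks to SHA-256 to match the post; the `salt$hash` storage format, the `SAMPLE_USERS` table and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example (not from the post):
# two users who, as in the post, happen to use the same password.
SAMPLE_USERS = {"user1": "password", "user2": "password"}


def sha256_hex(data: str) -> str:
    """SHA-256 of exactly these bytes. Unlike `echo password | sha256sum`,
    which hashes "password\\n", this adds no trailing newline."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def hash_unsalted(password: str) -> str:
    """The post's first example: same password, same algorithm, same hash."""
    return sha256_hex(password)


def hash_salted(password: str, salt: str = "") -> str:
    """The post's second example, with the salt drawn from a CSPRNG.
    Returns 'salt$hash'; this storage format is an assumption of this
    example, not something the post prescribes. The salt is not secret:
    it is stored so the same hash can be recomputed at login."""
    if not salt:
        salt = secrets.token_hex(8)  # 16 hex chars, fresh for every call
    return f"{salt}${sha256_hex(salt + password)}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(sha256_hex(salt + password), digest)


def build_dump(users: dict, salted: bool) -> dict:
    """Simulate a leaked user table, hashed with or without a salt."""
    return {u: (hash_salted(p) if salted else hash_unsalted(p)) for u, p in users.items()}


def correlate(known_plaintext: str, dump: dict) -> list:
    """The 'grep' from the post's scenario: hash the password that leaked
    in plaintext elsewhere once, then look for that hash in this dump.
    For a salted dump only the hash part (after '$') is compared, and
    it never matches because the attacker's hash has no salt in it."""
    target = hash_unsalted(known_plaintext)
    return [u for u, h in dump.items() if h.split("$", 1)[-1] == target]


def guess_salted(wordlist: list, dump: dict) -> dict:
    """What a salt does NOT stop: trying each guess against each user's
    own salt. The work now scales with users x guesses instead of one
    precomputed table, but a fast hash like SHA-256 keeps it cheap."""
    found = {}
    for user, stored in dump.items():
        for guess in wordlist:
            if verify_salted(guess, stored):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    unsalted = build_dump(SAMPLE_USERS, salted=False)
    print("unsalted identical:", unsalted["user1"] == unsalted["user2"])
    print("correlated users  :", correlate("password", unsalted))

    salted = build_dump(SAMPLE_USERS, salted=True)
    print("salted identical  :", salted["user1"] == salted["user2"])
    print("correlated users  :", correlate("password", salted))
    print("login user1       :", verify_salted("password", salted["user1"]))
    print("per-user guessing :", guess_salted(["123456", "password"], salted))
```

The last line of output is the caveat worth remembering: a salt defeats cross-user and cross-dump correlation and precomputed tables, but not a dictionary attack against one hash. In a real system the salted-SHA-256 construction above would be replaced by a purpose-built password hash (scrypt, bcrypt or Argon2), which generates and stores the salt for you and is deliberately slow.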
Conclusion
- Salting is the process of adding random data to a value before hashing it
- Salts should be random and unique per user; they are stored alongside the hash, not kept secret
- Hashing is converting data into a fixed-length string, and it is one-way
- Hashing is not the same thing as encryption, which is reversible with the key
- A salt stops an attacker from correlating identical passwords or using precomputed tables; it does not stop them guessing a single hash, so real password storage should use a purpose-built slow hash (bcrypt, scrypt, Argon2) rather than plain SHA-256
[🧂N.S]