Salt and hash your passwords

Encryption attempts to secure information by passing it through algorithms that are difficult to crack without the appropriate keys. By definition anything encrypted can be reverse engineered by design.

Hashing takes a string (A) and passes it through an algorithm to make another string (B) in such in manner that reverse engineering string (B) to string (A) is practically impossible .

When storing passwords they are more secure when hashed (as hashes are not designed to be reversed). In this case the password is not recoverable but is comparable. If a user supplies a password it can be hashed and compared to the original password to determine if it valid. If they forget their password they need to provide a new one.

One approach to cracking a hashed password is to simply take a large dictionary of passwords and encrypted\hash them with a known algorithm to create a rainbow table. Then if a hacker can extract a list of password from a site they simply compare the stolen list with their rainbow table and identify the password. Salting can prevent this approach by using a random string as a start point to the hashing process. The salt is stored with the as part of the hash or alongside it. This means that a hacker would need a rainbow table of possible passwords for each possible salt, in practical terms a limitless combination.

Any system in which you can recover your password (as opposed to being issued a new one or a reset link) is a sign that the system is not particularly secure, as any password stored correctly (hashed and salted) cannot be recovered.

By aware if you are taking ownership of an older system (many years old) that encrypts password the encryption process may no longer be considered secure.

Instead use a modern industry standard approach such as Microsoft OWIN providers in order to have a good starting point.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s