Salted and Hashed (Not Breakfast!)
Using a login and a password is the primary way that users authenticate, not just at SendThisFile, but everywhere online. By now, when you create a username and password, there is usually a system in place that insists on a “strong” password, which usually means a minimum number of characters drawn from several classes: letters, digits, uppercase, lowercase, and special characters such as an asterisk or a dollar sign. If you want to know more about passwords and the common mistakes people make when creating them, there’s a great TED talk on that very subject.
But the topic of this post is what happens behind the scenes. Most end users probably think the strong passwords they create are the main thing keeping their account safe. In reality, a login and password on their own are not much protection; passwords are only part of the authentication process. That’s where salt and hash come into play.
Have you heard the term salted and hashed? You may have heard it in a context like “secure salted password hashing.” If the words don’t make you hungry, you probably know that it has to do with passwords. At SendThisFile those are just part of a process we follow to keep our customers’ data secure.
The Nitty Gritty
But what does it really mean? Let’s first break down the terms. Here’s what Wikipedia currently says about each:
Hash – any function that can be used to map digital data of arbitrary size to digital data of fixed size, with slight differences in input data producing very big differences in output data.
Salt – random data that is used as an additional input to a one-way function that hashes a password or passphrase.
As an example, let’s say a user creates an account consisting of a username and password. A hash algorithm is used to create a “fingerprint” of the password. So, in our example, if the password is D!rt75ne@k3S, let’s say the system’s fingerprint for it is: 2cf24dba5fb0a30e26e83b2ac5bc6bd9ec38f616560b120fda8e90f383853542
Changing even a single character of that password would have produced an entirely different fingerprint. To some, the hashed password already seems as impenetrable as Fort Knox. But hackers aren’t just anyone: they’re smart, they’re persistent, and they use tools that guess passwords over and over again until they crack the code. And with plain hashing, the same password always produces the same hash, so once that hash is cracked, the hacker gets in.
So, that is why we add salt. When a password is created, a random salt is added to the password before it is hashed.
So, in our example above, the following might happen:
To our password: D!rt75ne@k3S we add this salt: S1T7F2C8L9G
When you put these together, it returns an entirely different hash than the original password, so we get:
If the salt is random and different each time, this also prevents users who choose the same password from having the same hash.
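The contrast described above, as an added example that is not SendThisFile’s own code: an unsalted SHA-256 “fingerprint” beside a salted, iterated hash (PBKDF2-HMAC-SHA256), using the post’s password and example salt. The iteration count and the random per-account salt length are assumptions, not values from the post.

```python
import hashlib
import hmac
import os
from typing import Optional

PASSWORD = "D!rt75ne@k3S"      # the post's example password
EXAMPLE_SALT = "S1T7F2C8L9G"   # the post's illustrative salt
ITERATIONS = 600_000           # assumed work factor; slows down guessing tools


def plain_hash(password: str) -> str:
    """Unsalted SHA-256: the same password always yields the same fingerprint."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Salt is mixed in before hashing, and the hash is iterated to be slow."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    return digest.hex()


def create_record(password: str, salt: Optional[str] = None) -> dict:
    """What the server stores: the salt (not secret) and the salted hash, never the password."""
    if salt is None:
        salt = os.urandom(16).hex()  # fresh random salt for every account (assumed length)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Re-run the stored salt through the same function; compare in constant time."""
    candidate = salted_hash(attempt, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


if __name__ == "__main__":
    print("plain :", plain_hash(PASSWORD))
    print("salted:", salted_hash(PASSWORD, EXAMPLE_SALT))
    # Two users with the same password get different stored hashes.
    alice, bob = create_record(PASSWORD), create_record(PASSWORD)
    print("alice == bob ?", alice["hash"] == bob["hash"])
    print("login ok     ?", verify(alice, PASSWORD), verify(alice, "D!rt75ne@k3s"))
```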
Secure salted password hashing is just one way that SendThisFile keeps your password and login safe behind the scenes. Security practices on the customer side are important too. Many of our customers in the financial and medical sectors require their users to change their passwords regularly and to follow common security practices. It’s always good practice on the user side to change passwords on a regular basis, no matter what industry you’re in, and if you’re the administrator of a group of users, to remind your users to do so.