
Hash, Salt and Pepper: How cooking your password makes it safer

These cryptography steps can make a difference if a web site is hacked, and here's why you want them applied to your credentials


Data breaches are a nearly daily occurrence, with passwords and other personal data captured by hackers from the companies where you shop, eat and bank. Often, though, the password you diligently remember when you order groceries for the week has been stored in a way that protects you fairly well. That process is called hashing, with a second step called salting, and a third called peppering. All three can be used together — often they're not — but even one step can help to lock down your special word, phrase or string of characters even more.

Here are the differences between the three, and, most importantly, why you should want to make sure that the companies you entrust with your business also take steps to protect your information. Even if you use a password manager to securely store your own credentials, hopefully the places where you go online are taking these security measures too.

Hashing transforms your password from plain text to a new output.

What is Hashing?

Hashing is a way of transforming your password into a unique identifier and fingerprint that are hard to invert and essentially reverse. Basically you're mincing up your data, and creating a fixed output. Why would you want to use a hash? If a password is just stored as plain text, then if a hacker gained access to that data they would have the keys to your account — and potentially others if you've reused that password in other places.

"If you use the more simple implementation, and not have [passwords] hashed at all, and a password data base is breached, everyone's password is fairly accessible," Arve Kjoelen, chief information security officer at McAfee told GearBrain.

So that's why many companies will say, if they've been breached, that while their database was captured, it contained hashed passwords. Think of these then as phrases that have been encoded into a secret language. You really can't reverse engineer a hash. But intrepid hackers can try and find the secret language, pushing a slew of words through coding, and then compare those results with hashed passwords. They may not know the hash a company has used, but they can just compare their hashed collection to a company's and try to match the hashes together. If they find a match — they can then figure out the password.

And that's exactly what some hackers do, Jim Miller at Trail of Bits told GearBrain.

"An attack called a rainbow table can generate a giant value where they compute the hash of those passwords," said Miller, a serious security engineer for Trail of Bits' cryptography team. "And so an attacker can compare those values against the table and easily identify a password in a database."

Not great. So that's why many companies then take a second extra step — called salting.

Salting adds another layer of security, attaching a new random character to your password.

What is Salting?

Salting works a little bit as it sounds. Just like the way people add salt to their food, salting in cryptography adds another element to your password, designed to make it just that much harder to crack or guess.

The way a salt works, a random character is assigned to your password — the same random character each time — but neither you nor even the company knows what it is. Then your new password, what you think of as your password plus the added salt, is hashed. And voila, you have something that is pretty hard to decipher.

"You can find a rainbow table online," said Miller. "But you can't predict what the salt value will be, and so that makes the table useless."

You never see this process when you're logging on to buy those books for class. Instead, you're just entering your password, and the system is looking up the salt for you, and then the hash. And that happens in less than a second. It does cost more to add this second, salting step, but it's that extra step that helps lock down a consumer's information — and protects a company's reputation too.

"You don't have to salt passwords to be more secure, but it's the right thing to do," Dave Hatter, a cybersecurity consultant in Cincinnati, Ohio told GearBrain.

Peppering takes your security to another level, assigning another value and storing it away from the original password.

What about Peppering?

Peppering takes the whole salting concept another step further, and assigns a second random value to the password — but this value is never stored with the salt nor the password.

You could think of a pepper as just an extra salt. But the pepper is not only a secret key that only shows up when a customer is logging into a site; it also has to be stored in a separate location so it actually remains a secret.

You may be able to guess the hash, and even get at the salt, but if the pepper is kept somewhere else physically, a hacker would have to have access to both databases to really make any headway.

"Peppering improves the security of a salt and hash because without the pepper value, an attacker cannot crack a single hash," Hatter said.
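To make the three steps concrete, here is an added Python example (not code from the article or from any of the companies quoted) that builds a small precomputed table of unsalted hashes, then shows how a stored salt defeats that lookup and how a pepper held outside the record is required to verify a login. The pepper value, the word list and the function names are all constructed for the example; PBKDF2 is used as the slow password hash.

```python
import hashlib
import hmac
import os

# Constructed pepper for this example: a real pepper is kept outside the
# password database (a secrets manager or HSM), never in the same table.
PEPPER = b"example-pepper-stored-elsewhere"
ITERATIONS = 200_000


def plain_hash(password: str) -> str:
    """Unsalted SHA-256: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes, pepper: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256. If a pepper is given, the password is first
    keyed with it via HMAC, so the stored hash depends on a value that is
    not stored alongside it."""
    material = password.encode()
    if pepper:
        material = hmac.new(pepper, material, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS).hex()


def store(password: str, pepper: bytes = b"") -> dict:
    """Build the record a site keeps: a fresh random salt beside the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": hash_password(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes = b"") -> bool:
    """Recompute with the stored salt (plus the separately held pepper)."""
    candidate = hash_password(password, bytes.fromhex(record["salt"]), pepper)
    return hmac.compare_digest(candidate, record["hash"])


def precomputed_table(words) -> dict:
    """Table of unsalted digests, standing in for the article's rainbow table."""
    return {plain_hash(w): w for w in words}


if __name__ == "__main__":
    table = precomputed_table(["password", "letmein", "hunter2"])  # constructed
    print(table.get(plain_hash("hunter2")))        # unsalted: found, 'hunter2'
    rec = store("hunter2", PEPPER)
    print(rec["hash"] in table)                    # False: the salt defeats the lookup
    print(verify("hunter2", rec, PEPPER))          # True: salt from record, pepper from elsewhere
    print(verify("hunter2", rec))                  # False: without the pepper nothing matches
```

Storing the same password twice yields two different records because each gets its own salt, which is exactly why a single precomputed table stops being useful.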

So what should I do to protect myself?

First, you should make sure you're taking the basic security steps to protect your password and secure your digital life. That includes everything from changing the default password that comes on your new device to not using your child's name as your password across the web. (Please.) These are actions you can take on your own — and they're free.

Then, you wouldn't be wrong to check to see how the company you're working with, whether that's your financial institution or the online grocery store where you regularly shop, is securing your personal data including your password.

You don't have to be a coder to understand whether a company is encrypting data you enter into their web site. You just have to be willing to make a decision on whether you want to work with those firms who are trying to protect your accounts, or not. That's a step many people should consider taking.

"I think consumers should be aware of the various ways of storing their passwords," said McAfee's Kjoelen. "And if it's not stored securely, when there is a breach, those passwords could potentially be cracked."
