Why Hashed And Salted Passwords Still Get Exposed

In any business or culture that you are a part of, there will be simple rules that you are expected to follow. Sometimes these rules are made just for the sake of there being rules on the matter and other times the rules are made for good reasons. There are times when the rules are made just because someone has tried it a certain way and it turned out to be foolish. So in seeing that the way was foolish, they then tell all of the people who follow them to go a certain other route.

In the world of computer security, just like in other aspects of life, there are certain rules and protocols that you are supposed to learn early on. This is so that you will be able to stop the attackers that try to invade which ever system that you are guarding. And it is not just the security people either. If you are in charge of programming and making the software that is going to be on the network and exposed to the world then you have to worry about certain basic security protocols also. Even though certain programmers like to think that computer security is the job of the expert consultants that is not the case at all. If the software that you are coding is not secure to the best of your ability then that means that you have left the job half done and you really should try to finish it.

Why Hashed And Salted Passwords Still Get Exposed

What are the basic rules that we are discussing?

While there are many basic rules in security that we could discuss, we are only going to focus on one right now. And that is with good reason. We are focusing on this one rule right now because it is one of the few rules of computer security that directly needs to be worked on by both the programmer who is creating the software and the security consultant who is in charge of the network. And this rule is to always make sure that the passwords which are created by the end users are always salted and hashed. While even though the programmer and the security consultant might not ever meet or work for the same company, if they are interacting by way of an end product then they must make sure that each person does his or her job or the system will fail.

So what does hashing and salting passwords mean?

While this might seem simple to a person who has been exposed to it already, to the person who this is new to, it can be an overwhelming concept. In our explanation we will talk about hashing first and then we will move to salting. Salting may be the easier of the two when it comes to explaining the process.

When you hash a piece of data when it comes to programming that means you are turning that data into a number set. A function is used to turn that data into a number. The piece of data will always be consistent on that system with that number. For example, if we have the word “hello” and we want to create a hash of it we then place it in a function that does hashes in that particular programming language and then we get an output of 2320338. That is not the real output but just an example. So hashing data means that a person who is just looking at it without any software help cannot see what it means. They would have to decrypt it with another program. So as you can see, after it is explained hashing a piece of data is not that complicated.

So now we move to salting a password. Salting is the act of putting a word, random or normal, in front or behind the password that the user created. If your password is “hello”, then when it is salted it will become “344a-hello”. This is done because even if the password in encrypted, if it is easy enough, it can still be broken. But with a salted routine, you make the password more complicated and harder to break. And the end user who made the password will never even know about it. All they see and all they have to input is the original password.

While both of these routines are pretty standard fare these days, you will still see people forget to use them. But even worse than that, some people in the security world think that they are a cure all when it comes to security. That is not true. With enough time and a strong enough computer, a black hat hacker can still break a hashed and salted password. When it comes to computers these days, hardware is relatively cheap and so it is easy for a black hat hacker to get the hardware that he needs to crack the password. That means that you have to have the whole system secured and not just rely on one trick of the trade.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind