Why Should I “Salt” My Passwords?

The password has become an everyday part of life for people who use the internet on a regular basis. And these days that is most people.

For most of the web sites that we go to we are required to use a password to interact with them. For right now, this is the only way that we are able to keep ourselves secure. There is no way in the world where you would feel comfortable on a web site that was asking for your bank information if you did not have to log on to the site to use it. But coming up with a secure password ourselves is only part of the problem when you are talking about security on the internet.

If we want to be sure that we are truly secure when we use a web site, we must make sure that the web site is handling our passwords securely. If you come up with a good password but someone is able to infiltrate the database because of a lack of security on the web site’s part then your password is basically no good.


There are several measures that you can ask the administrator about to see if a web site has good password security or not. One of the questions to ask is whether they “salt” their passwords or not.

In this article I will show you how a web site “salts” the passwords that they store and how you can use the same technique to come up with good passwords on the many different sites that you use as well.

How Do You “salt” A Password?

In the computer world there are a lot of terms that have a food origin. You may hear certain terms like “cookies” when you are on a web site. “Salt” is one of those terms.

The term “salt” means that when a web site stores your password, they do not store it in the format that you gave it to them. For example, if you gave them the password “dog” (by the way, a horrible password), then they will place a random number combination in front of it and store something like “1242245-dog” instead. This number is randomly generated. This means that it would be hard for someone to try a SQL injection attack by using known passwords.

Salting the password is only the beginning.

There are other things that a server operator will do to make sure that the password stored in the database of their web site is hard to guess. They will also do things such as encrypt the password when it is set. This means that the stored password goes beyond the text that you entered. It is now indecipherable to human eyes, but a computer is able to understand it.

So salting and encrypting the entered password allows the server operator to make sure that black hat hackers would have a hard time getting past their security.
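An added example (not from the article) of what salting and then storing a password looks like in practice, in Python. The article says the password is “encrypted”; the standard way to do this is a one-way password hash, here PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, salt size and the `pbkdf2_sha256$…` record layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters for this example (assumptions, not from the article).
ITERATIONS = 600_000   # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, one per stored password


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salt and hash a password, returning a self-describing storage string.

    A fresh random salt is generated unless one is supplied (supplying one
    is only useful for tests). The salt is stored in the clear next to the
    hash; it is not a secret, its job is to make each stored value unique
    so that a precomputed table of hashes of known passwords is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-run the stored salt and iterations over a login attempt and compare."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_differs(password: str) -> bool:
    """Two users who pick the same weak password get different stored records."""
    return make_record(password) != make_record(password)


if __name__ == "__main__":
    rec = make_record("dog")  # the article's example of a bad password
    print(rec)
    print(verify("dog", rec), verify("cat", rec), same_password_differs("dog"))
```

Only the record string is written to the database; the plaintext password is never stored.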

Since this is a technique that works, you would think that all web sites would use it. Unfortunately that is not the case. There are several major web sites that have been breached in recent months by techniques that would have been stopped if only the web site had salted their passwords.

Should You “salt” Your Own Passwords?

There are a few salting techniques that you can try with your own passwords as well. The technique can help you have better security practices by using longer passwords. One way for a user to salt their own passwords is to use the same base password for the web sites that they go to, and then put the name of the site they are visiting in front of it as a prefix.

For example, if you are signing up for an account at the web site example.com, you could use “example-basepassword” as the password.

That gives you an easy-to-remember but at the same time random and long password to use. The “salt” portion of the password is the web site’s name. And what makes it even better is that you do not even have to use the whole web site’s name.

To make it even more random, you can come up with a technique of skipping letters out of the web site’s name. This way it is even harder for the bad guys to see the pattern that you are using.

You might be able to come up with even more creative ways of salting your password for security purposes.

The “salting” of passwords is one of many techniques that a server operator can use to make sure that someone is not able to hack into their web sites by using any of the old password cracking techniques.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
