Pass the Salt – Salting Passwords
By: MrFace, December 16, 2010
What is password salting?
As we know, passwords are used for basic encryption of files, folders, accounts, etc. They are implemented in basically everything we do now, as security is paramount. From system logins to Gmail to your account here, you inherently need one to access the system, and most password enforcement requires that a certain complexity be met so that the account doesn't get compromised (i.e. 8 characters, with at least a number and an uppercase letter). For most of us this can be a pain, as we have multiple accounts and sometimes you can't use the "same" password for each account. (Note: you should never do this anyway.)
Well, salting passwords can help you keep one standard password with extra, supposedly random characters added to increase security. Although it may seem random, all you are doing is applying an algorithm to your password for complexity and easy remembering. The bonus is that only you know the algorithm, so you can keep the basic root password and hardly ever have your password compromised. That is exactly what salting is.
Why should you salt?
As stated above, this increases the complexity of a password and makes it simple for you to remember without having to open ye olde master password spreadsheet to find which password goes to what account. (Note: you should never do that either, but I have been guilty of this infraction in my younger years.) Additionally, with a good algorithm it increases the complexity so that brute force, dictionary, and rainbow table attacks (for more info on these, see the additional information section) are greatly hindered in their capabilities.
What do you mean?
Well, the explanation of salting above should be easily understood; however, I will simplify it further. Basically, you come up with a standard password (say "Password" for the rest of this post) and add additional digits, letters, special characters, etc. as a prefix or a suffix (or, for that matter, anywhere you want in the password).
How do I salt?
Using the password above, we can show how to successfully salt it. So, let's use the example of accessing your account on Facebook. We have Password as our password and we want a good algorithm to salt it with, so for this example we will append certain characters to the end of the password. And considering it is Facebook, why don't we abbreviate that to "fb" and add it to the end, giving Password-fb.
As you can see, this accomplishes a few things.
1. Increased the size of the password, adding complexity and making a brute force or dictionary attack far less efficient.
2. Even if someone using rainbow tables knows your salt, it increases the time needed to actually build the tables, making your password more difficult to guess.
3. Added a special character, which also increases the complexity and reinforces the first point.
4. Made it simpler to remember, because you are on Facebook and your algorithm is the abbreviated domain name.
And we can reuse this algorithm for all the other online sites we visit (i.e. a Newsweek account password would be Password-nw). I say reuse, but ideally you want to keep the same algorithm for ease of use.
Now, the example above is quite simplistic, just to show the idea of salting; you would want to use a more difficult algorithm for complexity, as well as a placement of the salt that only you know.
Also, it is ideal to use something no one else would know.
Example: my favorite car as a salt.
Again, make use of the whole keyboard to increase complexity:
As you can see, this simple yet effective process can greatly increase your security while making your passwords easier to remember. You always have the same root password, and only you know your salt algorithm.
More info on salting: http://en.wikipedia.org/wiki/Salt_(cryptography)
Brute force attack: http://en.wikipedia.org/wiki/Brute_force_attack
Dictionary attack: http://en.wikipedia.org/wiki/Dictionary_attack
Rainbow tables: http://en.wikipedia.org/wiki/Rainbow_table
Encrypted password management tools:
KeePass - http://keepass.info/
Passkey - http://www.brothersoft.com/passkey-97911.html
Roboform - http://www.roboform.com/
Good luck, protect yourself and if you require any more information, feel free to send me a PM.