Pass the Salt – Salting Passwords


By: MrFace
December 16, 2010

What is password salting?

As we know, passwords are used for basic protection of files, folders, accounts, etc. They are built into almost everything we do now, because security is paramount. From system logins to Gmail to your account here, you need one to access the system, and most password policies require a certain complexity so that the account is not easily compromised (e.g. 8 characters, with at least a number and an uppercase letter). For most of us this is a pain when we have multiple accounts, and sometimes you cannot use the same password for each account (note: you should never do this anyway). Salting your passwords lets you keep one standard root password and add extra, seemingly random characters to increase its complexity. Although it may look random, all you are doing is applying an algorithm to your password, which adds complexity while keeping it easy to remember. The bonus is that only you know the algorithm, so you can keep the basic root password and greatly reduce the chance of your passwords being compromised. That is exactly what salting is.

Why should you salt?

As stated above, this increases the complexity of a password and makes it simple for you to remember without having to open ye ole master password spreadsheet to find which password goes to which account. (Note: you should never do that either, but I have been guilty of this infraction in my younger years.) Additionally, a good algorithm increases the complexity so that brute force, dictionary, and rainbow table attacks (for more information on these, see the Additional Info section) are greatly hindered.

What do you mean?

The explanation of salting above should be easy enough to follow; however, I will simplify it further. Basically, you come up with a standard password (say “Password” for the rest of this post) and add extra digits, letters, special characters, etc. as a prefix or a suffix (or, for that matter, anywhere you want in the password).

How do I salt?

Using the password above, we can show you how to salt it. Let’s use the example of accessing your account on Facebook. We have Password as our password and we want a good algorithm to salt it with, so for this example we will append certain characters to the end of the password. And since it is Facebook, why don’t we abbreviate that to “fb” and add it to the end.

Original: Password

Salted: Password-fb

As you can see, this accomplished a few things.

1. Increased the length of the password, which increases complexity and makes a brute force or dictionary attack far less efficient.
2. Even if someone using rainbow tables knows your salt, it increases the time needed to actually build the tables, making your password more difficult to guess.
3. Added a special character, which also increases the complexity and reinforces the first point.
4. Made it simpler to remember, because you are on Facebook and your algorithm is the abbreviated domain name.

And we can reuse this algorithm for all the other online sites we visit (e.g. a Newsweek account password would be Password-nw). I say reuse, but ideally you want to keep the same algorithm everywhere for ease of use. :)

Now, the example above is quite simplistic and only serves to show the idea of salting. You would want a more difficult algorithm for complexity, as well as a placement of the salt that only you know.

Examples:

fb-Password
Pass-fbword

Also, it is ideal to base the salt on something no one else would know.

Example: My favorite car as a salt.

Pass-gt500word
gt500-Password
Password-gt500

Again, make use of the whole keyboard to increase complexity:

Pass-3@tm3word
3@tm3-Password
Password-3@tm3

As you can see, this simple yet effective process can greatly increase your security while making your passwords easier to remember. You always have the same root password, and only you know your salt algorithm.
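The scheme described above, as an added example that is not part of the original post: a small Python helper that combines a root password with a per-site salt at the prefix, suffix or infix position used in the examples, applies one fixed algorithm across several sites, and estimates how much the added characters grow the naive brute-force search space behind point 1. All function names and the sample inputs are my own.

```python
import math
import string

# Character classes used to size the alphabet for a naive brute-force estimate.
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def salt_password(root: str, salt: str, placement: str = "suffix", sep: str = "-") -> str:
    """Combine a root password with a per-site salt at the chosen position.

    placement: "prefix"  -> salt + sep + root                 (fb-Password)
               "suffix"  -> root + sep + salt                 (Password-fb)
               "infix:N" -> root[:N] + sep + salt + root[N:]  (Pass-fbword for N=4)
    """
    if placement == "prefix":
        return f"{salt}{sep}{root}"
    if placement == "suffix":
        return f"{root}{sep}{salt}"
    if placement.startswith("infix:"):
        n = int(placement.split(":", 1)[1])
        # The salt must land strictly inside the root; otherwise it is just a prefix or suffix.
        if not 0 < n < len(root):
            raise ValueError("infix position must be strictly inside the root password")
        return f"{root[:n]}{sep}{salt}{root[n:]}"
    raise ValueError(f"unknown placement: {placement!r}")


def keyspace_bits(password: str) -> float:
    """log2 of the naive search space an attacker must cover: alphabet ** length,
    where the alphabet is the union of the character classes the password uses."""
    if not password:
        return 0.0
    alphabet = sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def site_passwords(root: str, sites: dict, placement: str = "suffix") -> dict:
    """Apply one fixed algorithm (same placement, same separator) across many sites.
    sites maps a site name to the abbreviation used as its salt, e.g. {"facebook": "fb"}."""
    return {site: salt_password(root, abbrev, placement) for site, abbrev in sites.items()}


if __name__ == "__main__":
    root = "Password"  # constructed sample input mirroring the post's examples
    for pw in (root, salt_password(root, "fb"), salt_password(root, "gt500", "infix:4"),
               salt_password(root, "3@tm3", "prefix")):
        print(f"{pw:16s} length={len(pw):2d} naive keyspace={keyspace_bits(pw):5.1f} bits")
    print(site_passwords(root, {"facebook": "fb", "newsweek": "nw"}))
```

The keyspace figure is the attacker's worst case for an exhaustive search over the character classes present; it says nothing about how predictable the root word or the salt pattern itself is.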

Additional Info:

More info on salting: http://en.wikipedia.org/wiki/Salt_(cryptography)
Brute force attack: http://en.wikipedia.org/wiki/Brute_force_attack
Dictionary attack: http://en.wikipedia.org/wiki/Dictionary_attack
Rainbow tables: http://en.wikipedia.org/wiki/Rainbow_table

Encrypted password management tools:
KeePass - http://keepass.info/
Passkey - http://www.brothersoft.com/passkey-97911.html
Roboform - http://www.roboform.com/

Good luck, protect yourself and if you require any more information, feel free to send me a PM.
-mrface
