Would you like some Salt on your Hash?

Salted Hash – The one-way function for password security.

Ok, I’m not talking about that potato hash you love with your eggs.  I am talking about the cryptographic hash that needs to be used to safeguard computer data files such as password stores.

A cryptographic hash function is an algorithm that takes a block of data of any size (called the “message”) and computes a fixed-size value from it (called the “hash value” or “digest”).  For example, hashing the word “Password” might produce a value such as “15c626b06ae6624f47404d0728”.  Every time the same message is run through the same hash function, the same value is produced.  This is a great way to verify that no changes occurred in the message during storage or transmission, since even the smallest change, a single flipped bit, produces a completely different hash value.

What also makes hashing so popular in computer security is that it is a one-way function: the hash value cannot be reversed to recreate the original message.  Note that this is not encryption; there is no key, and there is nothing to decrypt.

More and more password files no longer store user passwords in cleartext.  That’s because if a massive security breach occurs, every cleartext password is compromised at once.  Hashing the passwords and storing only the hash values greatly reduces the danger.  Note I said reduces, not eliminates.  That’s where a little salt is added for flavor.

A bad-tasting Hash.

The problem with hashing alone is that the same message always produces the same value.  Users choose some passwords far more often than others, and attackers know which ones they are, so an attacker can break a large hashed password file in hours or days.  It takes only a large electronic dictionary of likely passwords, a fast computer or GPU cluster, and a simple program.  The attacker hashes every entry in the dictionary once with the same algorithm the stolen file uses, say MD5, SHA-1 or SHA-256; these functions are built for speed, so millions of entries are hashed in seconds.  The program then compares the attacker’s precomputed values against the values in the stolen file.  Every match reveals a password, and every hash value that appears many times in the file marks a group of accounts sharing one (almost certainly popular) password.  Because the same table works against every account, and against every other stolen file that uses the same unsalted algorithm, the work is done once and reused.

Adding some Spice to the Hash.

A hash function has no key and no secret: given the same input it always produces the same output, so every occurrence of the word “Password” in the file has the exact same value.  Since “Password” is one of the top five passwords in use, an attacker can sort the stolen file by its most frequent hash values and be confident that the most common one is “Password” or one of its neighbours on the top-ten list, without reversing anything.

Salting fixes this by mixing a unique random value, the salt, into each hash calculation: a fresh salt is generated for each account, combined with the password before hashing, and stored next to the resulting hash value.  Now each occurrence of the word “Password” has a different hash value.

For simplicity, say you have a database of ten password entries with ten different values ranging from 0-9 and no repeats.  An attacker steals the password file, runs their dictionary through the hash with the first account’s salt and finds that the word “dog” has the value 4.  With the second account’s salt the only dictionary word that gives 4 is “cat”, and with the third it is “bird”.  So a 4 in the file means nothing on its own; it only says something once it is matched against the dictionary hashed with that one account’s salt.  All ten of the passwords could be identical and the ten stored values would still differ, so the trick of spotting the most popular password by its frequency is thwarted, and the attacker’s precomputed table is useless: the dictionary has to be hashed again for every salt.  Two caveats.  The salt is not a secret; it sits in the clear beside the hash, and its job is to make the attacker’s work per account instead of per file.  And salting does nothing to slow down guessing against a single account, which is why password storage should also use a deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2 rather than bare MD5 or SHA-2.
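The following is an added example, not code from the original post or from Access Smart, that runs the two attacks described above against a constructed ten-account password file, once stored with plain SHA-256 and once with a random 16-byte salt per account. The account list and the attacker’s wordlist are made up for the demonstration; the point is to compare how many hash computations the attacker needs and whether shared passwords are visible.

```python
import hashlib
import secrets

# Constructed sample: ten accounts, several of which share a common password.
ACCOUNTS = {
    "alice": "Password",
    "bob": "Password",
    "carol": "dog",
    "dave": "cat",
    "erin": "Password",
    "frank": "bird",
    "grace": "dog",
    "heidi": "letmein",
    "ivan": "123456",
    "judy": "correct horse battery staple",
}

# Constructed attacker wordlist: a handful of common passwords.
WORDLIST = ["123456", "Password", "letmein", "dog", "cat", "bird", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt prepended to the password before hashing (one common layout)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_unsalted_file(accounts):
    """Password file that stores only the bare digest."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def build_salted_file(accounts):
    """Password file that stores a fresh random salt beside each digest."""
    out = {}
    for user, pw in accounts.items():
        salt = secrets.token_bytes(16)
        out[user] = (salt.hex(), salted_hash(pw, salt))
    return out


def crack_unsalted(stolen, wordlist):
    """Hash the wordlist once, then look every stolen digest up in that table."""
    table = {unsalted_hash(w): w for w in wordlist}
    hashes_computed = len(wordlist)
    cracked = {u: table[h] for u, h in stolen.items() if h in table}
    return cracked, hashes_computed


def crack_salted(stolen, wordlist):
    """No shared table possible: the wordlist is re-hashed for every salt."""
    cracked = {}
    hashes_computed = 0
    for user, (salt_hex, digest) in stolen.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            hashes_computed += 1
            if salted_hash(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, hashes_computed


def duplicate_groups(stolen_values):
    """Accounts whose stored values are identical; only visible without salt."""
    groups = {}
    for user, value in stolen_values.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    unsalted = build_unsalted_file(ACCOUNTS)
    salted = build_salted_file(ACCOUNTS)
    print("unsalted duplicates:", duplicate_groups(unsalted))
    print("salted duplicates:  ", duplicate_groups({u: d for u, (_, d) in salted.items()}))
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))
    print("salted crack:  ", crack_salted(salted, WORDLIST))
```

Run it and the unsalted file gives up the three “Password” accounts and the two “dog” accounts as visible groups before a single guess is made, and the seven-word table cracks nine of ten accounts at a cost of seven hash computations. The salted file shows no duplicates and costs the attacker a fresh pass over the wordlist for every account. Note that the nine weak passwords still fall, only more slowly; salting removes shared and precomputed work, and a slow password hash (PBKDF2, bcrypt, scrypt, Argon2) is what makes each of those per-account passes expensive.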

About Access Smart

Founded in 2005 and headquartered in Ladera Ranch, California, Access Smart, LLC is a one-stop-shop offering a wide range of logical access products (software, licenses, cards and readers) to make network authentication deployment fast, easy and inexpensive. We are dedicated to empowering businesses, agencies and institutions to securely regain control over their computers and networks at the point of entry. Authentication, authorization and non-repudiation do not have to be cumbersome to be effective. That’s why our products are designed using state-of-the-art security technologies while focusing on ease-of-use and low-cost-of-ownership.

Previously, smartcard technology was only affordable to large government agencies and Fortune 500 companies. Access Smart has turned that model upside down by utilizing existing infrastructures and matching the technology to the needs.  Please contact Access Smart for a no obligation consultation on how best to implement Authentication, Authorization and Non-Repudiation into your business.  Access Smart – The Alternative to PKI.