Cracking The Code: How Salt & Pepper Secure Passwords
Published on April 14, 2023 by Hemanth
--
Have you ever wondered how your favourite websites and 'apps' store your passwords? Sure, they all tell you that they handle your passwords 'securely'. But what does this mean? And how secure are your passwords really?
These are the questions that I will be trying to answer in this essay, in addition to explaining the technicalities of handling passwords.
If you are wondering what set me on this journey, it has to do with a new web software application that I have been developing recently.
For this piece of software, I had to learn and implement user authentication and security from scratch. Naturally, I am nowhere near being an expert on this topic.
But I thought my level of knowledge would at least help the typical user understand what is going on beneath the curtain of password security.
Let me start by answering a very important question:
'How do websites and online services store your passwords?'
Well, the answer to that question is that they don't! But how can these services verify that you entered your password correctly without storing it? Therein lies the cornerstone of password security: hashing. (You will often see this called 'encryption', but the two are different: encryption can be reversed by whoever holds the key, whereas a hash is designed never to be reversed.) Let us begin there.
Think of password hashing as the process of transforming your text-based password into a fixed-length, seemingly random string.
The resulting output is known in the biz as a 'hash' (no, not what you are thinking).
That 'seemingly random' string is produced by something known as a hashing algorithm.
Modern hashing algorithms are one-way operations. In other words, computing the hash from the password is easy, but working out the password from the hash is computationally infeasible; the only route is to guess candidate passwords and hash each guess.
This is simply the nature of these algorithms, given current computing capabilities.
Password hashing (SHA-1 shown for illustration only; SHA-1 is a fast general-purpose hash, not a suitable password hash). Illustrative art created by the author.
In practice, your browser sends the password itself, not a hash, to your service provider over an encrypted connection (TLS, the padlock in the address bar). The provider hashes it on arrival and keeps only the hash. Let us say that some bad actors get their hands on that stored hash. Won't they be able to send it over to your service provider and impersonate you?
Well, that would not work. Here's why. Your service provider does not compare an incoming value directly against the stored hash. Instead, it takes whatever you send, runs it through the same hashing algorithm, and checks whether the result equals the stored hash. An attacker who sends the hash itself simply gets a hash of the hash, which will not match.
This is another feature of a hashing algorithm: it is deterministic, producing the same output for the same input every time, even though the output seems random.
In other words, for bad actors to impersonate you, they would need to know your password. And your password is never stored anywhere other than (ideally) your head.
But in reality, things are not so straightforward. Hackers are a clever bunch.
Passwords Are Not Always Unique
Human beings are more alike than they are different. This feature (not a bug) leads to statistical regularities. It just so happens that many people, for some reason, think that some particular passwords are safe.
We are talking about many unrelated people using the same password here. For a hacker holding a leaked table of hashes, this is a dream scenario.
All he or she has to do is figure out which hashing algorithm the service provider used (often obvious from the length and format of the hashes), hash the popular passwords the same way, and look for matches.
There exist huge lists of these commonly used passwords, compiled largely from earlier breaches; they are known in the biz as wordlists or dictionaries. Hackers run each entry through the hashing function and compare the results against the leaked hashes. A related trick, the 'rainbow table', stores precomputed hashes in a compressed form so that the hashing work is done once and reused against any database that used the same algorithm without a salt.
Good service providers are on top of these dictionary attacks though. They use hashing functions designed specifically for passwords (bcrypt, scrypt, Argon2 or PBKDF2) that are deliberately slow: each has a cost parameter that makes a single hash computation take tens of milliseconds rather than a fraction of a microsecond.
This does not bother a stand-alone user logging in once. But a hacker who must try billions of guesses against a leaked table pays that cost for every single guess, which multiplies the price of the whole attack by the same factor, typically tens of thousands.
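To make the attack and the countermeasure concrete, here is an added example (not code from the original post) using only Python's standard library. The wordlist, the 'leaked' user table and the account names are constructed for the example. It precomputes hashes for a small wordlist, cracks an unsalted SHA-256 table by plain lookup, and then measures how much more expensive each guess becomes when the same primitive is iterated through PBKDF2-HMAC-SHA256:

```python
import hashlib
import time

# Constructed wordlist: a handful of entries from any common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def sha256_hex(password: str) -> str:
    """Fast, unsalted hash: what a naive service might store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Hash the wordlist once. Against unsalted storage this table is reusable
    across every breached database that used the same algorithm."""
    return {sha256_hex(p): p for p in wordlist}


def crack_unsalted(leaked_hashes: dict, table: dict) -> dict:
    """Recover passwords by dictionary lookup; None where the password is not
    in the wordlist."""
    return {user: table.get(h) for user, h in leaked_hashes.items()}


# Constructed "leaked" user table from a service that stored bare SHA-256.
LEAKED_DB = {
    "alice": sha256_hex("letmein"),
    "bob": sha256_hex("qwerty"),
    "carol": sha256_hex("correct horse battery staple"),  # not in the wordlist
}


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """The same SHA-256 primitive, iterated through PBKDF2 so each guess costs
    `iterations` HMAC computations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def cost_ratio(iterations: int) -> float:
    """Rough measurement: how many times more expensive one PBKDF2 guess is
    than one bare SHA-256 guess on this machine."""
    salt = b"\x00" * 16  # fixed salt is fine for timing only; never do this in storage
    fast_trials, slow_trials = 1000, 3
    t0 = time.perf_counter()
    for _ in range(fast_trials):
        sha256_hex("password")
    fast = (time.perf_counter() - t0) / fast_trials
    t0 = time.perf_counter()
    for _ in range(slow_trials):
        slow_hash("password", salt, iterations)
    slow = (time.perf_counter() - t0) / slow_trials
    return slow / fast


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print(crack_unsalted(LEAKED_DB, table))
    print(f"one PBKDF2 guess ~ {cost_ratio(100_000):.0f}x the cost of one SHA-256")
```

Note that the lookup table is built once and never touches the leaked database until the final dictionary `get`; that is exactly the work a salt (next section) forces the attacker to redo per account. The iteration count in `cost_ratio` is the cost parameter the text refers to; raising it raises the attacker's bill linearly.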
But we cannot call that air-tight security, can we? Slow hashing raises the price of each guess, but two users with the same password still produce the same hash, so one successful guess cracks them all at once. There are further measures applied to the password itself before it is hashed. This is where Salt and Pepper come in.
A Dash of Salt to Secure Your Passwords
In the realm of password security, Salt is a random string, generated by your service provider separately for each account, that is combined with your password before it is hashed.
The Salt is stored in the clear right next to the hash; it is not a secret, and whoever steals the database gets the Salts along with the hashes.
Its value lies elsewhere. Because every account has its own Salt, a hacker can no longer hash a wordlist once and check it against the whole database: each account must be attacked separately, and a rainbow table built for the bare algorithm is useless.
Password salting (SHA-1 shown for illustration only). Illustrative art created by the author.
There is an added benefit to Salting as well. The Salt ensures that even if two users have the same password, the stored hashes will be completely different. This is another feature of the hashing function:
it outputs a completely different string for even a one-character change in input (the 'avalanche effect'). So, in essence, the added Salt performs the following two functions:
1. It defeats precomputation, forcing a hacker to redo the hashing work for every account rather than once for the whole database.
2. It ensures that even if two passwords are the same, their hashes are unique to the respective users, so cracking one account reveals nothing about another and the database does not give away which users share a password.
A Pinch of Pepper to Spice Up Password Security
While Salt is a random value unique to each account, Pepper is a single secret value that acts like a master key. It is shared across all accounts, but only one party holds it: your online service provider, and even there it must be kept out of the user database.
Typically, the Pepper is stored on the application side, in a secrets manager, a hardware security module or, at minimum, an environment variable on the application server, so that an attacker who dumps the database does not get it along with the Salts and hashes.
Once you enter your password, the system combines it with the Pepper (usually by keyed hashing, HMAC, rather than plain concatenation) and the Salt before hash generation. Without the Pepper, a stolen table of Salts and hashes cannot even be attacked offline, because the hacker cannot compute the correct hash for any guess.
Password peppering (SHA-1 shown for illustration only). Illustrative art created by the author.
Each time you log in, this entire process is repeated to ensure that it is really you who is trying to log in. It is computationally intensive by design, and that is the price of password security.
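The complete salt-and-pepper scheme described in the last two sections, as an added example in Python (not the author's code). The pepper value, the iteration count and the account names are assumptions made for the example; in a real deployment the pepper would be read from a secrets manager or HSM rather than falling back to a hard-coded default. The pepper is applied with HMAC before the salted PBKDF2 derivation, which is one common arrangement, not the only one:

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical server-side pepper: one secret shared by all accounts, read from the
# environment here for illustration. Keep it out of the user database (secrets
# manager, HSM, or at least an environment variable on the application server).
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-do-not-use").encode("utf-8")

# PBKDF2-HMAC-SHA256 cost. OWASP's 2023 guidance is 600,000 iterations; kept lower
# here so the example runs quickly. Stored with each record so it can be raised later.
ITERATIONS = 100_000
SALT_BYTES = 16


def _pepper_password(password: str, pepper: bytes) -> bytes:
    """Mix in the pepper with HMAC rather than string concatenation, so the
    pepper is used as a proper key and the intermediate value is fixed-length."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def register(password: str, pepper: bytes = PEPPER) -> dict:
    """Build the record a service would store: a fresh random salt, the cost
    parameter and the derived hash. The salt is stored in the clear on purpose."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _pepper_password(password, pepper), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", _pepper_password(password, pepper), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_distinct_records(password: str) -> bool:
    """Two users choosing the same password get different salts and hashes."""
    a, b = register(password), register(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


def leaked_record_verifies_without_pepper(password: str) -> bool:
    """Simulate an attacker who stole the database (salt, cost, hash) but not the
    pepper: even the correct password fails to verify with a guessed pepper."""
    record = register(password)
    return verify(password, record, pepper=b"attacker-guess")


if __name__ == "__main__":
    # Constructed accounts for the demonstration.
    users = {name: register(pw) for name, pw in [("alice", "hunter2"), ("bob", "hunter2")]}
    print("alice, right password:", verify("hunter2", users["alice"]))
    print("alice, wrong password:", verify("hunter3", users["alice"]))
    print("alice and bob share a hash:", users["alice"]["hash"] == users["bob"]["hash"])
```

Two details worth noting: the iteration count is stored in the record so it can be raised for new registrations without breaking old ones, and the final comparison uses `hmac.compare_digest` so that the time taken does not leak how many leading bytes of a guess matched.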
Current password security systems are indeed marvellous. But alas! They are not airtight. There are several ways in which hackers still gain access to your accounts.
Advanced Hacking Shatters Password Security
If you think about it, there is an easy access point for a password: the moment you type it in.
Hackers plant malware on your device that runs in the background and records your keystrokes (a keylogger). This is known as client-side password interception, and no amount of hashing on the server helps, because the password is captured before it is ever hashed.
And then there is social engineering, where bad actors trick information out of you by faking authority (pretending to be your service provider, for instance, in a phishing email or on a look-alike login page) and steal your password.
Another route that hackers take is to skip passwords completely and go directly for the database at your service provider's side. If the provider's database is weakly protected, or the passwords in it were stored with a fast, unsalted hash, every account is exposed to the offline attacks described above.
All in all, there are several ways in which hackers can still get their hands on your password or account information. So, what can we do about it? Before I get to that, let me summarise what we have covered thus far.
Summary and Optimal Security Practices
In short, password security revolves around these three concepts:
1. Hashing: a one-way hashing algorithm converts your text input to a fixed-length hash; the service stores the hash, never the password. For passwords, the algorithm should be deliberately slow.
2. Salt: Your service provider adds a random, per-account string (Salt) to your password input before hashing and stores it beside the hash. This ensures that even if your password is the same as someone else's, your hashes are still unique, and that precomputed tables are useless.
3. Pepper: Your service provider adds a secret master key (Pepper), kept outside the database, to all passwords along with the Salt before hashing. If the database leaks but the Pepper does not, the hashes cannot be attacked offline.
The harsh reality is that even beyond these measures, your passwords are not necessarily safe. Here are 3 steps you can take to minimise (unfortunately, not eliminate) the risk of password breach/compromise:
1. Use long passwords that are unique to each site (a password manager makes this painless) and turn on multi-factor authentication. It makes logging in slightly more effort, but improves security significantly: a password stolen from one site unlocks nothing else, and a stolen password alone is not enough to get in.
2. Make sure that your device and software are up to date. Hackers usually take advantage of people using outdated systems that lack security fixes. This is what enables them to run scripts that track your keystrokes, etc.
3. Choose your online service provider wisely. I know. This is like a lucky draw; even the best of service providers can be hacked. But with the sheer number of 'low-code', 'no-code' and non-technical startups offering technical solutions these days, I suggest paying attention to technical reputation and experience.
Now, it is time to wrap up. I hope that you gained a finer understanding of how password security works from this essay, and wish you a safe and secure online experience!