Sunday, June 17, 2018

Salts in Passwords

This one is inspired by a comment I read on twitter; essentially someone said that you should use a salt in your password hashes, which is obviously true. However it could have been fleshed out a little bit more than the 280 character limit allows.

Let's take a look at what a salt is:

$ openssl passwd -1 password

I've bolded the salt here - using md5crypt because the actual hash doesn't matter too much and this at least fits on one screen. These days, sha512crypt, bcrypt or something even better is to be preferred.

Above we have hash type, salt and the actual hash, separated by "$" characters. So, why do we have the salt? 

Essentially, if I can get hold of your password hashes and there's no salt, I can try every single password guess against the whole list of users at once - it's just as fast to crack 1,000 passwords as one password.  It also makes it computationally infeasible to build a mapping from password to hash, as we can make the size of the map completely silly.

So - your salt should be cryptographically random and long enough (8 base64 chars here I think, so 48 bits worth).  This means when I'm cracking, I have to perform a computation per individual hash, and not one for the whole lot like I can with plain SHA1 or NTLM.