Internet Security III: Salting Your Hashes

I dream therefore I Am.


Salting your hashes helps protect against rainbow attacks. No I'm not making this up, this is fairly basic web security.

If you waded through my previous rambles on this topic you'll recall that hashing is a way of protecting user passwords. A hash is an algorithm that generates a very large number from data (often text). The hash represents the data, kind of like a fingerprint. Hashing can be used as a way to verify that data hasn't been tampered with - if the hash is transmitted with the data then you can hash the data yourself and check it matches what is expected. Hashing is also a way to check passwords without having to store the password. When a user supplies a password the password can be turned into a hash and compared with the stored hash. If the two hashes match then the user has supplied the right password and this can be done without having to store the password. This improves security because if you don't store the password you can't leak the password.

Unfortunately however, as I explained, this is vulnerable to a type of attack called a "brute force" attack. If an attacker knows the hashing algorithm in use they can simply try every possible password until they find the one that matches the hash. One way to reduce the risk of this is to use a very slow hashing algorithm, so that trying every possible password becomes very difficult.

Alas, the bad folk are as intelligent as the good folk. Our saving grace is that being good requires less deception which in the long run makes it more effective, the problem then is trust and there are various ways to establish trust or to co-operate with people without having to trust. All topics for future ruminations.

Although slow hashing protects against brute force in theory, there's another class of attack it doesn't prevent and these are called "rainbow table" attacks. (Don't ask me why, but I bet google knows - probably because a rainbow has all the colours.) As well as computers getting vastly faster (I refuse to use the word exponentially because it actually has a meaning and this aint it) storage has become vastly cheaper too. There are only a finite number of common slow hashing algorithms and if you want to be secure you ought to be using a well understood one. Sadly that means an algorithm known to your attacker too. For those not in the know, which now doesn't include all UK schoolkids below a certain age, an algorithm is a series of steps to achieve a result. Like a cooking recipe. I love that children are now taught this.

An attacker who knows what hashing algorithm you're using can pre-compute all the hashes of every possible password. This is called a rainbow table. It takes a lot of time and a lot of storage space, but once it's done it's done and then your one way hash is broken! The point of a one way hash is that it's easy to turn a password into a hash but hard to turn a hash back into a password. If you've calculated all the possible hashes of all the possible passwords then it's easy to go from a hash back to a password - you just look it up in your rainbow table!

This incidentally is why password security nowadays is mostly dependent only on the length of the password you pick. Working out all the possible hashes for a five character password is mahoosively easier than every possible hash for a ten character password. The comic-and-generally-all-round-genius XKCD recommends that instead of picking a password you should use a pass-phrase, and maybe throw in a number and symbol to throw off dictionary attacks (passwords comprised of words in the dictionary are common, so attackers try these first). Added to this "my-horse-only-p33s-in-the-bedroom" is much easier to remember than "f&fadjsd!!00ffr". The pass-phrase is dramatically more secure, simply because it's longer and it would take a million more computers for a million more years to break it (uhmm, approximately). This is why websites that have a maximum length for your password are being stupid as well as lazy. They've made a security decision to make lives easier on their database rather than making a security decision for security.

The way round this is to salt your hashes. Instead of hashing just the password you pick a random salt (a word or string of characters) and hash the password plus the salt. You need to store the salt alongside the hash, and always use it when checking the password. Now a rainbow attack doesn't work because each password has a different salt, so they'd need a different rainbow table for each "password plus salt" combination. So even if your database of password hashes plus salts leaks the attacker still has to compute or already have a rainbow table for every salt. Effectively you just made every password a lot longer, and longer in a different way for each password, making the required rainbow table required to break it vastly (exponentially?) bigger. At some point, as computers continue to get faster and storage cheaper, this will not be enough, but at that point you can migrate your database to a different hashing algorithm and a longer salt. There are established techniques (annoying to do but well understood) for this migration process.

At this point it seems right to mention that it's not just salted hashes I'm a fan of, but the current fad of salted caramel is right up my alley (if you know what I mean) and Christmas is nearly upon us!


You may also be interested in the following programming related articles:




"It's not so much that I don't fit in a box, it's more that I really resent being pushed into a box that I'd probably fit into if I wanted."

Popular posts from this blog

The Jesus Army and the Independent Inquiry into Childhood Sexual Abuse

Image
 IICSA Inquiry - Child Protection in Religious Organisations and Settings  The Truth Project for Victims of Religious Abuse The exclusively male authority of the Jesus Army, delegated from the cruel and unusual senior pastor Noel Stanton, was full of darkness and deceit and nothing of God. It was a personality cult with Noel as an absolute ruler who delighted in crushing people.  Those in the cult who took on a sacred duty to care, and swore a covenant to it, have to answer for the shameful way they treated so many. The leaders who were in charge; it happened on their watch, they let it happen and made it happen. Oath breakers and traitors. To betray love is its own reward. There is a price to be paid in the heart. Deuteronomy 1:35  None of this evil generation will see the good land I promised your ancestors. The JA called itself the "Joshua generation", the J Generation. They didn't read the story right. Only two from that generation believed God and entered the promise
Read more

Commentary on Brexit and Thoughts on Patriotism

Image
I don't seem to meet many ordinary people. Most people seem extraordinary. As much as I am opposed to Brexit it seems curious to me the delight with which some people I follow on Facebook seem to take in news that the negotiations are apparently difficult and that it could be bad for Britain. They seem to relish the damage as they'd rather be right than see something good come out of it. It is a rather foolish state of mind to wish harm upon yourself and your fellows merely in order to be proven right. I detest much of the harm and lack of compassion I see in the Tory government, whilst accepting that those who vote conservative see the world in a very different way to me and that I am not wholly right and nor are they. I want the best for the UK and I want the best for Europe and I sincerely hope we can find our way forward together no matter who is in government in the UK. This is why party politics is so pernicious. It cons you into supporting a side instead of suppo
Read more

The Bible: The Good Parts

Image
I'll start by saying what most "bible believing" Christians dare not say: the bible is a highly problematic book. As a historical record of the (gradual) revelation of the nature of God to humanity it paints a pretty unflattering view of God at times - seen through the eyes of a fallen humanity.  For a look at some of the parts of the Bible that have been used to cause harm see: The Bible: The Bad Parts The bible was greatly redeemed in my eyes by reading " A Matter of Integrity "  by Steve Chalke. I recommend it to everyone. Seen as the ongoing revelation of God to humanity, a revealing that didn't just stop 2000 years ago by the way, the bible again became something sacred and beautiful to me. Despite being a "difficult" book, the nature of God and the way to the kingdom are hidden (or revealed - as you please) within the bible. Below are some of my favourite passages (there are many more that I could have picked) that reveal God and
Read more