Reputation: 57
how salt is used in authentication process?
Does anyone know how salt is used in the authentication process? although i have searched through the internet but still don't really understand. can anyone help? thank you very much!
Upvotes: 2
Views: 659
Answers (1)
Reputation: 11989
A common usage is a salted hash. Besides sounding delicious, it works like this...
One way to encrypt a value is to create a two-way encryption mechanism that uses a secret key to encrypt and decrypt password. This can be problematic because if someone gets the secret key, they can decrypt anything. For example, if someone gets access to your database and can decrypt one user's password, they can then decrypt every user's password. Plus just the fact that it is possible to decrypt the values at all can be a security risk.
Another option is to create a hash. This is one-way sort-of encryption, which always provides the same result. This can be beneficial because it can remove the need to decrypt values, because to check a user's password you just hash it and see if it matches the hashed value in the database. However, the two downfalls to this are that because the hash algorithm itself is usually not secure, then anyone with the same password will have the same encrypted value. Because of this, if you can get one person's password, you can easily figure out who else has the same password. Also, it is susceptible to running a whole dictionary through the hash algorithm to see who has a weak password.
So the way to improve on the hash is to add in a salt value. Before you hash the user's password, just add their user name (or user ID or something else that is constant for the user but unique to them) to it before you run it through the hash algorithm. This way everyone will get a different encrypted value, and yet everyone's hash value will still be repeatable for their own account. Also, it reduces the risk of dictionary attacks, because you know the value that when into the hash did not come from a dictionary. Someone would have to include each user's user name or user ID or whatever in the brute force attack, so even if one person got compromised, the hacker would have to start from scratch for every other user, even those with the same password.
Upvotes: 5
Related Questions
- Salt in cryptography
- How does Secure User authentication work?
- Salt, passwords and security
- Password hashing and salting
- Can you help me to understand salt hashing function?
- Passwords, salts and auths
- Salted password hashes
- How does Unix SALT help protect passwords?
- php salt authentication
- What is the purpose of salt?