In my previous post I talked about issues regarding user responsibility for creating and remembering passwords. This time I wanted to shed a little light on what happens to your password behind the scenes to make it extra secure.
Salting
Salting is the practice of adding extra characters to your password before it is hashed (more about hashing below). Everybody does it slightly differently, but the basic idea is to increase the length and complexity of the value that actually gets hashed. Let’s say you have your favorite password, IL0v3MyC@t (I love my cat). By itself that is a pretty secure password, but we can make it even more secure by adding some salt to it. This means we generate some extra random characters and attach them to the beginning or end of your password. So if our salt is “NaCl”, we attach it to your password like so: IL0v3MyC@tNaCl. We have now added four more characters to your password and exponentially increased the difficulty of cracking it. The salt itself is not secret: it is stored next to the hash so the same salt can be applied again when you log in, and because each user gets their own random salt, two people who pick the same password still end up with different hashes. Unfortunately the salt only protects your password if the password is hashed, so let’s talk about that next.
Hashing
Hashing is a method of running your password through a one-way algorithm to produce a fixed-length string of characters. The reason this is important is that once your password has been hashed it is no longer human readable, and the hash cannot be reversed back into the password. For instance, if we run the previously mentioned password, IL0v3MyC@t, through a common hashing algorithm we get: f405763ddea08b3d1ef57d3410fd5ec5c1c10fa2. Now if someone gains access to the database where your password is stored, they cannot simply read your password out of it. There is one problem with hashing though: your password will always hash in the same way. This is absolutely necessary, or else we could not check your password against the stored hash at login, but it also means someone can run a computer program against your hashed password in an attempt to crack it. This is mostly a brute force method of guessing every combination of characters (or, more often, trying lists of common passwords and precomputed hashes) until they find a matching hash. This is why we salt! When we salt a password we are increasing the length and complexity of your password, which exponentially increases the number of possible combinations a computer will have to attempt to find your password, and because the salt is random per user, any table of precomputed hashes an attacker prepared in advance no longer matches.
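The salting and hashing steps described in the two sections above, as an added example that is not code from the original post. It uses only Python's standard library, generates a random per-user salt, and derives the stored hash with PBKDF2-HMAC-SHA256 (a deliberately slow, salted hash) rather than the single-pass hash shown above; the record format and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example (not from the original post). The post concatenates a salt to
# the password before hashing; here the salt is random per user and the hash
# is a slow, salted one (PBKDF2-HMAC-SHA256), which is how passwords should be
# stored rather than with a single fast hash.
ITERATIONS = 600_000  # assumption: a reasonable PBKDF2 work factor for this demo


def make_salt(num_bytes: int = 16) -> bytes:
    """Generate a fresh random salt; a new one for every stored password."""
    return os.urandom(num_bytes)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored hash from the password and its salt (deterministic)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password: str) -> str:
    """Build a storable record: algorithm, iteration count, salt and hash (hex)."""
    salt = make_salt()
    digest = hash_password(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1(password: str) -> str:
    """The post's single-pass hash, for contrast: same input, same output, every time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "IL0v3MyC@t"  # the password from the post
    rec1, rec2 = store(pw), store(pw)
    print(rec1)
    print(rec2)
    # Same password, two different records: the salts differ, so one cracked
    # hash says nothing about the other and a precomputed table cannot be reused.
    print(rec1 != rec2, verify(pw, rec1), verify("wrong", rec1))
```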
There is of course much more going on behind the scenes, but hopefully you now understand a little more about how developers protect your password.
For a more detailed explanation of the salting and hashing process, check out this article: https://crackstation.net/hashing-security.htm