How does salt improve password security?

Passwords are stored in a hashed form within the database. Each user login requires a comparison of these stored passwords with user-entered passwords to perform authentication. The two steps of the process are depicted in the following slides:

While the above process has its benefits, it can result in inadequate password security if an unauthorized individual gets access to the database. Hackers can crack passwords primarily through the use of rainbow tables. To improve password security, a technique called salting is used in password storage.

What is a password salt?

Salts are strings of random bits added to passwords before they are hashed and stored in the database. Using a random and unique value of salt adds an extra layer of security to password storage. Take the example of the following two users who have the same passwords stored in the database:

We can see that adding a unique salt for each password can result in a completely different hash for the same passwords of two different users. Therefore, even if two users have the same passwords and a hacker gets access to the password database, it's not possible for them to identify two similar passwords.

Note: In general, salts are 32 or 64 byte random strings. While longer salt values increases the computational complexity for attackers, the performance of the security system can get affected.

Benefits of salt

Other than creating different hashes of the same passwords, salt increases the complexity and, consequently, the reverse-engineering of passwords. Salting also makes rainbow tables incapable of cracking passwords. Furthermore, it reduces the efficiency of dictionary and brute-force attacks against password cracking.

Interesting aspects of salt

Here are some interesting aspects of the usage of salt:

• They can be stored in plaintext within the same database. It is because the purpose of the salt is to add randomness by making each password unique, even if the original passwords are the same. But, salts have no cryptographic advantage. While it is okay to store salts in plaintext, it may not be a good idea to make them public information.

• Each salt value should be unique, i.e., for each password, a different salt value should be generated even if the user is the same. If a user changes a password, the salt should also change. In some cases, a system-wide salt is used, which renders salt almost useless.

• Although we mentioned that salts can be stored in plaintext, it is a good idea to store salts in a different database separate from the passwords database. This will increase the difficulty level of password cracking for attackers.

Salting passwords is a complex task and requires careful planning and implementation. Because people can sometimes compromise the security systems, tasks like salting are often completed through machines using algorithms like bcrypt or security frameworks like Spring Security.