
What is salting in cryptography? | Why do we need salting when saving passwords in the database? (Simple Explanation)


Salting means adding random data (the salt) to the plaintext (for example, a password) and then hashing the combination. Because the salt is random, the same plaintext hashed with different salts produces different hashes. 


Why do we need salting when saving passwords in the database?

Hashes are not unique to the value being stored: a hash function is deterministic, so the same input always produces the same output.
We need salting precisely because the same hash function produces the same output for the same input. 
Let's take an example:
An attacker exploits a SQL injection vulnerability in a website and dumps all the credentials from the database. Usernames are mostly unique when the application authenticates with a username and password, but many users may have chosen the same password. Without salting, every user with the same password also has the same hash stored in the database. 
Now, if the attacker recovers the clear-text password of a single user, the attacker immediately has the password for all ten users who share that hash.
That is why we need salting: it makes it much harder for an attacker to recover all of the clear-text passwords.

Many of you may be wondering how we can get the clear-text password from the hash if hashing is an irreversible process.

We can get the clear-text password by brute force or a dictionary attack. After dumping the database, the attacker has the hashes of the passwords. The attacker runs the brute-force or dictionary candidates through the same hash function the website uses and compares each result with the dumped hashes. If a hash matches, the attacker has the clear-text password.

Both dictionary and brute-force attacks require computing the hashes at attack time. Since a good password hash function is slow, this takes a lot of time. To avoid this cost, the attacker may use a rainbow table.

What is Rainbow Table?

A rainbow table is a pre-computed database of hashes. With it, the attacker can simply do a reverse lookup of each hash from the dumped password database. Rainbow-table attacks are fast because the attacker does not have to spend any time computing hashes during the attack.

Mitigation for brute-force and dictionary attacks on hashed passwords:
To mitigate this issue we salt the passwords. The salt should be stored securely, because if an attacker obtains both the salt and the hash, the attacker can use both for a brute-force or dictionary attack. 
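The following example is added here and is not code from the original post. It shows, on constructed sample accounts and a constructed wordlist, the two points made above: without salting, users who share a password share a hash, so one precomputed lookup table recovers all of them at once; with a random per-user salt, the hashes differ and every guess has to be recomputed for every user. PBKDF2-HMAC-SHA256 from Python's standard library is assumed as the slow password hash (any modern password hash such as Argon2 or bcrypt would serve the same role), and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): alice and bob share a password.
SAMPLE_USERS = {
    "alice": "Summer2023!",
    "bob": "Summer2023!",
    "carol": "correct horse battery staple",
}

# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "123456", "Summer2023!", "letmein"]

# Assumption: a PBKDF2 iteration count high enough to make each guess slow.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 over the password and a per-user salt (slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users: dict) -> dict:
    """What the database looks like without salting: username -> hash."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict, iterations: int = ITERATIONS) -> dict:
    """With salting: a fresh random 16-byte salt per user, stored next to the hash."""
    records = {}
    for u, p in users.items():
        salt = os.urandom(16)
        records[u] = {"salt": salt.hex(), "hash": salted_hash(p, salt, iterations)}
    return records


def verify_salted(record: dict, candidate: str, iterations: int = ITERATIONS) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], salted_hash(candidate, salt, iterations))


def duplicate_hashes(stored_unsalted: dict) -> dict:
    """Groups of users whose stored hashes are identical (hash -> [users])."""
    groups = {}
    for u, h in stored_unsalted.items():
        groups.setdefault(h, []).append(u)
    return {h: us for h, us in groups.items() if len(us) > 1}


def table_lookup_unsalted(stored: dict, wordlist: list) -> tuple:
    """Hash the wordlist once (a minimal stand-in for a precomputed table), then reverse
    look up every dumped hash. Returns (recovered users, number of hash computations)."""
    table = {unsalted_hash(w): w for w in wordlist}
    recovered = {u: table[h] for u, h in stored.items() if h in table}
    return recovered, len(wordlist)


def per_user_guessing_salted(stored: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """With per-user salts no shared table exists: each guess must be recomputed with each
    user's own salt. Returns (recovered users, number of hash computations)."""
    recovered, computations = {}, 0
    for u, rec in stored.items():
        salt = bytes.fromhex(rec["salt"])
        for w in wordlist:
            computations += 1
            if hmac.compare_digest(rec["hash"], salted_hash(w, salt, iterations)):
                recovered[u] = w
                break
    return recovered, computations


if __name__ == "__main__":
    plain = store_unsalted(SAMPLE_USERS)
    print("users sharing a hash without salt:", duplicate_hashes(plain))
    print("table lookup, unsalted:", table_lookup_unsalted(plain, WORDLIST))
    salted = store_salted(SAMPLE_USERS, iterations=1000)
    print("per-user guessing, salted:", per_user_guessing_salted(salted, WORDLIST, iterations=1000))
```

Running it shows alice and bob sharing one hash in the unsalted store, both recovered by a single table built with four hash computations, while the salted store needs a separate run of the slow function for every (user, guess) pair and its records for alice and bob do not match each other. Note that the salt is kept in the record next to the hash, which is the usual design: its protection comes from being random and unique per user, so that even an attacker holding both salt and hash must redo the work for every account and cannot reuse a precomputed table; a secret value kept apart from the database is a separate mechanism, usually called a pepper.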
