Secure Password Hashing with Salt and Pepper

Ever wonder what happens to your password after you type it in? It doesn’t just sit in a database waiting to be hacked—there’s a lot more going on under the hood. Storing passwords isn’t just about keeping a secret—it’s about using the right techniques to make sure that even if a hacker gets in, they can’t read your passwords. Let’s break down how to do it right.

Introduction

When you type your password, it is processed by a special algorithm known as a hash function. This transforms your text data into a fixed-length string of characters, commonly known as the hash value or digest. This converted hash value in then stored in database. So, when you revisit a website, the typed text goes through same function and gets converted to same hash value. This way if someone got access to database, the attacker cannot see your original password.

Hashing Functions

Let’s take a look some popular hash function:

• MD5: An outdated 128-bit hash function known for its vulnerabilities and insecurity.
• SHA-1: A 160-bit hash function now deprecated due to collision vulnerabilities.
• SHA-256: A secure 256-bit hash function commonly used for encryption and data integrity.
• SHA-512: A stronger, secure 512-bit version of SHA-256, used for high-security needs.
• bcrypt: A password hashing algorithm designed to be slow and include salts, ideal for secure password storage.
• scrypt: A memory- and CPU-intensive hashing algorithm, excellent for protecting against brute-force attacks.
• Argon2: A modern and highly secure password hashing algorithm, flexible in memory and time cost.
• SHA-3: A future-proof, highly secure hash function offering enhanced security over previous SHA versions.

Two users, one password—shouldn’t their data be vulnerable? Fortunately, modern systems are smarter than you think. What if hacker makes his database (Rainbow tables) using all known passwords hash values. The cracking password task will be easier for him. Salting is needed to enhance the security of hashed passwords by introducing randomness, preventing several common attacks.

Salt: A random value added to the input data (like a password) before hashing.

The random Salt value is commonly stored besides the hash value in database.

Why Hardcoding Salt is Risky?

1. Predictability: If the salt is hardcoded (meaning it’s the same for every user), it loses its purpose. Hackers can easily figure out the salt and apply it to crack multiple hashed values.
2. Vulnerability: If someone gains access to the application’s source code, they can see the salt, making the hash values easier to crack.

Best Practice for Salt:

• Unique Per User: A salt should be randomly generated for each user or each hashed item. This way, even if two users have the same password, their hash values will be different due to their unique salts.
• Store Salt Separately: The generated salt is often stored alongside the hash in the database (but never hardcoded in the application). When the user logs in, the system retrieves the salt, combines it with the user’s input, and rehashes to check if it matches the stored hash value.

Pepper: Unlike salt, which is stored and unique for each user, pepper is a secret value (usually a string) that’s added to every password before hashing. The pepper should not be stored in the code or database. It could be stored in a separate, highly protected environment (like a hardware security module).

So, in practice:

• Salt = Unique and random per user, stored in the database.
• Pepper = A secret string known only to the application, stored securely (not in the code).

Should Both Be Used?

Yes, using both salt and pepper together improves security. Salt prevents attackers from precomputing hash values (using rainbow tables). Pepper provides additional protection, even if the database with salts and hashes is compromised, because the pepper is stored elsewhere securely.

In summary, Salt makes it harder to crack hashes, even if passwords are the same. Pepper adds an extra layer of protection by being a secret that attackers cannot easily access.

Hashing technique is also used in following sectors:

• Data Integrity Verification: Hashing is used to verify the integrity of data, such as downloaded files or software. The hash of the original file is compared with the hash of the downloaded version to ensure no corruption or tampering.
• Digital Signatures: In digital signatures, a document is hashed, and the hash is encrypted with the sender’s private key to create a signature. The recipient can hash the document and compare it with the decrypted signature to verify authenticity. This ensures that the document has not been altered and verifies the identity of the sender.
• Cryptographic Applications: Hash functions are used in various cryptographic algorithms (e.g., blockchain, SSL/TLS). In blockchain, hashes secure transactions by linking blocks in a chain, ensuring that altering one block would change the entire chain.
• Checksums: Hashes are used to generate checksums for quick data verification. When data is transmitted or stored, the system creates a hash to ensure the data hasn’t been altered or corrupted.
• Efficient Data Lookup: Hashing is used in data structures like hash tables, which enable fast lookups, insertions, and deletions by mapping keys to specific locations.

Let’s create a hash value from a string using the SHA-3 hash function.