What is password salting and why should you care?
The cybersecurity landscape is improving: technologies get better, users expect more from the services that hold their data, and transparency is among the most valued features.
That is why basic literacy in the underlying technical terms matters to every user.
Let’s discuss one of the crucial elements in password security – password salting.
Nobody (hopefully) stores your passwords in plaintext.
When you type your password into a platform with reasonable security standards, it never stores the password the way you typed it in. That is, it never keeps it in plaintext. At least it shouldn’t.
Respectable service providers hash each password together with a random salt to strengthen the security of your data.
What is password salting?
Password salting is the technique of generating a random sequence of bytes (typically 16 bytes or more; 32 hex characters is a common stored form) for each password, combining it with the password, and only then hashing the result. The salt is not secret: it is stored next to the hash so the service can repeat the computation when you log in. Password hashing means running the password through a one-way function that produces a fixed-length digest: the same input always yields the same digest, but the digest cannot be reversed to recover the password.
For instance, with a salt of “3s2#$%^&”, the password R&A*nD0m would be hashed as R&A*nD0m3s2#$%^& instead of as R&A*nD0m alone. Whether the salt goes before or after the password does not matter; what matters is that every user gets a different random salt.
Because every salt is different, two users with the same password end up with different hashes, and an attacker can no longer precompute the hashes of common passwords once and look them up against every leaked database. Each stolen hash has to be attacked separately.
- If a platform stored your password in plaintext, then during a data breach the attacker could read it directly, steal it, and use it against you.
- If a platform only hashed your password, the attacker could still recover it without reversing the hash: since everyone's unsalted hash of “password” is identical, attackers keep precomputed tables of hashes for millions of common passwords and simply look the leaked hashes up. Rainbow tables are a space-efficient form of such a table. (There is no key to "figure out" in hashing; the weakness is that the computation is the same for everybody.)
- If the platform salted and only then hashed the password, those precomputed tables are useless, and every account has to be cracked individually.
Hashing plaintext passwords is not enough. Without a salt, passwords are still vulnerable to table lookups. Salting alone is also not the whole story: a salted hash computed with a fast general-purpose function such as SHA-256 can still be brute-forced one account at a time on a GPU, which is why the salt should be used with a deliberately slow password hashing function such as Argon2, bcrypt, scrypt or PBKDF2.
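To make the three cases concrete, here is an added Python example; it is not code from the original article or from PassCamp. It uses a constructed four-word "wordlist" and two made-up users who share a password, shows that a table precomputed from the wordlist recovers both unsalted accounts with zero hashing at attack time, that the same table finds nothing once salts are used and the attacker has to recompute the wordlist for every salt, and finally stores a password the recommended way with a per-user salt and a slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The `pbkdf2_sha256$iterations$salt$digest` record layout is this example's own convention.

```python
import hashlib
import hmac
import os

# Constructed demo data (not from any real breach): a tiny wordlist of the
# kind an attacker precomputes, and two users who chose the same password.
WORDLIST = ["123456", "password", "letmein", "R&A*nD0m"]
USERS = {"alice": "R&A*nD0m", "bob": "R&A*nD0m"}


def hash_unsalted(password: str) -> str:
    """Bare SHA-256 of the password: same input, same digest, on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salt prepended to the password before hashing (the article shows a
    suffix; either works as long as the salt is random and stored with the hash)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_salted(password: str) -> tuple[str, str]:
    """What the service keeps: a fresh random salt per user plus the salted hash."""
    salt = os.urandom(16)
    return salt.hex(), hash_salted(password, salt)


def build_lookup_table(words: list[str]) -> dict[str, str]:
    """The attacker's precomputed table (digest -> password). A rainbow table is
    a space-optimised version of this; for the attack it behaves the same."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(stored: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """Unsalted hashes: one lookup per user, no hashing at attack time."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def crack_salted_with_table(stored: dict[str, tuple[str, str]],
                            table: dict[str, str]) -> dict[str, str]:
    """The same table against salted hashes finds nothing: the digests were
    computed over salt+password, which the table never saw."""
    return {user: table[digest] for user, (_salt, digest) in stored.items() if digest in table}


def crack_salted_by_recompute(stored: dict[str, tuple[str, str]],
                              words: list[str]) -> tuple[dict[str, str], int]:
    """What the attacker must do instead: rerun the wordlist for every salt.
    Returns the recovered passwords and the number of hashes computed, which
    now grows with the number of users instead of being paid once up front."""
    recovered, work = {}, 0
    for user, (salt_hex, digest) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if hash_salted(w, salt) == digest:
                recovered[user] = w
                break
    return recovered, work


# Salting defeats precomputation; a slow, tunable KDF slows per-user brute force.
# 200_000 is a demo value; OWASP's cheat sheet recommends 600_000 for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 200_000


def make_password_record(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 in a self-describing record. The
    'pbkdf2_sha256$iterations$salt$digest' layout is this example's own
    convention, chosen so the parameters travel with the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    print("unsalted, cracked by lookup:", crack_unsalted(unsalted, table))
    salted = {u: store_salted(p) for u, p in USERS.items()}
    print("salted, same table:", crack_salted_with_table(salted, table))
    print("salted, recomputed per salt:", crack_salted_by_recompute(salted, WORDLIST))
    rec = make_password_record("R&A*nD0m")
    print("kdf record verifies:", verify_password("R&A*nD0m", rec))
```

Note that the two unsalted users share one digest, so cracking one of them cracks both, while their salted digests differ and `crack_salted_by_recompute` pays the full wordlist cost for each. With a real wordlist of millions of entries and a slow KDF in place of SHA-256, that per-account cost is what turns a leak from "everyone is exposed" into "only the weakest passwords fall".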
Data leaks due to unsalted passwords
When a company underestimates the importance of password salting, a data breach turns into a password leak.
- In 2012, about 6.5 million LinkedIn password hashes were posted online. They were SHA-1 hashes without salts, so attackers could run the hashes against precomputed tables and wordlists, and the bulk of the stolen passwords were recovered within days.
- In 2013, Adobe leaked about 130 million user records. The passwords were not hashed at all; they were encrypted with 3DES in ECB mode, a reversible scheme in which identical passwords produce identical ciphertext, and the plaintext password hints were stored alongside. Attackers could group accounts with the same ciphertext and use the hints to recover the most common passwords without touching the key.
- In 2016, the full dataset from the same 2012 LinkedIn breach surfaced for sale: 117 million accounts, again hashed with unsalted SHA-1. With no salts, the same cracking work applied to all of them at once.
Who is in charge of password salting?
It is the service provider, not the user, who stores the password and is responsible for salting and hashing it.
Yet you, as a user, should know what password salting is and expect it from the platforms you use. You should also use only strong passwords, turn on two-factor authentication, and never reuse a password across multiple platforms: a salt protects you only against a breach of one site, not against an attacker who already has your password from another.
Before entrusting your sensitive data to a website, do your research and check if the service providers use additional safety measures.
Be extra cautious about password managers, since you entrust them with your most sensitive data. For instance, PassCamp always transparently declares all the technologies it uses to protect your data, password salting included.
If any other password manager, or any platform that manages sensitive data, is vague and avoids naming the actual technologies it uses, treat that as the first red flag. It’s your data that matters.
Do your research. Choose wisely. Stay safe!