Hashing is mainly used for authentication purposes. Salting makes password hashing more secure. Salting is an extra action during hashing. If two clients have the same password, they will also have the same password hashes. A salt, which is a random series of characters, is an extra input to the password before hashing. This makes an alternate hash result for the two passwords. Salting makes it difficult to use lookup tables and rainbow tables to crack a hash. A lookup table is a data structure that processes several hash lookups for every second.
Implementation of Salting:
The following suggestions are used to implement salting:
- Size of the salt should match the size of the hash function’s output.
- Always hash on the server in a web application.
- The salt should be unique for every user’s password.
A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) is the best option to produce salt. It is completely unpredictable and produces a random number. So it is highly secure.
To store a password:
- Use CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) to produce a salt.
- Add salt to the starting of the password.
- Hash it with SHA-256.
- Save the hash and the salt.
To validate a password:
- Recover salt and hash from the database.
- Add salt to the password and hash it.
- Compare the hash of a given password to the one stored in the database.
- The password is incorrect if the hashes do not match.
Key stretching can also be used to secure against attack. It prevents high-end hardware that can compute billions of hashes for every second less effective.