Evan Boehs

is hoping it will be good without pepper

Salting

in garden

Attempts to explain the need for salting passwords to an inexperienced cryptographer have, in my experience, been futile. This is especially so when, instead of a real-world example, an elaborate technical description is given first, as is common online. I thought I would change this. This is how I explain salting to coworkers:

Life before salt

Let’s say we have 5 users:

| Row | Username | Password (not stored!) | Hash |
| --- | --- | --- | --- |
| 1 | bob | orange | 1b4c9133da73a711322404314402765ab0d23fd362a167d6f0c65bb215113d94 |
| 2 | lisa | dungeon | 2a79be6a5deb17eb3973b3e1872623682287731df936d313f7c8b0e4a336e958 |
| 3 | alex | flubber | 29f006c8fea00ee58303e1d660279900967e7c86c31ae51f8f7c148f32f7f8f1 |
| 4 | joe | pineapple | b0fef621727ff82a7d334d9f1f047dc662ed0e27e05aa8fd1aefd19b0fff312c |
| 5 | sarah | banana | b493d48364afe44d11c0165cf470a4164d1e2609911ef998be868d46ade3de4e |

Our attacker has already generated a hash table (every word she expects people to use, hashed once in advance). This is her table:

| Row | Password | Hash |
| --- | --- | --- |
| 1 | lemon | f464d7d71c06e47a535ce441aa202aa717cddeab902a45b0c283aac7a9a090d7 |
| 2 | orange | 1b4c9133da73a711322404314402765ab0d23fd362a167d6f0c65bb215113d94 |
| 3 | banana | b493d48364afe44d11c0165cf470a4164d1e2609911ef998be868d46ade3de4e |
| 4 | strawberry | 5e737f891db1175442a39fde73e51d781a545506d71c95477a6deb5988bd7f9a |
| 5 | pineapple | b0fef621727ff82a7d334d9f1f047dc662ed0e27e05aa8fd1aefd19b0fff312c |

She gains access to our database. Let’s assume the following:

  • Comparing two strings takes 0.1 seconds
  • Generating a hash takes 0.5 seconds

Given this, she launches an attack.

Attack:

  • userDB row 1 matches hashDB row 2 (0.2 seconds)
  • userDB row 2 matches hashDB none (0.5 seconds)
  • userDB row 3 matches hashDB none (0.5 seconds)
  • userDB row 4 matches hashDB row 5 (0.5 seconds)
  • userDB row 5 matches hashDB row 3 (0.3 seconds)

In her attack, for each user, she compares the stored hash against each entry of her table until one matches. As soon as a hash matches, she moves on to the next user. This means that for passwords whose hashes are not in her table she spends the full 0.5 seconds: her table has 5 entries, each comparison costs 0.1 seconds, and she has to check all 5 before she can be sure the hash is not there. Sometimes she finds a matching hash fast, say in 0.2 seconds. Note that she never computes a single hash during the attack; all of that work was done once, before the breach, and is reused against every user.

All in all, her attack took 2 seconds, and she walked away with 3 accounts.

Life after salt

Let’s modify our database to salt our passwords
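The attack above, run under the post's own cost model, together with what happens to the same attack once each user gets a random salt. This is an added example, not code from the post, and the salted half goes beyond what the page shows: it assumes SHA-256 as the hash (the post does not name one), a 16-byte random salt per user prepended to the password (one common layout; the post's own salted schema is not on this page), and the post's costs of 0.1 s per comparison and 0.5 s per hash. The user rows and the attacker's word list are the ones from the tables above.

```python
# Added example (not from the post): the lookup-table attack under the post's
# cost model, and the same attack once each user gets a random salt.
import hashlib
import secrets

# Cost model stated in the post.
COMPARE_SECONDS = 0.1   # one string comparison
HASH_SECONDS = 0.5      # one hash computation

# Constructed sample data: the five users from the post's table.
USERS = [
    ("bob", "orange"),
    ("lisa", "dungeon"),
    ("alex", "flubber"),
    ("joe", "pineapple"),
    ("sarah", "banana"),
]

# The attacker's precomputed table, in the order the post lists it.
ATTACKER_WORDS = ["lemon", "orange", "banana", "strawberry", "pineapple"]


def unsalted_hash(password: str) -> str:
    # Assumption: SHA-256 over the bare password; the post does not name its hash.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    # Assumption: salt prepended to the password before hashing (one common layout).
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_user_db_unsalted():
    """Rows of (username, hash): exactly what the post's first table stores."""
    return [(user, unsalted_hash(pw)) for user, pw in USERS]


def build_user_db_salted():
    """Rows of (username, salt, hash); the salt is stored in the clear next to the hash."""
    rows = []
    for user, pw in USERS:
        salt = secrets.token_bytes(16)   # fresh random salt per user
        rows.append((user, salt, salted_hash(salt, pw)))
    return rows


def build_lookup_table():
    """The attacker's table: (word, hash) computed once, before the breach."""
    return [(word, unsalted_hash(word)) for word in ATTACKER_WORDS]


def attack_unsalted(user_db, table):
    """For each user, compare the stored hash against the table until it matches.
    Returns (seconds per user, total seconds, accounts cracked)."""
    per_user = []
    cracked = 0
    for _user, stored in user_db:
        compares = 0
        for _word, table_hash in table:
            compares += 1
            if table_hash == stored:
                cracked += 1
                break
        per_user.append(round(compares * COMPARE_SECONDS, 1))
    return per_user, round(sum(per_user), 1), cracked


def attack_salted(user_db, candidates):
    """With a per-user salt the table built earlier matches nothing, so every
    candidate must be re-hashed under each user's own salt before comparing."""
    per_user = []
    cracked = 0
    for _user, salt, stored in user_db:
        guesses = 0
        for word in candidates:
            guesses += 1                       # one hash plus one comparison per guess
            if salted_hash(salt, word) == stored:
                cracked += 1
                break
        per_user.append(round(guesses * (HASH_SECONDS + COMPARE_SECONDS), 1))
    return per_user, round(sum(per_user), 1), cracked


def table_is_useless_after_salting(salted_db, table):
    """True when no precomputed hash equals any stored salted hash."""
    stored = {h for _u, _s, h in salted_db}
    return not any(h in stored for _w, h in table)


if __name__ == "__main__":
    print("unsalted:", attack_unsalted(build_user_db_unsalted(), build_lookup_table()))
    print("salted:  ", attack_salted(build_user_db_salted(), ATTACKER_WORDS))
```

Unsalted, the model reproduces the post's numbers: 0.2, 0.5, 0.5, 0.5 and 0.3 seconds, 2.0 seconds in total, 3 accounts. Salted, the precomputed table matches nothing, so every guess now costs a hash plus a comparison (0.6 s) and nothing carries over from one user to the next: the same three weak passwords still fall, but at 12.0 seconds instead of 2.0, and that gap grows with the size of the table and the number of users. The salt does not make "banana" a good password; it removes the attacker's ability to do the hashing once and reuse it, which is why real deployments pair it with a deliberately slow password hash.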
