Encryption, Hashing, Salting: What does it mean for your Users Password's safety?

danielasaboro

danielAsaboro

Posted on June 1, 2023

Encryption, Hashing, Salting: What does it mean for your Users Password's safety?

For all the criticism Twitter gets, no platform beats it as the best place to freely connect and learn from Practicing Professionals in your industry from all over the world.

You get to see things from different points of view, allowing you to triangulate information effectively and attain a comprehensive understanding of reality.

Last week, Dominus Kelvin shared this tweet asking how Back-End Engineers handle Passwords users entrust with them.

Dominus Tweet asking Backend Developers how they deal with Passwords

Since the answer is kind of obvious, you would think it's just another attempt at sustaining Twitter engagement. But if you go through the comment section, you will discovered that not a lot of backend engineers know understand what those terms means, the difference, and the implications.

That is what this article aims to resolve.

By the time you are done reading this piece, you should understand these three things with razor sharp clarity:

  1. The difference between Hashing and Encryption.
  2. The distinction in their purpose and use in the digital world.
  3. The importance and need for salting passwords before they are hashed...and many more.

Securing your Customers Password safely

Storing user passwords in plain text is an absolute no-go, as it would open the floodgates for malicious individuals to exploit private data.

That is obvious.

So the whole point of every method we'll be discussing in this post is to render the plain text passwords entrusted to you in a manner that makes the effort required to crack them astronomically futile.

Throughout the years, various approaches have surfaced to address this challenge, but two methods shine above the rest: Encryption and Hashing. Fasten your seatbelt as I guide you through a journey unraveling the intricacies of these techniques.

Encryption

In it's most basic form, encryption is the process of transforming Plain Text password into what we call a Cipher Text(Encrypted Data). It requires two things:

  1. An Encryption Key
  2. An Encryption Algorithm

Think of Encryption as sending a message in Greek. Only those who understand Greek can interprete it. English, Yoruba, Japanese speakers can see and read through it but they won't understand it.

Now imagine they have access to a Greek translator who can help them map the signs and symbols to their respective language for easy understanding, that's what an Encryption key does.

With the Right key, you can decrypt an encrypted text.

This is how WhatsApp ensures your conversations remain confidential, protecting them from eavesdroppers, hackers, or any unauthorized parties attempting to access your private messages.

Whatsapp Encryption Key

It's why you get the message below your first time chatting with a recipient and you both weren't online at the same time to share the encryption key.

Image description

Variants of Encryption

  • Symetric Encryption: Same key is used to encrypt and decrypt the data. AES, which is used in verifying financial transactions, VPNs, Communication app etc is an example.
  • Assymetric Encryption: Here, different keys are used to encrypt and decrypt the data. RSA is an example. Andrea Chiarelli, Principal Developer Advocate at Okta lets us know that the two keys are bound by a complex mathematical relationship. Read more here.

Hashing

This is the process of using mathematical algorithms to tranform piece of text into a fixed-size string of characters called a Hash Value/Code.

The interesting thing is, it's a one-way, irreversible process.

It's like throwing your data into a magical blender, Reginald Amuzu says. In fact, a simple change in the input will result in a completely different hash value as shown below:

DanielAsaboro: $2a$12$VbaJyqqclNRWehagaEKxJea01ZmgyZPXC0H9.8p773rdJbNKygD2W

DanielAsab0ro: $2a$12$ZPcwIoCnIH.C511wSIaKNutO.oy0V1s47q2YDsA5SZzQ6cD9o2JT2

All I did was change the 'o' after the 'b' into a "0"!

Since there are no keys, how do you confirm that the user password is what they've inputted? Well, you simply hash the password they gave and compare the hash values/codes. This ensures the initial passwords remains unknown.

Strongholds Stumble

Just around this time 11 years ago, a total of 6.5 million hashed password believed to belong to LinkedIn members was posted on a Russian hacker forum. They posted the data to get help in cracking it.

They were hashed, yet within a week, more than half was cracked and available in plaintext. How did the Hackers pull that off?

Using a precomputed hash table — Which brings us to an additional layer of security called Salting.

Salting: How does it work?

Salting is a technique used in password storage to strengthen the security of hashed passwords. It involves adding a random value (salt) to each password before hashing it.

The salt value is stored alongside the hashed password. And this process ensures that even if two passwords are identical, their hashes will be unique.

Salting prevents attackers from using precomputed tables (rainbow tables) to quickly crack passwords since** each password has a unique salt** (An additional layer of complexity that makes it more challenging for attackers to determine the original password).

Thankfully, packages like Bcrypt makes this process seamless.

My code for salting and encrpting passwords before they are saved to the db

All you need is:

  1. Generate a salt
  2. Then hash the password and the salt.

It's that simple.

But make no mistake.

The name "bcrypt" is derived from the terms "Blowfish" and "crypt," which refer to the cryptographic algorithms used in its design. Blowfish is a symmetric encryption algorithm developed by Bruce Schneier in 1993, known for its security and efficiency.

Bcrypt, however, does not directly use Blowfish for hashing passwords. Instead, it employs an adapted form of the Blowfish algorithm to generate the hash. The specific modifications and parameters used in bcrypt make it suitable for password hashing and storage.

The choice to incorporate Blowfish in the design of bcrypt was primarily due to Blowfish's reputation as a strong and reliable encryption algorithm at the time bcrypt was developed. The use of Blowfish inspired confidence in the security of bcrypt, and the name was chosen to reflect its association with the underlying cryptographic principles.

Hashing is not a form of Encryption

They are two distinct concepts in the field of cryptography.

As I've shown earlier, Encryption uses algorithms and keys to transform the original data in a reversible manner, allowing the data to be decrypted back to its original form by authorized parties who possess the correct decryption key.

On the other hand, hashing is a one-way process that takes input data and produces a fixed-size string of characters. They are designed to produce a unique hash value for each unique input, and are generally irreversible i.e computationally infeasible to retrieve the original data from the hash value alone.

While Encryption is intended to protect data confidentiality, Hashing is primarily used for data integrity verification and fingerprinting. They are not the same.

And hold on for a sec...Have you heard about Peppering?

Food for thought:

Food for thought

💖 💪 🙅 🚩
danielasaboro
danielAsaboro

Posted on June 1, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related