In this age of rampant and expensive ransomware attacks, many organizations find it necessary to revisit security procedures. The venerable username and password login doesn’t lend itself to good security (especially when 72% of workers admit to using the same password across four or more accounts), and while multi-factor authentication helps quite a bit, it’s still far from perfect.
That’s why companies are increasingly turning to hashing and salting, which might sound like things you do to your breakfast but are actually powerful tools in the fight against cyber criminals. Hashing and salting are done at the organizational level, not by individual users. Let’s take a look at how they work.
Passwords may of course be encrypted, which means scrambling the password with a mathematical formula. Encryption is reversible: the scrambled result can be turned back into the plaintext password with a decryption key. Password-management apps use encryption for enhanced security, decrypting stored passwords back to the plaintext that browsers require.
Hashing is similar in that it uses an algorithm to obscure the password, but it’s a one-way function. Only the hashed version of the password is stored on the server; when a user enters a password, it’s run through the same hashing algorithm and the result is compared to the stored hash. If they match, the user is granted the requested access. There are several common hashing algorithms of varying strength.
However, a hacker with access to the server file containing the hashed passwords might still be able to recover them, using what’s called a rainbow table: a precomputed table of hashes of common passwords that lets a stolen hash be matched back to the password that produced it. How to prevent that? Salting.
Salting adds random characters before and/or after each password before it is hashed, so the stored hash no longer matches anything in a precomputed rainbow table, which renders those tables useless. Passwords that are both hashed and salted are much more difficult to decipher. A hacker is likely to move on to a softer target, just as a burglar might avoid a home with external cameras and a security system.
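As an added illustration that is not part of the original post: the unsalted hash of a common password is found instantly in a precomputed lookup table (a miniature stand-in for the rainbow table described above, built here from a constructed list of four weak passwords), while the same password stored with a fresh random salt per user is not, and storing it twice yields two different hashes. PBKDF2 is used for the salted form so that each guess is also deliberately slow.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample of weak passwords; real precomputed tables hold millions.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same password always produces the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> password, the idea behind a rainbow table, simplified."""
    return {hash_unsalted(p): p for p in candidates}


def recover_via_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """What a leaked hash gives up: a direct table hit, or None."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """The salt is mixed in before hashing; PBKDF2 also makes each guess slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> Tuple[bytes, bytes]:
    """Generate a fresh random salt per user; store (salt, hash), never the password."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the entered password with the stored salt; compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt), stored)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_hit = recover_via_table(hash_unsalted("letmein"), table)  # "letmein"
    salt, stored = store_salted("letmein")
    salted_hit = recover_via_table(stored.hex(), table)  # None: salt changed the hash
    differs = store_salted("letmein")[1] != stored  # True: fresh salt, new hash
    return (unsalted_hit, salted_hit, differs,
            verify_salted("letmein", salt, stored), verify_salted("wrong", salt, stored))


if __name__ == "__main__":
    print(demo())  # ('letmein', None, True, True, False)
```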
Of course, all this can complicate things from the user end as well. A password manager can help users with navigating long and complex passwords.
There’s no perfect system in password management, but the combination of hashing, salting and MFA makes a hacker’s job much more difficult.
Questions about this or other cybersecurity issues? Contact Hill Tech Solutions.