Throw some salt and pepper on that hash!

Move over Drake, this October we’re celebrating Cybersecurity. In the spirit of cybersecurity awareness month, let’s get real nerdy about how passwords are protected, what happens in a data breach involving passwords, what companies are doing to protect your passwords, and what you need to do in order to protect yourself.

When the digital age was still in its infancy, programmers and engineers were focused on discovering what this new computing power could do and on developing new uses for it. Early databases, applications, TCP/IP, and WiFi were all proofs of concept, and effort went toward increasing the capability and viability of the tools; security was an afterthought. Passwords were stored in plaintext, authentication methods were weak, and in some instances you only needed a username to log in. Over time, as criminals began leveraging the new technologies to wreak havoc, the industry pivoted and more importance was given to securing the platforms that had been developed. Authentication methods became more secure and passwords were protected; security was becoming a forethought.

Plaintext password storage should by now have been retired, with the industry hashing passwords before storing them. However, plaintext password breaches are still occurring. In January 2021, a breach of Daily Quiz was identified in which 8.3 million plaintext passwords were exposed and sold. And it’s not just obscure one-off companies that fall victim to this poor practice: Robinhood, Google, and Instagram all admitted to storing plaintext passwords as late as 2019.

There are multiple issues with storing plaintext passwords, the biggest of which is that 65% of people reuse their passwords across sites. This leaves them open to a password reuse attack (credential stuffing), whereby a criminal buys your username and password for about $20 and proceeds to try the pair on other websites, and potentially on your email, to lock you out of the account you would use for password resets. You can check whether one of your passwords has been exposed in plaintext via sites like Have I Been Pwned or Mozilla’s Firefox Monitor. If you find that your password was breached and you think you’ve reused it elsewhere, I strongly recommend you change those passwords as soon as possible.

Hashing a password should be the bare minimum of modern password storage for companies. As you create an account on a new site, you enter your password and hit create; the site runs the password through a one-way hash function and stores the output in the database. It is no longer plaintext, and anyone who obtains access to the database will not see your password, but rather the output of the hash. When you log back into that site and enter your password, the site performs the same hash function and checks whether the output matches the hash stored in the database for your account. Because the function is one-way, the stored hash cannot be reversed into the password; the only way to recover it is to guess candidates and hash each one.

That was the industry standard for a decade or so, but criminals quickly caught up and began building rainbow tables, some of which are publicly available. In the simplest form these are lookup tables of every potential password up to some length (commonly 1–10 characters, depending on the character set) alongside the hash of each. A true rainbow table is cleverer: it stores only the start and end of long chains of hash-then-reduce steps and recomputes the middle on demand, trading a slower lookup for a table smaller by roughly the chain length. Either way, once criminals obtain a database of unsalted hashes, they can, in essence, perform intensive vlookups to recover each person’s password, and every user who chose the same password shows up with the same hash.
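To make the lookup concrete, here is an added example (my code, not from the post or the linked workbook) that builds both kinds of table over a deliberately tiny keyspace of 4-digit PINs hashed with plain, unsalted SHA-256: the naive one-row-per-hash lookup table, and a real rainbow table that stores only chain endpoints and recomputes the middle at lookup time. The keyspace, chain length and reduction function are my own toy choices, and the victim database is constructed. Coverage of a rainbow table is probabilistic, so a given PIN may or may not be cracked, but any PIN that a stored chain passed through will be.

```python
import hashlib
from typing import Dict, List, Optional

# Toy keyspace: 4-digit PINs "0000".."9999". Real tables cover far larger spaces,
# but the mechanics are identical.
PIN_SPACE = 10_000
CHAIN_LEN = 50      # t: hash-then-reduce steps per chain
NUM_CHAINS = 400    # m: chains stored; m * t = 20,000 keys touched vs 10,000 in the space


def H(pin: str) -> str:
    """The unsalted hash the victim database stores (SHA-256 hex)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def R(h: str, col: int) -> str:
    """Reduction function: maps a hash back into the PIN space.
    It is NOT an inverse of H; it just picks the next candidate. Varying it by
    column `col` is what makes the table 'rainbow' and limits chain merges."""
    return f"{(int(h[:12], 16) + col) % PIN_SPACE:04d}"


def chain(start: str) -> List[str]:
    """pins[0] = start, pins[k+1] = R(H(pins[k]), k). Only (pins[0], pins[-1]) is stored."""
    pins = [start]
    for col in range(CHAIN_LEN):
        pins.append(R(H(pins[-1]), col))
    return pins


def build_lookup_table() -> Dict[str, str]:
    """The naive 'vlookup' table: every hash in the space -> its PIN. 10,000 rows."""
    return {H(f"{p:04d}"): f"{p:04d}" for p in range(PIN_SPACE)}


def build_rainbow_table() -> Dict[str, List[str]]:
    """Endpoint -> start points. At most NUM_CHAINS rows, paid for by recomputation on lookup."""
    table: Dict[str, List[str]] = {}
    for i in range(NUM_CHAINS):
        start = f"{(i * 7919) % PIN_SPACE:04d}"   # 7919 is coprime to 10,000, so starts are distinct
        table.setdefault(chain(start)[-1], []).append(start)
    return table


def crack(h: str, table: Dict[str, List[str]]) -> Optional[str]:
    """Recover the PIN behind unsalted hash h, if some stored chain passed through it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: h was produced at column `col`. Walk the rest of the chain
        # from there and see whether we land on a known endpoint.
        x = R(h, col)
        for later in range(col + 1, CHAIN_LEN):
            x = R(H(x), later)
        for start in table.get(x, []):
            pins = chain(start)          # regenerate the chain from its stored start
            if H(pins[col]) == h:        # guards against false alarms from merged chains
                return pins[col]
    return None


if __name__ == "__main__":
    lookup = build_lookup_table()
    rainbow = build_rainbow_table()
    # Constructed dump of an unsalted database: alice and carol chose the same PIN.
    victim_db = {"alice": H("4821"), "bob": H("1234"), "carol": H("4821")}
    for user, stored in victim_db.items():
        print(f"{user}: {stored[:16]}... lookup={lookup.get(stored)} rainbow={crack(stored, rainbow)}")
    print(f"lookup table rows: {len(lookup)}, rainbow table rows: {len(rainbow)}")
```

Note that alice and carol's identical hashes are visible before any cracking happens; that is the property salting removes. Scaling the same code to 8-character passwords only changes `PIN_SPACE`, `CHAIN_LEN` and `NUM_CHAINS`; the attack is unchanged as long as the hashes are unsalted.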

Source: DropItLikeItHox’s Excel Workbook

With the rise of rainbow tables, the cybersecurity industry again pivoted and introduced salt to the world. Similar to the nonce we learned about in class for blockchain, a salt is a random value combined with the password (conventionally appended to it) before the combination is hashed. The salt is stored in the same database, next to the username and hashed password; it is not a secret. When a user creates an account, the system generates a unique random salt for that account (the workbook example uses 14 characters; at least 16 random bytes is the usual recommendation), appends it to the password the user chose, and runs the result through the hashing algorithm. The output of password + salt is stored in the database, along with the salt itself. The next time the user logs in, the system takes the entered password, appends the stored salt, runs it through the hashing algorithm, and compares the output to the stored hash; if it matches, they’re allowed in. This defeats rainbow tables not because the input is longer (password + salt is 10 + 14 = 24 characters in the example) but because the salt is different for every account: a precomputed table would have to be rebuilt for each salt, and two users with the same password no longer share a hash. A salt does not stop an attacker from guessing candidates against one user’s hash at a time, which is why the hash should also be deliberately slow (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) rather than a single pass of MD5 or SHA-256.

Source: DropItLikeItHox’s Excel Workbook

Finally, as an extra layer on top of salting and a slow hash, many systems add some pepper to that hash. Pepper is similar to salt in that it is an extra value mixed into the password before it is hashed. It differs from salt in that it is the same for all accounts, it is secret, and it is stored outside the password database (in application configuration, a secrets manager, or a hardware security module), so that a dump of the database does not include it. Without the pepper, an attacker holding the stolen hashes cannot check even a single guess, let alone build a rainbow table, because every stored hash depends on a value they do not have. The trade-off is operational: if the pepper is lost, every user must reset their password, and rotating it means rehashing each account at its next login, so it is best mixed in as the key of an HMAC rather than by simple concatenation, and managed like any other key.
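The storage scheme the last three paragraphs describe, as an added example in Python (my code, not from the post): a per-user random salt, a pepper mixed in with HMAC, a deliberately slow PBKDF2 stretch, and a self-describing record so the iteration count can be raised later. The pepper constant, iteration count and record format are assumptions for the demo; in production the pepper is loaded from a secrets store, never hard-coded.

```python
import hashlib
import hmac
import os

# The pepper lives OUTSIDE the password database: loaded from config, a secrets
# manager, or an HSM. Hard-coded here only so the example runs stand-alone
# (assumed value; a real deployment generates its own 32 random bytes).
PEPPER = bytes.fromhex("6f4c1d0e5c8b2a9d7e3f1a2b4c6d8e9f0a1b2c3d4e5f60718293a4b5c6d7e8f9")

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 100_000        # demo value; OWASP's current guidance for PBKDF2-SHA256 is 600,000
SALT_BYTES = 16


def _prehash(password: str, pepper: bytes) -> bytes:
    """Mix in the pepper as an HMAC key rather than by concatenation, so it can be
    treated like any other secret key and never appears in the hashed input."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: $alg$iterations$salt_hex$hash_hex.
    A fresh random salt per call means two users with the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return f"${ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the salt and iteration count stored in the record; compare in constant time."""
    try:
        _, alg, iters, salt_hex, hash_hex = record.split("$")
        if alg != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:          # malformed record: wrong field count, bad hex, bad int
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with weaker parameters than current policy;
    call hash_password() again right after a successful login to upgrade it."""
    parts = record.split("$")
    return len(parts) != 5 or parts[1] != ALGORITHM or int(parts[2]) < iterations


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse"), "bob": hash_password("correct horse")}
    print(users["alice"] != users["bob"])                        # same password, different records
    print(verify_password("correct horse", users["alice"]))      # True
    print(verify_password("wrong", users["alice"]))              # False
    # A database thief without the pepper cannot even check one guess:
    print(verify_password("correct horse", users["alice"], pepper=b"guessed"))   # False
    old = hash_password("correct horse", iterations=10_000)      # record from an older policy
    print(needs_rehash(old), needs_rehash(users["alice"]))       # True False
```

The record carries its own algorithm and cost, so raising `ITERATIONS` later does not break existing logins; `needs_rehash()` flags the stale records and they are upgraded transparently the next time each user authenticates.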

Source: https://sudo.pagerduty.com/for_engineers/ — Image #64

Now that I’ve thoroughly confused you on all things password related, let’s decipher the takeaways; I apologize if they appear trite, but I think they are still valid and important. First and foremost, the easiest way to protect yourself from a breach of a hashed password database is to make sure your password is at least 14 characters long. Public rainbow tables have mostly been generated for 1–10 characters, and every added character multiplies the number of guesses an attacker must make, so a long password protects you even against criminals with larger, privately built tables.

Secondly, do your best not to reuse passwords. As we learned, your username/email and password combo can be sold for around $20, and from there criminals try the same credentials on other sites. This is easier said than done, but at a minimum prioritize a unique password for your email address. Your primary email is your lifeline to the rest of your digital profile: a one-stop shop for password resets and for reclaiming any other account.

Third, enable multi-factor authentication on any website that allows it. If a criminal obtains your password and attempts to log in, they won’t get far, because they would also need access to your phone, your cell phone number, or your email address (which you’ve hopefully protected with a unique password). Where a site offers the choice, an authenticator app or hardware security key is stronger than a code sent by SMS, which can be stolen by SIM swapping.

Fourth, instead of using one of the top 200 passwords, a family member’s name, your pet’s name, or your street or city, use a longer, easy to remember passphrase. As we learned from point one, the longer a password, the harder it is for a criminal to crack via rainbow tables or to guess by brute force, because each extra character multiplies the search space. As a result, ‘Ilovereadinginthepark’ is a better password than ‘B0$t0n617’ because of its length; you can test it yourself with an online strength checker. One caveat: a passphrase built from a few common words is weaker than its character count suggests, because attackers also guess word combinations, so pick words that don’t form an obvious sentence, or let a password manager generate them.
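An added example (mine, not the post’s) that makes the arithmetic behind points one and four explicit: it infers the character classes a brute-force attacker must cover, compares the resulting search space with the much smaller space of a passphrase built from common dictionary words, and converts both into time at two constructed guess rates, one for an unsalted fast hash and one for a slow hash like bcrypt. The guess rates and the 20,000-word dictionary size are illustrative assumptions, and both figures are upper bounds: real attackers use wordlists and mangling rules, so ‘B0$t0n617’ falls far sooner than its keyspace suggests.

```python
import math
import string

# Character classes an attacker must include once they know (or assume) the password uses them.
# string.punctuation is the 32 ASCII punctuation characters; space is handled as an extra below.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Constructed order-of-magnitude guess rates for a single GPU (assumptions, not benchmarks):
FAST_HASH_RATE = 10_000_000_000   # ~1e10 guesses/s against unsalted SHA-256/MD5
SLOW_HASH_RATE = 10_000           # ~1e4 guesses/s against bcrypt/Argon2 at a sane cost factor
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must cover for this password (0 for empty)."""
    size = 0
    covered = set()
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    size += len({c for c in password if c not in covered})   # space, non-ASCII, etc.
    return size


def brute_force_space(password: str) -> int:
    """Upper bound: every string of this length over the inferred alphabet."""
    return charset_size(password) ** len(password)


def passphrase_space(word_count: int, dictionary_size: int = 20_000, capitalizations: int = 2) -> int:
    """Space an attacker searches if they know it is `word_count` dictionary words run
    together, each optionally capitalized. Far smaller than the character-level bound."""
    return (dictionary_size * capitalizations) ** word_count


def bits(space: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(space) if space > 0 else 0.0


def seconds_to_crack(space: int, guesses_per_second: int) -> float:
    """Expected time: on average half the space is searched before the hit."""
    return space / 2 / guesses_per_second


def years_to_crack(space: int, guesses_per_second: int) -> float:
    return seconds_to_crack(space, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["B0$t0n617", "Ilovereadinginthepark"]:
        space = brute_force_space(pw)
        print(f"{pw!r}: alphabet {charset_size(pw)}, {bits(space):.0f} bits, "
              f"fast hash {years_to_crack(space, FAST_HASH_RATE):.2e} years, "
              f"slow hash {years_to_crack(space, SLOW_HASH_RATE):.2e} years")
    words = passphrase_space(5)   # 'I love reading in the park' seen as 5 dictionary words
    print(f"5-word passphrase (word-level attack): {bits(words):.0f} bits, "
          f"fast hash {years_to_crack(words, FAST_HASH_RATE):.2e} years")
```

Two things to take from the output: the passphrase still beats the 9-character password even when the attacker guesses at the word level, and the same password survives a million times longer behind a slow hash than behind a fast one, which is the server-side half of the story.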

Finally, for the tip that is lately making its way around everywhere, use a password manager; my personal favorite is Bitwarden. It sits in your desktop browser and on your phone, syncs across all devices, generates unique passwords, and tracks which password belongs to which site, so in the case of a breach you only need to change that one password, with no fear of a password reuse attack. I understand the fear of placing all your passwords in one database: ‘wouldn’t that just make the password manager a target for all criminals?’ It would, but the design is built around that assumption. Your master password is salted (with your email address) and stretched through 100,001 rounds of PBKDF2 locally, on your device, and the master password itself never leaves it; those were the defaults at the time of writing, and the client-side count has since been raised. A hash derived from that key is what is sent to Bitwarden for authentication, where it is salted again and stretched a further 100,000 rounds before the comparison is made. Rainbow tables are useless against this, so an attacker’s only realistic option is to guess your master password, which makes it the one password you must get right: set a secure master password of 16–20 characters or more. Something as simple as ‘noonewilleverguessthispassword’ is easy to type and remember and infeasible to brute-force character by character (an online checker estimates 2 septillion years), though as a sentence of common words it is weaker than a randomly generated passphrase of the same length, so let the manager generate one if you can.
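The two-stage stretching described above, as an added example (my simplified model of the published design, not Bitwarden’s code): the client derives a master key from the master password and sends only a second derivation of it over the wire; the server salts and stretches that value again and stores just the result. The iteration counts are the figures the post quotes, taken as parameters; encrypting the vault with the master key is left out.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Iteration counts as quoted in the post; parameters of the demo, not a claim about current defaults.
CLIENT_ITERATIONS = 100_001
SERVER_ITERATIONS = 100_000


# ---- client side: runs in the browser extension / app. Only auth_hash leaves the device.
def client_derive(email: str, master_password: str,
                  iterations: int = CLIENT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (master_key, auth_hash). master_key protects the vault and stays local;
    auth_hash is the only value ever sent to the server."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                     email.lower().encode("utf-8"), iterations)
    # One extra round, salted with the password, so auth_hash != master_key and the
    # server (or anyone sniffing the login) never holds the vault key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1)
    return master_key, auth_hash


# ---- server side: stores only a salted, stretched hash of auth_hash.
class AuthServer:
    def __init__(self, iterations: int = SERVER_ITERATIONS):
        self.iterations = iterations
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # email -> (salt, stored_hash)

    def _stretch(self, auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, self.iterations)

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, self._stretch(auth_hash, salt))

    def login(self, email: str, auth_hash: bytes) -> bool:
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        return hmac.compare_digest(self._stretch(auth_hash, salt), stored)


def demo() -> bool:
    """Walk through registration and login; True when every property the post claims holds."""
    server = AuthServer()
    email, pw = "alice@example.com", "noonewilleverguessthispassword"   # constructed account
    master_key, auth_hash = client_derive(email, pw)
    server.register(email, auth_hash)
    ok = server.login(email, client_derive(email, pw)[1])
    bad = server.login(email, client_derive(email, "wrong")[1])
    stored = server.users[email][1]
    # The server never saw pw or master_key, and what it stores differs from what it received,
    # so a dump of its database gives an attacker neither the login token nor the vault key.
    return ok and not bad and stored != auth_hash and master_key != auth_hash


if __name__ == "__main__":
    print(demo())   # True
```

An attacker who steals the server database gets a salted, 100,000-round hash of a value that was itself the product of 100,001 rounds on the client, so every guess costs roughly 200,000 PBKDF2 rounds; an attacker who steals the encrypted vault still has to reach `master_key`, which never left the device.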

Password management is a big problem for companies: 81% of hacking-related breaches involve compromised passwords, and 73% of people reuse their personal passwords in their work setting. To reduce the number of passwords, companies are leveraging Lightweight Directory Access Protocol (LDAP) directories and Single Sign-On (SSO) to relieve the burden of remembering multiple passwords at work. Instead, employees use one password to log in and seamlessly authenticate to all the other applications they use daily. The flip side is that this one password, and the MFA in front of it, now guards everything, so it has to be held to the highest standard.

It’s no secret that passwords aren’t exciting; the sad reality is that the most cumbersome IT hygiene activities are also the most important (backing up your systems and data, maintaining good password practices, updating systems with the latest security patches, etc.). We’ll never be perfect in our pursuit of security, but with a small amount of effort we can make leaps and bounds of progress.

Various sources as hyperlinked in the article, including:
https://www.enzoic.com/8-stats-on-password-reuse/
https://en.wikipedia.org/wiki/Rainbow_table
https://en.wikipedia.org/wiki/Pepper_(cryptography)
https://en.wikipedia.org/wiki/Salt_(cryptography)
https://www.pelock.com/products/hash-calculator

12 comments

  1. So many helpful hints, and a sobering realization about username/password combos being sold for only $20. I will definitely be checking out bitwarden! Curious how you see emerging concepts like SASE impacting overall security for enterprises (and ultimately employees/customers/end users’ accounts)?

  2. A lot of great reminders about the importance of password protection. I especially thought it was helpful to learn about the evolution of cyber security to prevent sophisticated hackers from getting access to data or private information. To your point, it’s been interesting to see companies like Apple and Microsoft prioritize consumer protection by automating password generation to prevent users from using the same password across different platforms.

  3. Wow, this article was excellent! My partner constantly bugs me for using weak passwords, and I totally understand why now. Also, thank you for explaining this in a digestible and straightforward way and providing simple solutions to keep our passwords protected.

  4. This was a tasty post. I use Avast for my password management, but I will definitely be checking out Bitwarden. I had no idea that rainbow tables existed, which brings me to my question for you. Do you know of any similar tools used to crack biometric peripherals or systems that use biometric authentication methods?

  5. This is truly so helpful and I wanna share this with my students and my mom at the same time, both of whom have had people get into their accounts and wreak havoc. Feel like making a canva graphic? But seriously, someone also recommended using the reverse of the words you were planning to use in a long phrase as well. Likely not necessary if you use a password manager, but feels appropriate to pass along.

  6. Yeah, I went with a password manager about 5 years ago, and I’ve never looked back. Made my life so much easier.

  7. Many thanks for this awesome deep-dive into password security! Two years ago, I was working for a start-up in Berlin. I remember pretty clearly that one day, the whole company was exposed to a cybersecurity attack as one of my colleagues logged into a (fraud) Google sign-up page sent via a spam email.
    As this was an early-stage company with limited resources, everyone was scared about the consequences this attack might have. Luckily, the company did not face significant problems, but our CEOs immediately implemented a password manager called LastPass. Additionally, the Sales department increased their security efforts by constantly comparing website domains with the respective email addresses.
    I am wondering if they found a way to automate or digitize this process.

  8. I am definitely one of those people that reuses passwords for a multitude of accounts across the internet. I knew it was bad, but never wanted to go through the time to go back and change each one. So at the very least, I’ll make sure to change my primary email password to be something completely different from the rest of my logins. Also implement 2FA whenever possible. Then I’ll make sure to check out Bitwarden to help minimize the risk of my own laziness.

  9. Incredible blog and so much good advice so thank you for that! I actually have a note on my to-do list to update my passwords on a google doc that I use and after reading this, I think it’s time to switch to Bitwarden. Before COVID I had about a half dozen different fobs for logins to different financial institutions’ websites which was tough to manage with a hybrid work schedule. Since then, every single one of those fobs has gone away and been replaced with some sort of app-based verification. With so many people shifting to mobile payments, I think this could be one of the safest ways to authenticate a user going forward as it also cuts down the need for a complex password bank.

    The password length angle is also a really interesting point as it shows how users overthink what true complexity is. People like myself may avoid using phrases as passwords because we think for some reason they would be easier to guess but the reality is the length shrinks the likelihood of a rainbow table being effective.

  10. Great Post. In one of my previous courses I learned that 123456 is still the most popular password, which is crazy. Honestly, I have been loving the facial recognition to get into my banking apps or other apps on my phone. I hope we get to a point where we are not setting passwords but rather using AI for recognition purposes; seems a lot more secure. Love all the tips in the post!

  11. Great post; it really has some eye-opening facts and is certainly going to make me look at a password manager. I’ve contemplated getting one in the past but never pulled the trigger. You might have just convinced me with this blog post :)

  12. I appreciate being part of the example!! Super cool; especially on a great blog. I was extremely guarded by the idea of using a password manager. My husband literally had to force me to use one by not sharing passwords with me. Mean, but I’m thankful for the aggressive push because I can’t imagine life without one. Every password is generated for me and saved…removing stressful situations altogether.
