Hashing is mainly used for authentication purposes. Salting makes password hashing more secure. Salting is an extra action during hashing. If two clients have the same password, they will also have the same password hashes. A salt, which is a random series of characters, is an extra input to the password before hashing. This makes an alternate hash result for the two passwords. Salting makes it difficult to use lookup tables and rainbow tables to crack a hash. A lookup table is a data structure that processes several hash lookups for every second.
Implementation of Salting:
The following suggestions are used to implement salting:
- Size of the salt should match the size of the hash function’s output.
- Always hash on the server in a web application.
- The salt should be unique for every user’s password.
A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) is the best option to produce salt. It is completely unpredictable and produces a random number. So it is highly secure.
To store a password:
- Use CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) to produce a salt.
- Add salt to the starting of the password.
- Hash it with SHA-256.
- Save the hash and the salt.
To validate a password:
- Recover salt and hash from the database.
- Add salt to the password and hash it.
- Compare the hash of a given password to the one stored in the database.
- The password is incorrect if the hashes do not match.
Key stretching can also be used to secure against attack. It prevents high-end hardware that can compute billions of hashes for every second less effective.
- Implementing callback in PHP
- Implementing Checksum Using Java
- ReactJS | Implementing State & Lifecycle
- Implementing Byte Stuffing using Java
- How to select text nodes using jQuery ?
- Why require_once() function is so bad to use in PHP ?
- HTML | DOM FocusEvent
- PHP | Imagick getImageAlphaChannel() Function
- PHP | image_type_to_extension() Function
- PHP | Imagick setImage() Function
- PHP | Imagick setCompressionQuality() Function
- HTML | DOM Input Date autocomplete Property
If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to email@example.com. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.