Password Salting may be Effective, but is it Healthy?

Much of IT security revolves around the question of how much you believe users can think for themselves. Password salting is a solution likely to appeal to those who think users are unreliable, careless or otherwise unable to behave correctly when it comes to the proper use of passwords. Yet the brain is a muscle and needs regular exercise, including password push-ups and security question squats. Which way should you go? To help answer that question, first try our super-fast primer on what password salting actually is; or if you prefer, how to explain its importance to your CEO.

Applications at work, social media accounts, professional and personal banking accounts, all these typically require passwords or codes to gain access. To keep passwords safe within an IT system, a technique called “hashing” is frequently used. A hash function is one-way: it converts a password like “secret” (a very bad password example!) into a long string of otherwise meaningless numbers and letters, and there is no practical way to turn that string back into the password. When a user logs on, the system “hashes” the password entered, compares it with the hash that was previously stored, and lets the user in if the two hashes are the same. The system therefore never needs to store the password itself.

Hackers, however, also know about hashing, and the hashing algorithms in common use are public. If they get hold of a database of stored hashes, they can hash long lists of common passwords themselves and compare the results against the stolen hashes to recover the originals. So the next level of IT security is password salting. To salt a password, a random string of characters (the salt, different for every user) is added to the password before it is hashed, and the salt is stored alongside the hash. Because every user has a different salt, an attacker can no longer reuse one precomputed table of hashes against all accounts at once, which makes recovering passwords from stolen hashes far more expensive. It also avoids storing duplicate hashes for users who happened to choose the same password (yep, like “secret” – Ouch!).
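As an added illustration, not code from the original article, here is what salted hashing looks like in Python. Each user gets a fresh random salt, a deliberately slow derivation (PBKDF2-HMAC-SHA256 with an assumed iteration count) replaces a plain SHA-256, and verification re-derives the hash from the salt stored with the record. The record format `iterations$salt$hash` is an assumption made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration: 16-byte random salt and
# 600,000 PBKDF2 iterations. A deployment would pick these deliberately.
SALT_BYTES = 16
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same hash, so one
    precomputed table of common passwords cracks every account that uses it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call unless one is supplied, so two
    users who choose the same password get different stored records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the salt and iteration count kept in the record,
    then compare in constant time to avoid leaking how many bytes matched."""
    iterations_str, salt_hex, hash_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations_str))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def records_collide(records: list) -> bool:
    """True if any two stored records are byte-for-byte identical, i.e. the
    store reveals which users share a password."""
    return len(set(records)) != len(records)


if __name__ == "__main__":
    # Constructed sample: two users who both picked the (bad) password "secret".
    print("unsalted collide:", records_collide([unsalted_hash("secret")] * 2))
    salted = [hash_password("secret"), hash_password("secret")]
    print("salted collide:  ", records_collide(salted))
    print("login ok:        ", all(verify_password("secret", r) for r in salted))
```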

However, while password salting improves security at this level, it does nothing to stop users from choosing “secret”, their dog’s name, their date of birth or the same password they already use for another account or application. Such passwords are easy to guess, and they are just as exposed to the hackers’ other big technique, social engineering. The solution, as you probably guessed, is to use both forms of security: improved technology and improved user behaviour. Everybody needs some salt in their diet, but not to the exclusion of everything else.