A Primer on Hashes – and why Salts are a Good Thing

Since every time I posted my previous article people were asking questions, I wrote up the following as a Facebook comment and figured it deserved repeat posting here. Note that there’s an article in our archives which is similar but not as specific as this one. Get ready for your cryptography lesson.

A hash is a one-way function. This means that given some input, it creates some seemingly random output. It is one-way in that you can’t do math on the output to get back to the input.

So, “abc” -> (hash function) -> A9993E364706816ABA3E25717850C26C9CD0D89D
and there’s no way to get “abc” back from that nasty string.

UNLESS you have taken the time to generate what’s called a rainbow table. Hackers (and presumably the NSA) run exhaustively through all possible strings and generate all the hashes for those strings. Once you have a rainbow table, all you have to do is look through your table and see if the hash is already in there. One of these is here: http://www.sha1-lookup.com/ (and note you can look up the fact that “abc” is easily cracked).

Generating Rainbow Tables is time consuming, though. If you can generate 100,000 hashes a second, it would take 69 years to generate the rainbow table containing all the possible 8 character alphanumeric passwords. (or 69 computers one year, etc.) It would take 171 billion years to create the complete set of 12 character passwords made from all printable characters. That’s not terribly practical.

So, a cryptographic salt is a sprinkling of additional information before hashing. So, LinkedIn would take your password of “abc” and add some random data to it, perhaps “fM3sTe4d“. So instead of hashing “abc” it hashes “fM3sTe4dabc” and gets 5646e9ce061dee933de87fc4d698403d287198ef

What the salt does is it makes rainbow tables ineffective. As mentioned earlier, it’s impractical to make rainbow tables for longer, random inputs. I have seen tables of all English words up to 12 characters, and I know someone’s working on a table of all 9 character printable inputs… but every increase by one character multiplies the work of the rainbow table creators by 60-95 times.

Salting is good, and cryptographers and cryptographic developers have known this for years. Unfortunately, lots of non-cryptographic developers try to develop cryptography, and things fall apart.

Bottom line for everyone: the longer and more random your password, the less likely it is for anyone to ever be able to crack your password. And using unique (by which I mean different, not necessarily entirely unique) passwords can help protect you from the breach of one of your passwords. (See this XKCD.)