My first encounter with the concept of "salting a hash" was when I implemented the most excellent Passport authentication library for an Express project. I needed to get up and running fast with my project (a directory of the people in my Hack Reactor cohort) and given that the data included some personal facts about people, an essential requirement for the launch was sealing off access from the outside world.

Although I was successful in implementing Passport (hint: it's purty darn easy), I kinda glossed over some of the implementation details, notably this line:

bcrypt.hashSync(password, bcrypt.genSaltSync(8), null);

What in the heck is a 'salt'?, I wondered (and for that matter, what is hashing anyways?). It turns out that a salt is exactly what's protecting you from the teeming masses of would be theives of your data.

I'll take the potatoes

Firstly, there's some clarification needed on what a 'hash' is, at least in regards to password protection. At its essence, a hash is simply an method that takes a string as input and produces a more complex output, encoded in a specific way.

hash(input) >> FJSHARF$%^&TGIUND

This seemingly random string is computed in such a way that if you put in the same string, you'll get the same output. While this is at first glance obvious, it's essential to making a password storage system.

When you store a password, you hash it as above before storing for later use.
Later, when the user logs back in, the password they enter into the login form is then run through the same hashing function, and the two results are compared.

A = hash(input) >> FJSHARF$%^&TGIUND
B = hash(formPassword) >> FJSHARF$%^&TGIUND
A === B >> true

This is pretty nice for passwords as these hashes are not reversible, so you can't take in FJSHARF$%^&TGIUND in the example above and create the input.

Seems pretty secure, right?

Taste the rainbow

You'd think so, but it turns out there's something called a Rainbow Table that makes this still vulnerable to attack.

A rainbow table is essentially a database of the output common words run through a hashing function. If someone was able to get at, or guess your hashing function, they could create one of these tables, filled with any word you'd be likely to use in a password.

From this table, they could then combine these words in various combinations (in an automated way, of course), and eventually stumble upon your password and break in to your account.

Pass the salt

In comes the concept of a salt. While this at first just sounds like a tasty condiment, in the world of computers and security this really just refers to a random string.

Unlike our FJSHARF$%^&TGIUND hash above, which will produce the same result for a given input, a salt is truly random. Calling your salt function might produce ukf67rfi7uyf or it might produce 7t3or8agi4 at any given time.

This random string is used as a second input for your hashing function, so that its value actually changes the output. See at the top how we've used bcrypt's genSaltSync function as another parameter. If we were to feed a different salt in with the unhashed string, we'd get an entirely new hashed output.

salt = generateSalt() 
// ukf67rfi7uyf
A = hash(password, salt)
// returns hashed password alongside the salt, like F5ED4%$DAA/ukf67rfi7uyf

This salt is stored alongside your hashed password value in the database, so you can match the passwords later entered by users.

The key about why this is awesome is - this second salt parameter means that instead of having one hashing function, you essentially have as many different functions as random strings you can generate with your hashing function.

Without knowing the salt value as well, it's damn near impossible to guess your password...even if you know the hashing function! I say 'near' because it's technically possible, but it would take years of computing cycles for a single password. Essentially, you'd have to generate not one rainbow table, but an incredible number of them (all the possible salts), and then run every possible word through all of those.

Needless to say - it's unlikely to happen.

Captain hashfunc, he's our hero

Hopefully you'll have come out of this text with a better understanding of why hashing and salts are truly essential technologies in our age. When I first learned this it blew my mind, and hopefully it will for you as well.

For more information, definitely check out the article on bcrypt on wikipedia and, if you're a Javascript developer, the npm bcrypt module.


development , security , javascript , hashing

About the author
comments powered by Disqus