What is a Password Hash and Salt?
By Stephen Bucaro
If you have a web application that requires user accounts, never store a user's password as plain-text.
When a user creates a password, a hashing algorithm is performed on the password before it is stored in
a database. When the user attempts to login, the password that they enter is hashed, and compared to the
hashed value stored for that particular user name.
Hashing algorithm is similar to encryption in that a secret key is used with a mathematical algorithm
to create a hash, except hashing always produces a fixed length result, regardless of the length of
the password being hashed. In addition, a hashing algorithm is a one-way operation, even if you know
the key you can not use it to reverse the hash.
To increase the security of a hashed password, a random value called salt is added to the hash
value. The salt value is generated one time when the user creates their password, and it is stored
along with the user's hashed password. Adding a random salt value to a user's hashed password insures
that two users with the same password have different salted hashes.
• It would NOT be a good idea to inform a prospective user (possible hacker) that a
particular password is already in use.
If you don't want to create your own hashing function, you can use an existing standard hashing function.
| Algorythm | Hash Length |
| MD5 | 128 |
| AES | 256 |
| SHA-1 | 160 |
| SHA-256 | 256 |
• SHA stands for (Secure Hashing Algorithm) stands for AES (Advanced Encryption Standard).
There are many more standard hashing algorithms.
You could design your own hashing algorithm, or use the code available on the Internet for one of the
standard algorithms. Programming languages include hashing functions, for example PHP's hash() function.
Example code of PHP's hash() function use is shown below.
$password = hash("sha256", $password);
Note the first parameter to the hash function is the name of the hash algorithm to use. The second
parameter is the password string to be hashed. The function returns the hashed string.
More Network Security Articles:
• Firewall Internet Security - The Basics of a Firewall
• Cyber Security Tips for Small and Medium Business (SMB)
• Types of DoS (Denial of Service) Attacks
• Network Security by Filtering
• Difference Between Rule and Role Based Access Control
• Design a Network Security Policy
• Network Security Model - Defining an Enterprise Security Strategy
• How to Tell if Someone is Lurking on Your Wireless Network
• Prevent Hacking with Password-Cracking Countermeasures
• What is a Botnet Attack and How to Identify It?
| 
About BTH
User Agreement
Privacy
Site Map
Contact
News Feeds
RSS Feed
Follow @Stephen Bucaro
Basics and Certification
