(Continued from page 22)

…not, then you should.

Let the cook add the salt.

In this case, the 'cook' is the guy in the IT shop who wrote the routines that are hashing and saving the password you entered. Salting is adding something to the input before hashing it to make the hash different. For instance, adding the word Salt to helloworld and then hashing helloworldSalt OR Salthelloworld will generate new, unique hash values. This is good.

Here is how it works. (And I am going to shorten the hash just to make this readable.)

If helloworld = fc5e0380 then helloworldSalt = er8d25a9

Now when they look for fc5e0380 (the word in their standard password list), they will not find it.

The bad guys will have to re-do their entire hash table dictionary if the cook adds the same salt to every word when they hash it. Thus, more time is added, delaying their access, and costing them money.

But the better site managers change the Salt shaker on every item. So the Salt can (must) be different (random) for every single entry in the database. This really disrupts the hacker's day because they must re-hash every standard password with every salt. That is effectively impossible.

Using our example, we could have three customers with the same password but now (salted with 'Salt,' '69b21' and 'pqv42'):

1 helloworldSalt = er8d25a9
2 helloworld69b21 = a6d51cbc
3 helloworldpqv42 = f56702622

Now no matter what they have in their dictionary for helloworld, they can never find it in the target file.

For more about Salting, plus a very excellent description of the Dictionary process I have described, you should read (5) at https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/

Salt it yourself

But wait, you say. I do not know if that site is using Salt (and no one should ever answer that question about their data). So, what can you, as the customer, do? Bring your own Salt!

Salt all your passwords. Use whatever trick works for you to add your special something to EVERY password you create.

Also, if you use a short-length Master password for your Password Manager, Salt it too. (Or better yet, make it a long, easy phrase.) Simply add Salt when you type it in. Now, if anyone finds that sticky note that says your password is 'Arenteyespecial?' they will get nowhere without your special seasoning. (And no, don't write your salt down next to the beef.) And for all the passwords in your Password Manager, store them plain, and add the Salt during your login, and no one would ever know. If your plain character passwords are ever compromised, none of those passwords will work. Frustrating the bad guy, saving your bacon (and everything is better with bacon).

SO, here are some lessons learned.

• Always use a Password Manager program or app with a long master passphrase
• Create a long and seemingly random password for every site (easy to do with most Password Manager programs/apps)
• Change that password periodically
• Never reuse that password on other websites
• Add Salt (8 to 12 characters is a good start)

And did I mention… You should always use a Password Manager 'cuz your memory ain't that great.

In part 2, titled 'The Monkey & the Typewriter,' I will teach you how those hash algorithms work, why no one can reverse (un-encrypt, decode, break, crack, hack - call it what you want) a hashed input. And I will even make you smart enough to create an 11-character hash when given a LONG input string. I promise you will never try to reverse a hash again. And I will show you more examples of how the bad guys do their thing to make you think they are

(Continued on page 24)
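The column's three storage schemes (no salt, one site-wide salt, a random salt per entry) can be modelled in a few lines. The Python below is an added example, not code from the bulletin or its author; the password list, the three customers sharing "helloworld", and the salts are constructed sample data, and it uses PBKDF2-HMAC-SHA256 for the salted version where the column's shortened examples use a bare hash. It shows why a precomputed "hash table dictionary" stops matching once any salt is in play, and why only a per-entry random salt also hides the fact that three customers picked the same password.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example: an attacker's "standard password
# list" and three customers who happen to share the same password.
DICTIONARY = ["123456", "password", "helloworld", "letmein", "qwerty"]
SAMPLE_USERS = {"alice": "helloworld", "bob": "helloworld", "carol": "helloworld"}
ITERATIONS = 50_000  # PBKDF2 work factor; production deployments tune this higher


def unsalted_hash(password: str) -> str:
    """Bare hash of the password: the scheme a precomputed table defeats."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted hash using PBKDF2-HMAC-SHA256, a slow keyed derivation rather
    than the bare hash in the column's shortened examples."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def build_lookup_table(words):
    """The attacker's 'hash table dictionary': unsalted hash -> plaintext word."""
    return {unsalted_hash(w): w for w in words}


def store_unsalted(users):
    """No salt at all. Entries are (salt, hash) tuples with an empty salt so
    every store has the same shape."""
    return {name: (b"", unsalted_hash(pw)) for name, pw in users.items()}


def store_global_salt(users, site_salt: bytes):
    """The cook adds the SAME salt to every entry. The table must be rebuilt
    once per site, but customers sharing a password still share a hash."""
    return {name: (site_salt, salted_hash(pw, site_salt)) for name, pw in users.items()}


def store_per_user_salt(users):
    """A fresh random salt per entry, stored beside the hash. Identical
    passwords now produce different hashes, and any table must be rebuilt
    per entry rather than per site."""
    db = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, salted_hash(pw, salt))
    return db


def verify(db, name: str, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare in
    constant time."""
    salt, stored = db[name]
    return hmac.compare_digest(salted_hash(attempt, salt), stored)


def table_hits(table, db) -> int:
    """How many stored hashes the precomputed table identifies outright."""
    return sum(1 for _, h in db.values() if h in table)


def distinct_hashes(db) -> int:
    """How many different hash values the database holds; fewer than the
    number of users means shared passwords are visible at a glance."""
    return len({h for _, h in db.values()})


if __name__ == "__main__":
    table = build_lookup_table(DICTIONARY)
    plain = store_unsalted(SAMPLE_USERS)
    print("unsalted:      hits =", table_hits(table, plain), "distinct =", distinct_hashes(plain))
    site = store_global_salt(SAMPLE_USERS, b"Salt")
    print("global salt:   hits =", table_hits(table, site), "distinct =", distinct_hashes(site))
    per_user = store_per_user_salt(SAMPLE_USERS)
    print("per-user salt: hits =", table_hits(table, per_user), "distinct =", distinct_hashes(per_user))
    print("alice logs in with the right password:", verify(per_user, "alice", "helloworld"))
```

Running it, the unsalted store gives the table three immediate hits and a single repeated hash; the site-wide salt gives zero hits but still one hash for all three customers; the per-user salt gives zero hits and three different hashes, while `verify` still accepts the correct password because the salt is stored next to the hash, exactly as the column describes.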
Cyber Awareness Bulletin 23 October 2021