Implementing Expensive Salt for Secure Password Storage

Your users’ passwords are some of the most sensitive data you hold. You don’t want anyone else to see them or steal them, right? Well, one way to protect them is with what people loosely call an “expensive salt”: a random, per-password salt combined with a deliberately slow (expensive) hash function.

Now, let me explain what I mean by “expensive”. When we say something is expensive, it doesn’t necessarily mean that you have to pay a lot of money for it (although in some cases, that might be true). In computer science terms, when we talk about an expensive operation or function, we mean that it takes a lot of time, memory, or both to execute. For password hashing, that cost is by design and is set by a tunable cost parameter (bcrypt’s work factor, scrypt’s N/r/p, Argon2’s time and memory cost).

So, how does this relate to password storage? Well, let’s say you have a list of 100 passwords and you want to store them in your database. If you store the plain text version of each password, then the moment your database leaks (SQL injection, a stolen backup, a misconfigured bucket), every one of those passwords is exposed immediately. Instead, you hash each password with a fresh random salt and a slow, tunable hash function, and store only the salt, the cost parameters, and the resulting hash.

What’s a salt, you ask? A salt is basically a random string that gets combined with your password before it’s hashed. The salt doesn’t have to be secret; it is stored right next to the hash. Its job is to make every stored hash unique, even for two users with the same password. That defeats pre-computed attacks such as rainbow tables (large, precomputed hash-to-password lookup structures built once and reused against any unsalted database): with a different salt per password, the attacker can’t reuse any precomputation and has to attack each password separately.

Now, let me explain how the expensive salt works in more detail. First, you generate a random salt for each password that’s being stored, using a cryptographically secure random number generator. Sixteen bytes (128 bits) is the standard choice; a salt of several kilobytes buys you nothing, because the salt’s only job is to be unique and unpredictable. Next, you feed the salt and the password into a slow, salted hashing function such as bcrypt, scrypt, or Argon2id (or PBKDF2 where those aren’t available). These functions take the salt as a parameter, so you don’t hand-concatenate salt and password yourself; bcrypt libraries will even generate the salt for you and embed it in the output string. Finally, you store the salt, the cost parameters, and the hash together, so you can re-run the exact same computation when the user logs in.

The reason why we use a slow hashing function is that it makes it much more difficult for attackers to crack a stolen password database by brute force or dictionary attack (i.e., trying many candidate passwords until one produces the stored hash). Every guess costs the attacker the full price of the hash, and because each password has its own salt, the work can’t be shared across users. Note that the expense comes from the hash function’s cost parameter, not from the salt itself, which is cheap to generate. You tune that cost so a single login takes on the order of tens to a few hundred milliseconds on your servers, which is unnoticeable to a user but turns billions of guesses per second into thousands for an attacker, and you raise it as hardware gets faster.
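Here is the whole scheme in working code, as an added example that is not part of the original article. It uses scrypt from Python’s standard library (hashlib.scrypt) with a 16-byte random salt from the secrets module, stores the salt and cost parameters alongside the hash in a self-describing record, and verifies with a constant-time comparison. The record format (“scrypt$log2(N)$r$p$salt$hash”) and the cost values are my own choices for the example, not something the article prescribes.

```python
"""Salted, deliberately slow password hashing with scrypt (added example)."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Cost parameters (an assumption for this example): N is the CPU/memory cost
# and must be a power of two, r the block size, p the parallelism.
# N=2**14, r=8 uses about 128*r*N bytes = 16 MiB per hash and tens of
# milliseconds of CPU. Raise N over time as hardware gets faster.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16   # 128 bits of randomness; a longer salt adds nothing
KEY_BYTES = 32    # length of the derived hash


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record "scrypt$log2(N)$r$p$salt$hash" so the
    verifier can recompute with exactly the same salt and cost later, and so
    the cost can be raised for new records without breaking old ones.
    The optional salt argument exists only for tests; production callers
    should let the function draw a new random salt every time.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # CSPRNG, unique per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    log_n = SCRYPT_N.bit_length() - 1
    return f"scrypt${log_n}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/parameters and compare.

    hmac.compare_digest runs in constant time, so an attacker cannot learn
    how many leading bytes matched by timing the comparison.
    """
    try:
        scheme, log_n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=2 ** int(log_n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:
        # Malformed record, bad base64, or unsupported parameters: reject
        # rather than crash (binascii.Error is a subclass of ValueError).
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users with the same password get different records because the
    # salt differs, so a precomputed table for one is useless against the other.
    first = hash_password("hunter2")
    second = hash_password("hunter2")
    print(first)
    print(second)
    print("records differ:", first != second)
    print("correct password verifies:", verify_password("hunter2", first))
    print("wrong password rejected:", verify_password("hunter3", first))
```

Because the parameters travel with each record, you can raise SCRYPT_N next year and simply rehash each user on their next successful login; old records keep verifying with their old cost in the meantime.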

That’s how implementing an expensive salt can help secure your password storage. It may seem like a small thing, but trust me, it makes a big difference in terms of protecting your sensitive information from prying eyes and malicious actors. It isn’t a cure-all, though: it slows down offline cracking of a stolen database, but it does nothing against a weak password that an attacker can guess in a handful of tries, so pair it with rate limiting on login and sensible password policies.

SICORPS