Password Salting is a technique used to help protect passwords stored in a database from being reverse-engineered by hackers who might breach the environment. Password salting involves adding a string of between 32 or more characters to a password and then hashing it. Password salting is one of the most secure ways to protect passwords stored for future authentication without exposing them should your website be breached in the future. However, salted passwords must also be iteratively hashed multiple times for this protection to work. When salting and recursive hashing are employed, Rainbow Tables become useless for password cracking.
What does this mean for an SMB?
- Make sure the salt isn’t too short and do not simply use the usernames of the password as your salts. Salts should be 32 characters or longer in length.
- Avoid using outdated hashing algorithms, such as MD5 and SHA1.
- Ensure you hash the salted passwords multiple times. For the average website, you’ll want to recursively hash 1000’s of times. If you’re like LastPass, storing the Master Password, you’ll need to perform 100,000 recursive hashes before storing the results for future comparison.
- Finally, the first and best prevention method is to educate your employees on the threats they face. Educating your employees on the cybersecurity basics can stop these attacks before they succeed.