Insights For Success


What is salting and hashing a password?

General | Edward Kiledjian

The LastPass hacking saga has led to non-technical users reading articles using terms such as salting and hashing, which may seem alien to them. A few people contacted me asking what they do, and I wanted to write a short post describing them.

Salting is the process of adding random data, referred to as a "salt", to a password before it is hashed. This technique helps protect against dictionary attacks, in which an attacker attempts to crack a hashed password using a pre-computed list of common passwords and their hashes. A unique salt is added to each password, so the stored hash value will be different even if the same password is used multiple times.

The process of hashing involves taking an input (or message) and converting it into a fixed-length string of characters called a 'hash value'. The same input will always produce the same hash value; however, a minor change to the input will result in a vastly different hash value. As a result, it is extremely difficult for an attacker to reverse engineer the original input from the hash value.

The combination of salting and hashing provides a high level of protection for passwords and other sensitive information. During the creation of a password, the salt is added to the password, and the resulting value is hashed. The hashed value, as well as the salt, is then stored in a database. When the user enters their password to log in, the system adds the same salt to the entered password, hashes it, and compares the resulting value to the stored hash. Access is granted to the user if the values match.
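The registration and login steps described above, as an added example that is not part of the original post. It uses Python's standard library only; the salt length, the choice of PBKDF2-HMAC-SHA256 as the slow hash, and the iteration count are assumptions for this example, not values from the post.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this added example (not from the post).
SALT_BYTES = 16               # 128-bit random salt per password
PBKDF2_ITERATIONS = 600_000   # work factor; slows down guessing
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is generated unless one is
    supplied; supplying one is how the login step re-applies the stored salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def store_record(password: str) -> dict:
    """Password creation: salt, hash, and keep only salt + hash (never the password)."""
    salt, digest = hash_password(password)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Login: add the same stored salt to the attempt, hash it, and compare
    against the stored hash. compare_digest avoids timing leaks."""
    salt = bytes.fromhex(record["salt"])
    _, digest = hash_password(attempt, salt)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_differs(password: str) -> bool:
    """Two users choosing the same password get different stored hashes,
    because each gets its own salt; this is what defeats precomputed lists."""
    first = store_record(password)
    second = store_record(password)
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]


if __name__ == "__main__":
    record = store_record("correct horse battery staple")   # constructed sample
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong password"))                # False
    print(same_password_differs("hunter2"))                         # True
```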

Although salting and hashing provide a high level of security, they are not foolproof. Therefore, you should still use a strong and unique password.

Keywords: Salting, Hashing, Encryption, Password security, Dictionary attacks, Data privacy, Hash functions, Cryptography, Information security, Data integrity, One-way functions, Secure password management, Hash algorithm, Password hashing, Password protection.

Unlocking the Secrets of ECB and CBC: A Guide to Encryption Methods

General | Edward Kiledjian

Cryptography methods such as Electronic Code Book (ECB) and Cipher Block Chaining (CBC) are widely used.

ECB is a simple method of encrypting plaintext by dividing it into fixed-size blocks and encrypting each block independently using the same secret key. In other words, if the same plaintext block appears more than once in the message, it will be encrypted into the same ciphertext block, so repeated plaintext is visible as repeated ciphertext. The ECB encryption method is relatively easy to implement; however, it is vulnerable to certain types of attacks, such as pattern recognition.

By contrast, CBC is a more secure encryption method that addresses this weakness of ECB. CBC encrypts plaintext blocks using the same key, but first combines each plaintext block with the previous ciphertext block through an XOR operation. Thus, even if the same plaintext block appears multiple times in the message, it will be encrypted to a different ciphertext block each time.

The major difference between ECB and CBC is that ECB encrypts each block independently, whereas CBC chains each block to the previous ciphertext block. CBC is therefore considered more secure and more resistant to pattern recognition attacks than ECB.

Implementation of CBC mode requires an initialization vector (IV), a random value that is XORed with the first plaintext block before encryption, since that block has no previous ciphertext block to chain to. The IV is sent along with the encrypted message so the receiver can use it to decrypt the message.

ECB and CBC are symmetric-key encryption methods, meaning that the same key is used for encryption and decryption. As computing power increases, it becomes increasingly important to use more secure encryption methods, such as AES-GCM or RSA-OAEP.

Keywords: Encryption, ECB (Electronic Code Book), CBC (Cipher Block Chaining), Symmetric-key encryption, AES-GCM, RSA-OAEP, Data security, Pattern recognition attack, Initialization vector (IV), Encryption methods, Data privacy, Information security