You have probably read about PBKDF2 if you have read any article discussing the LastPass hack or reviewing the security of a password manager. For non-technical readers, I wanted to write a quick explanation.

PBKDF2 (Password-Based Key Derivation Function 2) is a widely used method of protecting passwords.

A key derivation function such as PBKDF2 is designed to make it more difficult for an attacker to crack a password, even if they possess the hashed password value. This is accomplished by adding a "work factor," or iteration count, to the password hashing process. Iteration count refers to the number of times the hashing function is applied to the password, making cracking the password much more computationally costly.

PBKDF2 is widely used in a variety of applications, including online services, financial systems, and mobile devices.

With PBKDF2, the user's password is concatenated with a salt and the iteration count, and the result is then hashed using a cryptographic hash function such as SHA-256. The salt, the number of iterations, and the resulting hash value are then stored in a database. Upon logging in, the system uses the same salt, iteration count, and hash function to compare the entered password with the stored hash. The user is granted access if the values match.

It is important to use a strong and unique password and keep the salt and hashed values secure. Even though PBKDF2 is considered a strong method, more advanced key derivation functions such as bcrypt and scrypt are now available and recommended where more stringent security is required.

Keywords: PBKDF2 (Password-Based Key Derivation Function 2), Password protection, Key derivation function, Hashed password, Iteration count, Cryptographic hash function, SHA-256, Password storage, NIST guidelines, Security, Encryption, bcrypt, script, Work factor, Data privacy, Information security

What is salting and hashing a password?

January 24, 2023GeneralEdward Kiledjian

The LastPass hacking saga has led to non-technical users reading articles using terms such as salting and hashing, which may seem alien to them. A few people contacted me asking what they do, and I wanted to write a short post describing them.

Salting is the process of adding random data, referred to as "a salt," to a password before it is hashed. This technique helps protect against dictionary attacks, in which an attacker attempts to crack a hashed password using a pre-computed list of common passwords. A unique salt is added to each password so that the hashed value will be different even if the same password is used multiple times.

The process of hashing involves taking an input (or message) and converting it into a fixed-length string of characters called a 'hash value'. The same input will always produce the same hash value; however, a minor change to the input will result in a vastly different hash value. As a result, it is extremely difficult for an attacker to reverse engineer the original input from the hash value.

The combination of salting and hashing provides a high level of protection for passwords and other sensitive information. During the creation of a password, the salt is added to the password, and the resulting value is hashed. The hashed value, as well as the salt, is then stored in a database. When the user enters their password to log in, the system adds the same salt to the entered password, hashes it, and compares the resulting value to the stored hash. Access is granted to the user if the values match.

Although salting and hashing provide a high level of security, they are not foolproof. Therefore, you should still use a strong and unique password.

Keywords: Salting, Hashing, Encryption, Password security, Dictionary attacks, Data privacy, Hash functions, Cryptography, Information security, Data integrity, One-way functions, Secure password management, Hash algorithm, Password hashing, Password protection.

What is PBKDF2?

What is salting and hashing a password?

A Little About Me —