Add Salt To Make Your Encryptions Better

Encryption

Needing Salt

There are few things that aren't better once salt has been added, and encryption is no different. Adding a salt can make a simple encryption exponentially harder to break or crack. "Salt data complicates dictionary attacks that use pre-encryption of dictionary entries: Each bit of salt used doubles the amount of storage and computation required" (Wikipedia). By adding a good-sized salt, the encryption becomes very difficult to break by dictionary or other brute-force attacks. A lot of programmers rely entirely on md5 encryption for storing passwords because it is built into both PHP and MySQL. While md5 is an easy function to implement, it is pretty easily reversed using rainbow tables. Thankfully, there are many other available encryption options that include salt, and the best part about adding salt to your encryption is how easily it can be done.

Adding Salt

  • PHP - crypt("string to encrypt", "salt")
  • Perl - crypt("string to encrypt", "salt")
  • ASP - Set crypt = Server.CreateObject("Persits.CryptoManager")
    Set ctx = crypt.OpenContext("", True)
    Set hash = ctx.CreateHash
    hash.AddText Request("string to encrypt") & salt
    hashvalue = hash.Value.Hex
  • Ruby On Rails - "string to encrypt".crypt("salt")
  • Python - import crypt; crypt.crypt("string to encrypt", "salt")

Enjoying Salt

Now that you have added salt to your encryption, I'm sure you would like to know how much more secure that encrypted string really is. This is actually a very easy calculation. Let's say, for example, that you know your users are creating easy passwords that they can remember and are therefore picking words out of the dictionary. The users are picking from, let's say, around 100,000 of the words in the English language. Using encryption without salt, a basic brute-force attack would have to compute 100,000 hashes to find the correct one. On the other hand, if you take their password from the dictionary and add a salt, using say a 32-bit salt, the same size as md5 encryption, you multiply the word possibilities by the salt possibilities; see below:

  • Password Possibilities: 100,000
  • Salt Possibilities: 2^32

Hash calculations needed = Password Possibilities * Salt Possibilities
                        = 100,000 * 2^32
                        = 429,496,729,600,000

This basic calculation shows that simply adding a salt makes the encryption 4,294,967,296 times harder to break.
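The salted-storage scheme from "Adding Salt" and the work-factor arithmetic from "Enjoying Salt", worked through as an added example (not code from the original post). It uses Python's hashlib rather than crypt(), and the 4-byte salt and 100,000-word dictionary are constructed to match the post's numbers.

```python
import hashlib
import secrets
from typing import Optional

# Constructed parameters matching the post's arithmetic (not from the original post).
SALT_BYTES = 4           # a 32-bit salt
DICTIONARY_WORDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' for the salted password.

    The salt is random per user and stored in the clear beside the digest.
    It is not a secret: its job is to make every user's hash unique, so a
    table precomputed for one salt value is useless against any other.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


def table_entries(words: int, salt_bits: int) -> int:
    """Hashes an attacker must precompute to cover every word under every
    possible salt: the post's 'Password Possibilities * Salt Possibilities'."""
    return words * 2 ** salt_bits


if __name__ == "__main__":
    record = hash_password("password")
    print(record)                                  # e.g. 1a2b3c4d$e3b0c442...
    print(verify_password("password", record))     # True
    print(verify_password("Password", record))     # False
    print(table_entries(DICTIONARY_WORDS, 0))      # 100000 (unsalted)
    print(table_entries(DICTIONARY_WORDS, 32))     # 429496729600000
```

Two users who pick the same word end up with different records, which is what defeats a shared precomputed table.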

2 Comments

  • Eric on Tuesday, April 28, 2009 at 9:24 am says...

    Very helpful. Simple enough to understand. Thanks for showing some code examples.

  • Human_Bagel on Thursday, September 3, 2009 at 2:07 pm says...

    I would personally use the hash() function in PHP, as the crypt() function creates a weak hash.
    Example:
    hash('whirlpool', $string . $salt);

    or

    hash('ripemd160', $string . $salt);

    Another point to consider is to not use printable characters for salts. I like to use unicode, such as in PHP:
    $salt = chr(2231) . chr(7761) . chr(1211) . "\s \t\b";