NanoToolkit Blog


Password Security is all about degrees of difficulty

Most modern applications hash their passwords using some variant of a one-way hashing algorithm such as SHA-1 or SHA-256. Most of these apps also add a salt to the password before hashing it.

Some folks subscribe to the idea that you should hash a password repeatedly, n times over. This is chained (iterated) hashing. It also increases the work required of any attacker trying to recover the password from the hash, because each guess has to be pushed through the same chain of n hashes, so the extra compute falls far more heavily on the guessing side than on a legitimate login check.

The challenge, of course, is that you shouldn't really use the same salt for all your passwords. Nor can you simply generate a fresh random salt each time you need one, because then there is no way for you to reproduce that exact salt when you recompute the one-way hash. One conclusion might be to use some arbitrary piece of data, such as a timestamp or the first name the user originally provided, as the salt. It is also possible to persist the salt used for hashing. But the reality is that if somebody manages to steal your data, they might just as easily steal your code as well. So what is the best path forward? One solution is to build the salt from a partially hardcoded component in your code combined with a component derived from the timestamp of when the user set their password. You can increase the variation further by changing the hardcoded portion of the salt depending on the month and/or the hour in which the password was hashed.
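The following is an added example, not code from the NanoToolkit blog, showing the two ideas above working together: iterated hashing with a per-user salt that is persisted in the stored record so the hash can be recomputed at login, plus a server-side secret (`SERVER_PEPPER`, a constructed placeholder value) standing in for the post's "partially hardcoded" salt component that lives in code rather than beside the data. The record format `iterations$salt$digest`, the function names and the iteration count are all assumptions of this example. It also shows why per-user salts matter: with a fixed salt, two users sharing a password produce identical records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder for the "hardcoded in code" component the post describes.
# In a real deployment it would come from configuration kept apart from the user database.
SERVER_PEPPER = b"example-pepper-placeholder"

# The "n number of times" chained hashing; PBKDF2-HMAC performs the chain internally.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record of the form "iterations$salt_hex$digest_hex".

    The per-user salt is random and is persisted inside the record: it does not
    need to be secret, it only needs to be unique, so it can always be reproduced
    at login. The pepper is applied as a final HMAC so that a stolen database
    alone is not enough to start guessing.
    """
    if salt is None:
        salt = os.urandom(16)
    chained = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    digest = hmac.new(SERVER_PEPPER, chained, "sha256").digest()
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the salt stored in the record and compare in constant time."""
    iterations_text, salt_hex, digest_hex = record.split("$")
    iterations = int(iterations_text)
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    chained = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    actual = hmac.new(SERVER_PEPPER, chained, "sha256").digest()
    return hmac.compare_digest(actual, expected)


def records_reveal_shared_password(record_a: str, record_b: str) -> bool:
    """True when two stored records are identical, i.e. an attacker holding the
    database can see that both users chose the same password. This happens with a
    fixed salt and never with per-user random salts."""
    return record_a.split("$")[2] == record_b.split("$")[2]


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("wrong guess", stored))

    # Same password, fixed salt: the records collide and leak that fact.
    fixed = b"\x00" * 16
    print("fixed salt leaks shared password:",
          records_reveal_shared_password(hash_password("hunter2", fixed),
                                         hash_password("hunter2", fixed)))
    # Same password, per-user random salt: the records differ.
    print("random salt leaks shared password:",
          records_reveal_shared_password(hash_password("hunter2"), hash_password("hunter2")))
```

The iteration count is what sets the "degree of difficulty": raising it makes every guess an attacker must test proportionally slower, while a legitimate login pays the cost only once.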