Proton

If you’re comparing different password managers or researching password security, you’ll quickly run into terms like hashing and salting. While these terms might sound like steps you take to make breakfast potatoes, they’re actually processes that are essential to securing any online account. 

This article explains what password hashing and salting mean, how they work, and why they’re necessary.

  • Password hashing
  • Password salting
  • How we secure passwords at Proton

Password hashing

Hashing is a way to scramble information into a fixed-length string of letters and numbers. You can take unencrypted information, be it a password, image, or entire book, and feed it into a hash function, which turns that information into a hash value with a specific number of characters. For example, SHA-256, one of the most common hash functions, always creates 256-bit (32-byte) hash values.

Create your own hash values

Besides creating a fixed-length product, there are three other things that distinguish hashing from standard encryption. Hashing is:

  • Irreversible — You cannot “unhash” a hash value (that is, regenerate the original information from it), no matter what you do.
  • Deterministic — If you enter the same input information into a hash function, it will return the same hash value every time. 
  • Unpredictable — It should be almost impossible to guess the resulting hash value for any given input. In fact, if you can take a hash value and easily guess or create the input that would generate that hash value, then that hash function should be considered vulnerable and avoided.

These three characteristics make hashing a good way to securely store and verify passwords. 

Hashing, password storage, and password authentication

When you create a new online account, you invariably provide a username (usually your email address) and create a password. This lets the service know who you are and verify that it’s actually you.

But the password creates a tricky problem for service providers. They essentially have three options. They can store your password in plaintext, encrypted, or hashed. 

It doesn’t take a cybersecurity expert to see the problems with storing passwords in plaintext. This would let the service access your account whenever it wants, and your password would be exposed if there was ever a breach. 

Encryption also doesn’t work. If a service encrypts a password using keys it controls, it can still access your password whenever it wants (and potentially expose it in a breach). And it can’t encrypt your password using a key it doesn’t control (a key that’s on your device, for example) because that doesn’t allow it to verify that your password is correct when you log in.

Hashing is a good compromise. Because hashing is irreversible, a service can store your password as a hash and assure its users that it can’t access their accounts and that their passwords will be safe in a breach.

And because hashing is deterministic, a service can verify a password by hashing what you enter at login and comparing the result with the stored hash value. If the two hash values match, the service knows the inputs (the passwords) match, even if the service doesn’t know what the actual password is.

It’s a clever system, but hashing has an issue with predictability. You can assume that one of the most common passwords for any service will be “password”. With this information, you can probably find the accounts that use “password” simply by looking at the most repeated hash values.

In fact, there is a cyberattack devoted to cracking hashes using so-called rainbow tables, which compile hashes and try to make sense of the rules governing them in large tables. They’re effective exactly because hashes are predictable.

Password salting

To minimize a hash function’s predictability, programmers use salting. Salting is a technique that takes the predictable hash function and adds some extra “flavor” — hence the term “salt” — in the form of unpredictability. A salt is a short set of random characters added to each password before it’s hashed. 

What makes a salt special is that each one is unique to each user. If you create a password with a service, it’s assigned a salt that nobody else has. If you change your password, some services will use a new salt to go with it. This essentially ensures that no password (and therefore, no hash value) is ever repeated as long as a new, random salt value is used for each new password. 

This makes the task of any would-be attacker a lot harder. Their rainbow tables are useless since salting makes the hash values unpredictable. All that remains is to make sure that your password is random enough to deter any dictionary attacks.
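The difference between unsalted and salted storage described above, as an added example that is not Proton's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the password hash (an assumption; the page does not prescribe one for servers), and the function names, work factor, and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: deterministic, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_record(password: str) -> dict:
    """Build a stored record with a fresh random 16-byte salt for this password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Re-hash the login attempt with the stored salt; compare in constant time."""
    attempt = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(attempt, record["hash"])


def repeated_hashes(hashes) -> dict:
    """Return the hash values that occur more than once in a credential table."""
    return {h: n for h, n in Counter(hashes).items() if n > 1}


# Constructed sample accounts: two users picked the same weak password.
USERS = {"alice": "password", "bob": "password", "carol": "x9!Lq2#vTz"}


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: new_record(p) for u, p in USERS.items()}
    return {
        "unsalted_repeats": repeated_hashes(unsalted.values()),
        "salted_repeats": repeated_hashes(r["hash"] for r in salted.values()),
        "login_ok": verify("password", salted["alice"]),
        "login_bad": verify("passw0rd", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same `repeated_hashes` check can be run over an existing credential table as an audit: any repeated value means the stored hashes are unsalted or share a salt.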

How we secure passwords at Proton

At Proton, we put our users’ privacy and security first. We never send your password to our servers, relying instead on the Secure Remote Password (SRP) protocol. SRP allows a user to authenticate themselves to a server (and vice versa) by proving that they know the password without sharing the password itself or any information that an attacker could use to derive the password (like a hash sum, for example). Your password remains secure on your device. 

Learn more about how Proton uses SRP

We do use hashing and salting, but for your account keys. Once you successfully log in, Proton sends your account keys to your client. Your client then salts and hashes your password using bcrypt and uses the resulting hash value as the key to decrypt your account key. Once your account key is decrypted, it can then be used to access your emails, calendars, etc. This process happens locally on your device so your password and hash never leave it.

You can extend this level of protection to your other accounts as well with Proton Pass, our end-to-end encrypted password manager.

As you can read in our full breakdown of the Proton Pass security model, we end-to-end encrypt your passwords individually as well as the vaults where you store them, preventing anyone, including us, from being able to see your items at any point in the transfer process. 

We can offer this kind of enhanced security because we’re funded entirely by you, our users. Without shareholders or venture capital investors to worry about, we can focus on developing tools that offer the very best in security and usability without cutting costs or corners.
The result is a service that puts you first, whether it’s having the best encryption technology or offering a best-in-class interface. If that sounds like something you would like to try for yourself, join Proton Pass today.
