Proton

If you’re comparing different password managers or researching password security, you’ll quickly run into terms like hashing and salting. While these terms might sound like steps you take to make breakfast potatoes, they’re actually processes that are essential to securing any online account. 

This article explains what password hashing and salting mean, how they work, and why they’re necessary.

Password hashing

Password salting

How we secure passwords at Proton

Password hashing

Hashing is a way to scramble information into a fixed-length string of letters and numbers. You  can take unencrypted information, be it a password, image, or entire book, and feed it into a hash function, which turns that information into a hash value with a specific number of characters. For example, SHA-256, one of the most common hash functions, always creates 256-bit (32-byte) hash values.

Create your own hash values(new window)

Besides creating a fixed-length product, there are two other things that distinguish hashing from standard encryption. Hashing is:

  • Irreversible — You cannot “unhash” (or regenerate the original information) a hash value no matter what you do. 
  • Deterministic — If you enter the same input information into a hash function, it will return the same hash value every time. 
  • Unpredictable — It should be almost impossible to guess its resulting hash value for any given input information. In fact, if you can take a hash value and easily guess or create the input that would generate that hash value, then that hash function should be considered vulnerable and avoided.

These three characteristics make hashing a good way to securely store and verify passwords. 

Hashing, password storage, and password authentication

When you create a new online account, you invariably provide a username (usually your email address) and create a password. This lets the service know who you are and verify that it’s actually you.

But the password creates a tricky problem for service providers. They essentially have three options. They can store your password in plaintext, encrypted, or hashed. 

It doesn’t take a cybersecurity expert to see the problems with storing passwords in plaintext. This would let the service access your account whenever it wants, and your password would be exposed if there was ever a breach. 

Encryption also doesn’t work. If a service encrypts a password using keys it controls, it can still access your password whenever (and potentially expose it in a breach). And it can’t encrypt your password using a key it doesn’t control (a key that’s on your device, for example) because that doesn’t allow it to verify that your password is correct when you log in. 

Hashing is a good compromise. Because hashing is irreversible, services can store your password and assure its users that it can’t access their accounts and that their passwords will be safe in a breach. 

And because hashing is deterministic, a service can verify a password by comparing the two hash values. If the hash values match, the service knows the input information (the passwords) match, even if the service doesn’t know what the actual password is.  

It’s a clever system, but hashing has an issue with predictability. If you assume that one of the most common passwords for any service will be “password”. With this information, you can probably find the accounts that use “password” simply by looking at the most repeated hash values.

In fact, there is a cyberattack devoted to cracking hashes using so-called rainbow tables, which compile hashes and try to make sense of the rules governing them in large tables. They’re effective exactly because hashes are predictable.

Password salting

To minimize a hash function’s predictability, programmers use salting. Salting is a technique that takes the predictable hash function and adds some extra “flavor” — hence the term “salt” — in the form of unpredictability. A salt is a short set of random characters added to each password before it’s hashed. 

What makes a salt special is that each one is unique to each user. If you create a password with a service, it’s assigned a salt that nobody else has. If you change your password, some services will use a new salt to go with it. This essentially ensures that no password (and therefore, no hash value) is ever repeated as long as a new, random salt value is used for each new password. 

This makes the task of any would-be attacker a lot harder. Their rainbow tables are useless since salting makes the hash values unpredictable. All that remains is to make sure that your password is random enough to deter any dictionary attacks.

How we secure passwords at Proton

At Proton, we put our users’ privacy and security first. We never send your password to our servers, relying instead on the Secure Remote Password (SRP) protocol. SRP allows a user to authenticate themselves to a server (and vice versa) by proving that they know the password without sharing the password itself or any information that an attacker could use to derive the password (like a hash sum, for example). Your password remains secure on your device. 

Learn more about how Proton uses SRP

We do use hashing and salting, but for your account keys. Once you successfully log in, Proton sends your account keys to your client. Your client then salts and hashes your password using bcrypt and uses the resulting hash value as the key to decrypt your account key. Once your account key is decrypted, it can then be used to access your emails, calendars, etc. This process happens locally on your device so your password and hash never leaves it.

You can extend this level of protection to your other accounts as well with Proton Pass, our end-to-end encrypted password manager.

As you can read in our full breakdown of the Proton Pass security model, we end-to-end encrypt your passwords individually as well as the vaults where you store them, preventing anyone, including us, from being able to see your items at any point in the transfer process. 

We can offer this kind of enhanced security because we’re funded entirely by you, our users. Without shareholders or venture capital investors to worry about, we can focus on developing tools that offer the very best in security and usability without cutting costs or corners.
The result is a service that puts you first, whether it’s having the best encryption technology or offering a best-in-class interface. If that sounds like something you would like to try for yourself, join Proton Pass today.

Обеспечьте конфиденциальность своих данных с Proton
Создать бесплатный аккаунт

Статьи по теме

Proton Wallet
en
  • Новости о продуктах
  • Новости Proton
  • Proton Wallet
WHAT IS PROTON WALLET? Our long-term vision is for Proton Wallet to be a digital wallet that gives you full control of your digital assets. While the type of assets that you can hold in Proton Wallet may evolve over time as we add more capabilities
en
  • Советы о конфиденциальности
Bitcoin is an innovative payment network that leverages peer-to-peer transactions to remove the need for a central bank. Bitcoin has revolutionized the core principles of value exchange by showing that a network of fully independent nodes can operate
en
  • Новости о продуктах
  • Proton Wallet
Proton Wallet is a digital asset wallet that currently supports self-custody on-chain Bitcoin. In this article, we review the key features and security architecture that make Proton Wallet a private and secure wallet that is as easy to use as email.
proton scribe
en
Most of us send emails every day. Finding the right words and tone, however, can take up a lot of time. Today we’re introducing Proton Scribe, a smart, privacy-first writing assistant built right into Proton Mail that helps you compose and improve yo
en
People and companies are generally subject to the laws of the country and city where they are located, and those laws can change when they move to a new place. However, the situation becomes more complicated when considering data, which can be subjec
en
  • Советы о конфиденциальности
Your online data is no longer just used for ads but also for training AI. Google uses publicly available information to train its AI models, raising concerns over whether AI is even compatible with data protection laws. People are worried companies