“Salt Preserve Us”

 » February 18th, 2014

With the latest service breach / data theft making the rounds, discussion has turned again to password hashing, which inevitably leads to a discussion of hash salting. Before I go any further, though, I’m going to cop right now to ripping this post’s title off of a brilliant reddit comment by pellets.

Inevitably, though, somebody (or some company, for fuck’s sake Adobe) is going to take your trust for granted and fuck up your password right out into the open internet. As a result, it’s been standard practice for a while to advice that people don’t use the same password for multiple services. This limits the damage that a password leak can do to you, and it’s a great idea. But it gets us back to one of the age-old problems of computer security: strong and diverse passwords are harder to remember, and thus more likely to be written down (often in terribly conspicuous places).

For some, the solution to this is a service like 1Password, which provide a secure barracks to house your army of strong, unique passwords. That being said, these services aren’t for everyone. Perhaps you’re in a situation where you’re frequently manually entering passwords that can’t be saved. Maybe you don’t trust the keys to your kingdom to a single point of failure – after all, untrustworthy security practices by a third party are what got us into this mess to begin with.

If you find yourself in this situation, I’ve got something else to propose: pre-salt your own passwords. Start with a strong initial password, and employ a deterministic variation for each service you use the password with. Let’s start with a example. (This won’t be great, for reasons we’ll explore further down, but it’s illustrative nonetheless.)

Base password: gh23^^1kJa
Variation: prepend the first letter of the service to your password
Result: Gmail becomes ggh23^^1kJa; Hotmail becomes hgh23^^1kJa; Kickstarter becomes kgh23^^1kJa

Why isn’t this a great example? Well, a good scheme should have a few important qualities. Let’s pick apart the example above:

1. Low variation scheme guessability: In the above example, our variation scheme is potentially pretty easy to guess. If one of your passwords was compromised (say, your Kickstarter password), it’s possible that somebody could presume that you’re pre-salting, and try to guess at your scheme with some success. (Whether anybody would ever actually try something like this another question.)

2. Low collisions: Right now, all services that begin with the same letter will collide. Your Gmail password will be your Github password, for example, due to the same initial letter of both services.

So what to do? Be creative with your variation scheme. Use more than one letter. Use the second and third letters of the service name. Insert them in the middle of your password. Use the next letter in the alphabet. It’s reasonably unlikely that somebody will guess that you’re pre-salting and unwind something like gh2h3^^1kJa to figure out how you varied it for Gmail.

This is obviously no panacea to the various issues around password security, but if you find yourself in need of a set of unique, strong passwords and you want to store them all in your head, you could do worse than adding a little salt.