The Illusion of “Encrypted” Passwords
"Your password is securely encrypted."
We often see this phrase when signing up for a website. It sounds like your password is locked inside a digital vault — impenetrable. But reality paints a different picture.
In 2024 alone, hundreds of major data breaches occurred. In many of them, companies claimed the passwords were “encrypted,” yet attackers easily cracked them. Why?
Because they didn’t say how those passwords were stored. Old hash algorithms, no salt, no pepper — that’s where the real danger lies. In this article, we’ll break down the key components of password security: hashing, salt, pepper, and key stretching — using real-world hacking scenarios for context.
What Is Hashing? A Blender for Passwords
A hash function takes data of any size and transforms it into a fixed-length string. Think of it as a blender: put in a strawberry, and you get a smoothie. You can't reconstruct the original strawberry from the smoothie — that's the point.
Example:
Input: password123
SHA-256 Hash:
ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
Because hashing is one-way, websites don’t store your actual password — they store the hash. During login, the password you enter is hashed and compared with the saved hash.
But there's a catch: hashing alone is not enough.
Why Simple Hashing Fails: Rainbow Tables and GPU Attacks
If a service just hashes your password, you're still at risk. Here’s why:
1. Rainbow Table Attack
Attackers precompute the hashes of billions of commonly used passwords (123456, qwerty, password, etc.) once and store them in a compact lookup structure that can be reused against every leak. Such a precomputed table is called a rainbow table.
Example:
If a database contains the hash 5f4dcc3b5aa765d61d8327deb882cf99, a hacker can instantly identify it as the hash of password.
2. Brute-force with GPUs
Modern attackers use high-performance GPUs or FPGAs to try billions of password guesses per second. What used to take months now takes seconds — especially with weak or reused passwords.
Adding Salt: Making Every Password Unique
Salt is a random string added to a password before hashing. It ensures even identical passwords produce different hashes.
Example:
- User A: password123 + Salt: XyZ82!k → Hash A
- User B: password123 + Salt: aB1@cDe → Hash B
Because every user's salt is unique, a table precomputed for one salt is useless against any other. An attacker would need a separate rainbow table for every salt value, which makes the attack impractical.
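To make the two attacks above concrete, here is an added Python example (not code from the original article). It builds a tiny constructed precomputed table of common passwords, shows that an unsalted SHA-256 digest is identified instantly, and then shows that per-user random salts make identical passwords hash differently so the table no longer matches anything. The salted variant uses plain SHA-256 only to illustrate salting; real storage should use one of the key-stretching algorithms discussed later in the article.

```python
import hashlib
import secrets

# Constructed list of common passwords standing in for a real precomputed table.
COMMON_PASSWORDS = ["123456", "qwerty", "password", "password123", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password, hex-encoded: same input, same output, every time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# The precomputed table: digest -> password. Built once, reusable against any unsalted leak.
PRECOMPUTED = {unsalted_hash(pw): pw for pw in COMMON_PASSWORDS}


def lookup_precomputed(digest: str):
    """Return the password behind an unsalted digest if the table knows it, else None."""
    return PRECOMPUTED.get(digest)


def new_salt(nbytes: int = 16) -> bytes:
    """Per-user salt from the OS CSPRNG. It is stored next to the hash; it is not a secret."""
    return secrets.token_bytes(nbytes)


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. Illustrates salting only; not a substitute for scrypt/bcrypt/Argon2id."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    leaked = unsalted_hash("password123")
    print(leaked)                          # the SHA-256 digest quoted in the article
    print(lookup_precomputed(leaked))      # password123: identified by a single dictionary lookup

    salt_a, salt_b = new_salt(), new_salt()
    hash_a = salted_hash("password123", salt_a)
    hash_b = salted_hash("password123", salt_b)
    print(hash_a != hash_b)                # True: same password, different stored hashes
    print(lookup_precomputed(hash_a))      # None: the table does not match salted hashes
```

The defender's takeaway is in the last two lines: once each record carries its own random salt, a precomputed table built without that salt cannot match it, so every record has to be attacked separately.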
Fighting Modern Threats: Key Stretching and Pepper
1. Key Stretching: Slowing Down the Attackers
Instead of hashing just once, key stretching hashes the password tens of thousands of times, dramatically slowing down brute-force attempts.
For regular users, login takes just a fraction of a second. But for hackers trying billions of guesses, this delay can multiply into centuries.
Recommended algorithms:
- Argon2id (current industry standard)
- Bcrypt
- Scrypt
2. Pepper: The Secret Ingredient
A pepper is a secret key stored on the server (not in the database). Unlike salts, which are different for each user, pepper is a single global secret.
Even if a hacker steals the entire user database, they can’t generate the correct hash without the pepper — unless they also compromise the server application or its source code.
What Does Secure Password Storage Look Like?
A properly secured password should include all of the following:
- Algorithm: Use modern hashing with key stretching (Argon2id, Bcrypt)
- Salt: Generate a cryptographically strong, unique salt per user
- Key Stretching: Apply sufficient iterations/work factor to slow down brute-force
- Pepper: Store a secret key separately from the database
✅ Final formula:
Argon2id(password + user-specific salt + site-wide pepper, iterations)
What Should You Do as a User?
You have no control over how a website stores your password. So relying on the word "encrypted" is risky. Your best defense is good password hygiene, regardless of what happens on the server side.
Practical Steps:
- Use a Password Manager: Tools like LastPass or 1Password generate and store long, unique passwords for every site.
- Enable Two-Factor Authentication (2FA/MFA): Even if a password leaks, login requires approval from your phone or email.
Your Data Is Only as Secure as Your Habits
You can’t always trust how securely a company stores your credentials. But you can control how you use them.
🔒 Don’t reuse passwords.
🔒 Don’t rely on websites to protect you.
🔒 Don’t skip 2FA.
In today’s digital world, your information is your asset. Keeping it safe starts with how you protect your passwords — not just how others store them.