Common Password Salting
You use the same password on more than one site. Admit it. Everyone does it. It’s a dirty little secret that nobody talks about. Maybe you make yourself feel safer by using a different password for your bank, or for online stores.
Here’s the problem.
There’s a relatively new trick, some would say evil trick, that a few sites are using, that exploits the fact that so many people use the same username and password over and over. I know of at least two sites that do this. Here’s how it works.
Someone sends you an invitation, or you read about a new “social networking” site. Sounds cool, so you have a look. It’s interesting enough that you sign up, entering your common login and password.
What this site does next is try to connect to other sites, using that exact same name and password, to send out invitations from you to try out this new site.
Some sites will tell you they’re going to do this; some won’t. If you log into a site and suddenly see that it’s figured out who your friends are, be suspicious. It’s probably connected to your Yahoo Mail account or Hotmail account or some other account that you use and swiped all your friends’ names and contact info.
Now your friends are getting messages from you saying “Hello Bob, I’ve found this great new site! Come join it!”. This is a great way to lose a few friends.
So what’s the solution?
Network security gurus would tell you the solution is obvious and you’re an idiot for not implementing it sooner. Simply use a different combination of upper and lowercase letters, numbers and punctuation at least 8 characters long on every site you visit.
Yeah, not gonna happen, is it?
So you’re going to use the same password on multiple sites. Here’s a way to at least keep these sites from automatically “sharing” your information amongst themselves. Salting.
A salt is defined as a random number that is added to the encryption key or to a password to protect them from disclosure. But in this case, it’s not a random number (since that wouldn’t be easy to remember either), but rather, it’s a combination of letters that you somehow derive from the site name, and somehow insert into your usual password.
For example.
Let’s say you’re creating a Hotmail account and you need to come up with a password. Your usual password is ‘monkey7’. But rather than just typing that in, you alter ‘monkey7’ with some characters that are unique to the site you’re visiting.
Maybe it’s the first two letters of the site name. Maybe it’s the first letter and the last letter, or the first and third letters. Whatever it is, pick a scheme and stick to it.
Let’s say you’ve chosen the first and third letters, and you’re going to put it before the 7. Your Hotmail password is now ‘monkeyht7’. Your Amazon password is ‘monkeyaa7’. Your Yahoo password is ‘monkeyyh7’. You get the picture.
Don’t use this exact scheme. Come up with your own. If everyone is using the same salting method, then it’s easy to crack, but with hundreds or thousands of salting algorithms, your password is reasonably safe.
Note that reasonably is relative. This is not super-secure – it’s hardly secure at all – but it is definitely more secure than using the same password everywhere, and it’s easy to do.
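To make the scheme concrete, here is a small added example (my own code, not part of the original post) that performs the derivation mechanically. It assumes the site-specific letters are taken from fixed positions of the lower-cased site name (first and third by default, as in the post) and are inserted just before the last character of the base password (the 7 in ‘monkey7’). It also includes a check the post hints at: with only two site-derived letters, two different sites can end up with the identical password, which is the reason the comments below suggest using more letters.

```python
# Added example, not from the original post: an implementation of the
# "salting" scheme described above plus a collision check across sites.
# Assumptions: letters come from fixed 0-based positions of the lower-cased
# site name, and are inserted just before the last character of the base
# password (the '7' in the post's 'monkey7' example).
from typing import Dict, Iterable, List, Sequence


def site_salt(site: str, positions: Sequence[int] = (0, 2)) -> str:
    """Return the letters of `site` found at `positions` (default: first and third)."""
    name = site.lower()
    if any(i >= len(name) for i in positions):
        # A site name shorter than the chosen positions cannot follow the scheme;
        # refuse rather than silently producing a different-length salt.
        raise ValueError(f"site name {site!r} is too short for positions {tuple(positions)}")
    return "".join(name[i] for i in positions)


def salt_password(base: str, site: str,
                  positions: Sequence[int] = (0, 2),
                  insert_at: int = -1) -> str:
    """Insert the site-derived letters into `base` at index `insert_at`.

    A negative `insert_at` counts from the end; the default of -1 places the
    letters immediately before the final character, matching the post's example.
    """
    if insert_at < 0:
        insert_at = len(base) + insert_at
    return base[:insert_at] + site_salt(site, positions) + base[insert_at:]


def find_collisions(base: str, sites: Iterable[str],
                    positions: Sequence[int] = (0, 2)) -> Dict[str, List[str]]:
    """Map each salted password shared by more than one site to those sites.

    An empty result means every site in the list got a distinct password.
    """
    by_password: Dict[str, List[str]] = {}
    for site in sites:
        by_password.setdefault(salt_password(base, site, positions), []).append(site)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample: the three sites from the post plus one ("Hitachi")
    # chosen because its first and third letters are also 'h' and 't'.
    sites = ["Hotmail", "Amazon", "Yahoo", "Hitachi"]
    for s in sites:
        print(f"{s:8s} -> {salt_password('monkey7', s)}")
    print("collisions with 2 letters:", find_collisions("monkey7", sites))
    print("collisions with 4 letters:", find_collisions("monkey7", sites, positions=(0, 1, 2, 3)))
```

Running it reproduces the post’s three passwords (monkeyht7, monkeyaa7, monkeyyh7) and shows that Hotmail and Hitachi collide under the two-letter scheme but not under a four-letter one; whichever scheme you invent for yourself, it is worth checking it the same way against the sites you actually use.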
Happy Salting.
February 19th, 2006 at 12:09 am
Good advice.
What I do, however, is to use a password manager program, which generates distinct strong passwords for each website and remembers them for me. I like KeePass, http://keepass.sf.net, but there are a number of such programs out there.
February 19th, 2006 at 9:47 am
The reason I don’t like programs like that is if I lose my password database, I’ve lost access to everything. Plus, it means that all your passwords are stored on your computer, so if someone breaks into your network (or steals your computer), you’re completely vulnerable. With this sort of salting algorithm, the password is in my head, yet it’s still unique for every site.
February 20th, 2006 at 1:58 am
Well written and very good advice. I was not aware of the emergent problem of such password-abusing social networking sites, though the trick has been around for a long time! Salting is an excellent security practice, and really should become a part of common Internet safety. You give a good suggestion to choose letters at certain indexes, though I would suggest going a bit further, with more (4-5) unique letters in the password. That way, if one guesses the use of a salt, they will have a much harder time at cracking it. Nice post, I’ll be linking to it in my own blog.
February 20th, 2006 at 2:13 am
Internet Smarts: Password Salting…
Do you use salted passwords? Or are you currently asking yourself if you have heard the term before?
If so, do yourself (and your identity) a favor and take a look at SteveX’s “Common Password Salting,” a nice, succinct writeup on …
September 14th, 2006 at 2:33 am
The problem of losing the database is a good point, but when you’re working in companies where any one of a number of techies could change the password, then you get into trouble because your salting method will be different from the next guy’s, and that’s where problems start.
I’ve been working on a multi-user web based password safe which means there’s only one database to backup/replicate for all of the IT department, and from the number of companies purchasing it I’d guess it’s the way things will go.
btw, if you’re interested the product is at http://www.argosytelcrest.com/eps.html
June 5th, 2007 at 3:52 am
This is very useful information for any web user, it is very safe and secure to use these tricks for user names and passwords. Definitely it will help to keep your accounts safe and secure.
November 6th, 2007 at 8:26 pm
This is sometimes tricky to implement as password requirements can vary drastically from site to site. One site may not allow anything outside alphanumeric characters while another requires some form of punctuation. I have even come across some that want either a maximum number of characters or an exact number of characters in length (sad but true).