Password Hashing, Salts, Peppers | Explained!

Reddit Comments

Thanks. I knew what hashing was but never knew what salt was and I actually never heard of pepper.

👍︎︎ 11 👤︎︎ u/Rocky87109 📅︎︎ Dec 16 2016 🗫︎ replies

As usual I'm here to answer any questions.

👍︎︎ 3 👤︎︎ u/Seytonic 📅︎︎ Dec 16 2016 🗫︎ replies

So... a pepper (first time I've heard of that one!) is just a salt that isn't stored, and the authentication process involves essentially brute force itself to a very minor degree to determine the proper pass (+pepper)?

Great video - succinct and informative, thanks!

👍︎︎ 3 👤︎︎ u/dlayknee 📅︎︎ Dec 16 2016 🗫︎ replies

Really enjoyed this video, thanks!

👍︎︎ 3 👤︎︎ u/GoldenPresidio 📅︎︎ Dec 17 2016 🗫︎ replies

U are awesome! Great stuff. I enjoy watching your videos and love how clean they are. I would actually love to see more of your "educational" videos! Keep it up :)

👍︎︎ 2 👤︎︎ u/iGRB130427A 📅︎︎ Dec 16 2016 🗫︎ replies

subscribed

👍︎︎ 2 👤︎︎ u/CookieTromster 📅︎︎ Dec 16 2016 🗫︎ replies

A rainbow table is a little more complex than you described, what you describe in your video is a hash table.

👍︎︎ 2 👤︎︎ u/PUSH_AX 📅︎︎ Dec 17 2016 🗫︎ replies
Captions
In recent videos I've been using the terms hash, salt and pepper a bit, so I thought it would be a good idea to explain what they are.

A hashing algorithm is a complex mathematical function that transforms a stream of data into a seemingly random output string of fixed length. For example, these words produce the following hashes. The same input string will always produce the same output string, but if the input string is changed, even by just a single character, then the output string will be entirely different. Usually encryption means to scramble data temporarily until a key is used to unscramble it. Hashing is often seen as a form of one-way encryption, as you cannot go backwards from a hash to work out the original string; you can only go forwards.

This is great for storing passwords. Instead of storing the actual password, the hash of the password is stored. When a user enters their password at login, it is hashed and compared to the hash in the database; if they're the same, then the login is successful. This way, if an attacker gains access to the database they'll only have the hashed passwords, which in theory will be of no use to them, as they won't be able to go backwards to figure out the original password. However, in practice it's a bit more complicated. There are a few ways an attacker can go about decoding a hash. Firstly, since a certain password will always produce the same hashed output, the most commonly used password hashes are widely known. This website will attempt to decode a given password hash by simply comparing it to their database of over 800 billion hashes, so if you use a common password then you're screwed. This website's database is an example of a rainbow table. A rainbow table, simply put, is a database containing common passwords and their hashes. Secondly, you can attempt to go through and just guess the original password, hash it and compare it to the hash you're trying to decode; if it's the same, well, then you've found your password. You can do this through a dictionary attack, guessing common passwords, or a brute-force attack, guessing every possible combination of characters. The latter is very computationally expensive and can take a long period of time.

So hashing by itself just isn't enough to protect passwords. Websites can further protect passwords by using salts. Salts are a short random set of characters that are appended to the end of a user's password before it is hashed. This will most likely thwart any rainbow table attack: "catsarecool" may be in a database, but "catsarecoolP#)!" probably isn't. Do remember salts are added automatically after a user enters their password; the user won't even know a salt is being used. Salts are generally stored in plain text along with the hashed output, so the website knows what salt to use when it comes to verifying a login. This may seem counterintuitive, as you're telling an attacker half the password, and you're right: brute-force and dictionary attacks will still be an issue, assuming the attacker takes the salt into account and knows where to put it in his guesses. However, importantly, rainbow tables will be of no use.

Finally, there are peppers. A pepper is a very short random string or character. For simplicity, let's say in this case a pepper is a single upper- or lowercase letter, for example uppercase M. So the hash stored will be the product of hashing the user's password plus the letter M: if the password is "catsarecool", the hash stored will be the hashed product of "catsarecoolM". When a user comes to log in, the password they'll give is just "catsarecool"; like with the salt, they won't know a pepper is being used at all. The website will then cycle through every possible combination of the pepper. In this case, with upper- and lowercase letters, there are 52 combinations, so the website will try hashing "catsarecoola", "catsarecoolb" and so on until it gets to "catsarecoolM". If one of the hashes matches the stored hash, then the user is allowed to log in. The whole point of this is that the pepper is not stored, so if an attacker wanted to crack the password by brute force it would take them 52 times longer than without the pepper; this would be a bit tedious for them. Conversely, it would take 52 times longer for the user to log in, but this isn't going to be an issue for the genuine user, as it only takes a fraction of a second to hash something, so 52 fractions of a second really isn't too long to wait.

In conclusion, there are many different hashing implementations; many websites will use a combination of both salts and peppers. In this video I've only used the MD5 hashing algorithm, but keep in mind there are many other hashing algorithms out there. So thanks for watching, guys. This was a more educational video over my usual stuff, but yeah, if you liked it remember to hit that like button, subscribe if you haven't already, follow me on Twitter, I'm @Seytonic, and stay tuned for more hacking videos.
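The salt-and-pepper scheme the captions walk through, written out as an added example (this is not code from the video or from Seytonic). It follows the video's layout exactly: the salt is random, appended to the password and stored in plain text next to the hash; the pepper is one of the 52 ASCII letters, appended after the salt, and never stored, so login cycles through all 52 candidates. Assumptions: SHA-256 is swapped in for the MD5 the video used (the mechanism is identical), the generated salt is 8 characters drawn from letters, digits and punctuation, and the function names `hash_password`, `register`, `verify` and `hashes_tried` are mine. The sample password and salt in the usage block are constructed to match the video's "catsarecool" / "P#)!" example.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Pepper alphabet as in the video: one upper- or lowercase letter, 52 choices.
PEPPER_ALPHABET = string.ascii_letters
# Characters a generated salt is drawn from (assumption; the video only says "random characters").
SALT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password: str, salt: str, pepper: str) -> str:
    """Hash password + salt + pepper, both appended as in the video.

    The video used MD5; SHA-256 is swapped in here (assumption). A real deployment
    would use a dedicated password hash such as bcrypt, scrypt or Argon2 rather
    than a bare digest, but the salt/pepper mechanism shown here is the same.
    """
    data = (password + salt + pepper).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def register(password: str, salt: Optional[str] = None, pepper: Optional[str] = None) -> dict:
    """Build the stored record for a new user.

    The record holds the hash and the plain-text salt only. The pepper is chosen
    at random, used once, and deliberately not stored anywhere. The optional
    arguments exist so a caller can reproduce a record deterministically.
    """
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(8))
    if pepper is None:
        pepper = secrets.choice(PEPPER_ALPHABET)
    if pepper not in PEPPER_ALPHABET or len(pepper) != 1:
        raise ValueError("pepper must be a single ASCII letter")
    return {"hash": hash_password(password, salt, pepper), "salt": salt}


def _matching_pepper_index(password: str, record: dict) -> Optional[int]:
    """Try every pepper in turn; return the index of the first one that reproduces the stored hash."""
    for i, pepper in enumerate(PEPPER_ALPHABET):
        candidate = hash_password(password, record["salt"], pepper)
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(candidate, record["hash"]):
            return i
    return None


def verify(password: str, record: dict) -> bool:
    """Login check: succeed if some pepper makes the submitted password match."""
    return _matching_pepper_index(password, record) is not None


def hashes_tried(password: str, record: dict) -> int:
    """Number of hash computations a login attempt costs.

    A correct password stops at the matching pepper; a wrong password always
    pays the full 52, which is the same factor the video says a brute-force
    attacker has to pay per guess.
    """
    i = _matching_pepper_index(password, record)
    return len(PEPPER_ALPHABET) if i is None else i + 1


if __name__ == "__main__":
    # Constructed sample values matching the video's example.
    rec = register("catsarecool", salt="P#)!", pepper="M")
    print(rec)  # hash + salt, no pepper
    print(verify("catsarecool", rec), hashes_tried("catsarecool", rec))
    print(verify("wrong", rec), hashes_tried("wrong", rec))
```

Two details worth noticing: `verify` stops at the first matching pepper, so a genuine login costs on average half the alphabet while every wrong password costs all 52 hashes, which is the asymmetry the video is describing; and `hmac.compare_digest` is used for the digest comparison so the check does not short-circuit on the first differing byte.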
Info
Channel: Seytonic
Views: 161,682
Keywords: hacking, hack, hacker, pentester, hak5, rubber ducky, programming, c++, howto, tutorial, diy, make, kali, technology, tech, mobile, computer, science, computer science, hashing, salt, hash, password, pepper, algorithm, encryption, md5, sha1, sha, md, encrypting, hashkiller.co.uk, hashkiller, salting, hashes, how to, what is, explain
Id: --tnZMuoK3E
Length: 4min 29sec (269 seconds)
Published: Fri Dec 16 2016