Salt on Passwords, Salted Passwords, Salting Passwords

uwalakab
uwalakab
Community Member
edited July 2019 in Lounge

I have a feeling that someone may have already mentioned this but I read an article on Salting Passwords.
It may sound like overkill and paranoia, but imagine if the password stored in 1password was **NOT ** the exact and correct password.
Imagine the scenario....
1Password has say 16 salting algorithms. Say algorithm 1 adds a random character at the beginning and end of the password.
(i.e. "P455w0rd" becomes "#P455w0rd$").
This technically means that the password stored is NOT the correct password, and when autofill kicks in it calls upon the corresponding salting algorithm to paste the correct password, or whenever you go to edit it.
Should a cache or database ever be compromised (which should never happen) the password(s) stored are not the exact ones, giving the victim some peace of mind that the resting (stored) password is NOT the actual one.

(I'm sure you can argue that encryption already does this to some degree.)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited July 2019

    @uwalakab: Indeed, encryption already protects all of the data you store in 1Password, and that's much more effective than simply salting and/or hashing. After all, more and more website breaches demonstrate this because when the passwords they store are not encrypted, but rather salted/hashed, it's much easier to reverse that; what results is large databases of passwords being dumped online in plaintext. It is trivial for automated tools to try permutations of numbers/symbols in place of letters (and vice versa), so that doesn't offer any real security (though I suspect you know that and were just using that as an easy-to-understand example). There are dictionaries for these things, and tables of precalculated hashes as well.

    With 1Password, you've got no only the benefit of being able to use as strong of a password as desired, of your choosing, so you have control over your security; but 1Password also slows down brute force attacks using PBKDF2, to create more work for each guess the attacker makes.

    Finally, and perhaps most importantly, passwords themselves are never stored by 1Password; only encrypted data is, and only you have the "keys" to decrypt it. So even with your encrypted data on the server so that you can access it seamlessly across all your devices, an attacker breaking into it would get neither plaintext "salted" or transformed passwords nor password hashes; they'd get only an encrypted blob, and none of what they'd need to decrypt it.

    On the other hand, salting an hashing passwords is really important when there is little or no other security, as is the case with most websites: they store your password so they can compare it to what you enter each time you visit; and authentication is how they prevent unauthorized access. The opposite is true of 1Password: encryption is what protects the data. not authentication.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • uwalakab
    uwalakab
    Community Member
    edited July 2019

    @brenty Many many thanks for your comprehensive and educational reply. :) You've answered my question. In essence, why add something extra when it's already catered for?
    When you mentioned about the dictionaries and databases of passwords I did not take that into account. We sometimes don't realise the extent that some password crackers will go to. ( #LiveAndLearn )
    Thanks again.

  • ag_ana
    ag_ana
    1Password Alumni

    @uwalakab, on behalf of brenty, you are very welcome! I am happy to hear he was able to clarify things for you.

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • uwalakab
    uwalakab
    Community Member

    Thank you @ag_ana ,

    Wishing you a lovely day and great weekend.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you! :+1: :)

This discussion has been closed.