What is the Effectiveness of Salt and Pepper in Preventing Rainbow Table Attacks in Modern Password Hashing Algorithms?

Niyaa Meganathan

Publication Date: 2024/09/17

Abstract: Password security remains a critical concern, as attackers continually refine their techniques for cracking stolen password databases. Two standard defenses in password hashing are salt and pepper. A salt is a unique random value generated per password and stored beside its hash; because it is mixed into the hash computation, identical passwords produce different hashes, and a precomputed table would have to be built separately for every salt value. A pepper is a system-wide secret that is kept out of the password database, so that an attacker who obtains the database alone is missing an input needed to test any candidate password offline. This paper explores how salt and pepper together defend against rainbow table attacks by removing the precomputation advantage on which those attacks depend. Neither technique is sufficient on its own: a salted hash still falls to a dictionary or brute-force attack when the underlying hash function is fast, so salt and pepper must be paired with key-stretching algorithms such as bcrypt or Argon2, and with multi-factor authentication (MFA), for comprehensive defense. The paper also examines the limitations of salt and pepper and considers post-quantum cryptography and passwordless authentication as potential paths to further improve password security.
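
The scheme the abstract describes, as an added worked example that is not part of the paper: an unsalted fast hash is recovered from a precomputed table, while the salted and peppered record of the same password is not, and two users with the same password get different records. The example assumes PBKDF2-HMAC-SHA256 from Python's standard library as the key-stretching step (the paper names no specific algorithm; Argon2id would be preferred in production but needs a third-party package), a constructed PEPPER value, a constructed four-word dictionary standing in for a rainbow table, and a hypothetical storage format of the form pbkdf2_sha256$iterations$salt$digest.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed pepper for this example. In deployment the pepper is loaded from a
# secrets manager, HSM or environment variable and is never written to the
# database that holds the salted hashes.
PEPPER = b"example-pepper-not-stored-with-the-hashes"

# Key-stretching work factor. 600,000 PBKDF2-HMAC-SHA256 iterations follows the
# OWASP (2023) guidance; Argon2id or scrypt would be preferred where available.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme a rainbow table targets: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_rainbow_table(words) -> Dict[str, str]:
    """Toy stand-in for a rainbow table: precomputed unsalted digest -> password.
    A real table uses hash chains to trade time for space, but it depends on
    precomputation in exactly the same way."""
    return {unsalted_sha256(w): w for w in words}


def crack_with_table(table: Dict[str, str], hex_digest: str) -> Optional[str]:
    """Recover a password from a stored digest using only the precomputed table."""
    return table.get(hex_digest)


def _pepper(password: str, pepper: bytes) -> bytes:
    # Pre-hash with HMAC keyed by the pepper so the secret enters the computation
    # before stretching; without the pepper the stretched value cannot be recomputed.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' (hypothetical format).

    The salt is public and stored with the hash; the pepper is not."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh CSPRNG salt per password
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False   # malformed record: reject rather than raise
    candidate = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed mini-dictionary; real tables cover billions of candidates.
    words = ["password", "letmein", "hunter2", "correcthorse"]
    table = build_rainbow_table(words)

    # Unsalted: the stolen digest is looked up directly.
    print(crack_with_table(table, unsalted_sha256("hunter2")))       # hunter2

    # Salted + peppered: two users with the same password get different records,
    # and neither digest appears in the precomputed table.
    rec_a, rec_b = hash_password("hunter2"), hash_password("hunter2")
    print(rec_a != rec_b)                                             # True
    print(crack_with_table(table, rec_a.split("$")[3]))               # None
    print(verify_password("hunter2", rec_a))                          # True
    print(verify_password("hunter2", rec_a, pepper=b"wrong-pepper"))  # False
```

Two caveats the example makes visible. The salt only defeats precomputation: an attacker who holds the database and the pepper can still run a per-record dictionary attack, which is why the iteration count (or a memory-hard function) and MFA matter. And because the pepper is a key rather than a public parameter, losing or rotating it invalidates every stored record unless the record format carries a pepper version, which is an operational cost the salt does not have.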

Keywords: Salt, Pepper, Rainbow Table Attacks, Password Hashing, Cryptographic Security, Key-Stretching Algorithms, Multi-Factor Authentication, Passwordless Authentication.

DOI: https://doi.org/10.38124/ijisrt/IJISRT24SEP406

PDF: https://ijirst.demo4.arinfotech.co/assets/upload/files/IJISRT24SEP406.pdf
