Would re-salting passwords regularly in- decrease security

0 votes
I've been wondering about the impact of periodically changing the salt for stored passwords. If I were to re-salt and re-hash passwords at regular intervals, would this increase security, or could it introduce new risks?

For example, would re-salting improve protection against database leaks by making stolen hashes useless over time? Or could this break authentication systems that rely on password comparisons? I’d appreciate insights into whether re-salting is a recommended practice.
Feb 6 in Cyber Security & Ethical Hacking by Anupam
• 9,890 points 31 views

1 answer to this question.

0 votes

Regularly re-salting and re-hashing stored passwords—changing the salt and computing a new hash for the same password—does not significantly enhance security and may introduce unnecessary complexity.

Understanding Salting and Its Purpose

Salting involves adding a unique, random string (the salt) to a password before hashing it. This ensures that even if two users have the same password, their hashed values differ due to distinct salts. Salting primarily serves to:

  • Prevent Rainbow Table Attacks: Attackers use precomputed tables of hash values to crack passwords. Unique salts make these tables ineffective, as each password hash becomes unique.

  • Ensure Unique Hashes: Identical passwords result in different hashes, preventing attackers from identifying common passwords in a database.

Evaluating the Practice of Re-Salting

Once a password is salted and hashed securely, re-salting it periodically offers minimal security benefits:

  • Limited Impact on Security: If an attacker gains access to the hashed passwords, having multiple hashes of the same password with different salts doesn't significantly increase security. The attacker can still attempt to crack each hash individually.

  • Unchanged Attack Complexity: Re-salting doesn't increase the computational effort required for an attacker to crack a single password hash. The primary defense remains the strength of the hashing algorithm and the complexity of the password itself.

Potential Risks and Considerations

Introducing regular re-salting can lead to:

  • System Complexity: Implementing periodic re-salting adds complexity to the authentication system, increasing the potential for errors.

  • Consistency Issues: Ensuring that password hashes remain consistent across distributed systems or during synchronization processes becomes more challenging with frequent re-salting.

Recommended Best Practices

Instead of focusing on re-salting, consider the following practices to enhance password security:

  • Use Strong Hashing Algorithms: Employ algorithms like bcrypt, scrypt, or Argon2, which are designed to be computationally intensive, thereby slowing down brute-force attacks.

  • Implement Unique Salts: Generate a unique, random salt for each password when it's first created or changed.

  • Encourage Strong Passwords: Promote the use of complex and lengthy passwords among users to increase resistance against attacks.

  • Monitor and Update Hashing Strategies: Stay informed about advancements in cryptography and update your hashing methods as needed to address emerging threats.

answered Feb 10 by CaLLmeDaDDY
 • 16,200 points

Related Questions In Cyber Security & Ethical Hacking

0 votes
1 answer

What degree do I need for working in the cyber security domain?

While it’s possible to find certain entry-level ...READ MORE

answered Jan 29, 2020 in Cyber Security & Ethical Hacking by Sirajul
 • 59,230 points 1,290 views
0 votes
0 answers

What is the referent object in contemporary cyber security?

Nov 25, 2021 in Cyber Security & Ethical Hacking by Error
 • 420 points 780 views
0 votes
0 answers

How do we define radius in cyber security?

Dec 9, 2021 in Cyber Security & Ethical Hacking by Error
 • 420 points 572 views
0 votes
0 answers

What is vulnerability in cyber security?

Dec 10, 2021 in Cyber Security & Ethical Hacking by Aditi
 • 300 points 846 views
+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 16,200 points 331 views
+1 vote
1 answer

How does the LIMIT clause in SQL queries lead to injection attacks?

The LIMIT clause in SQL can indeed ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 16,200 points 388 views
+1 vote
1 answer

Is it safe to use string concatenation for dynamic SQL queries in Python with psycopg2?

The use of string concatenation while building ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 16,200 points 238 views
+1 vote
1 answer

How can I use Python for web scraping to gather information during reconnaissance?

Python is considered to be an excellent ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 16,200 points 220 views
+1 vote
1 answer

What techniques can I use in Python to analyze logs for potential security breaches?

To analyze logs for potential security breaches, ...READ MORE

answered Oct 23, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 16,200 points 183 views
+1 vote
1 answer

Which is a better choice for hashing sensitive data like passwords in a Node.js app: PBKDF2 or Argon2, and why?

When choosing between PBKDF2 and Argon2 for ...READ MORE

answered Nov 6, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 16,200 points 276 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.