What Is a Salted Password? You Need to Avoid Websites Without Salted Passwords in all Circumstances!
What are salted passwords? In the cryptocurrency space, as soon as we start talking about your assets, security is one of our major concerns. It has recently come to our attention that many transactional platforms in South Africa do not use this technique. They are not doing their due diligence with regard to security, and it all comes down to salted passwords. We are not talking about your run-of-the-mill table salt! Password salting is a cryptographic method of making sure that things like your stored passwords are safer and harder to crack. We want you to understand why it is important, so that you can avoid any website without it.
What is Salting?
As a best practice, most platform services like ours store a password only after a process of encryption. Your password (which I hope is a super secure one) goes through a program that scrambles it according to rules the system can decrypt but that make it much harder for a malicious agent to work out. This does not make it foolproof: hackers can use processes like dictionary attacks to try to guess the password. Salting adds an additional string of characters that also goes through the encryption process and makes sure that such attacks are no longer effective.
Why do we “Salt” a Password?
The process of salting passwords creates an extra layer that a malicious agent needs to crack before they can have full access to the password. It is pretty hard to break a hash, but it is even harder if the password is salted. An extra layer of protection doesn’t merely double the difficulty of cracking the password; it multiplies it exponentially! When we can improve security by so much, it would be ludicrous not to add it.
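To make the two sections above concrete, here is an added example (not iCE3X’s own code) in Python’s standard library that stores a password as a salted, slow one-way hash (PBKDF2-HMAC-SHA256), verifies a login from that record, and shows the weakness of an unsalted hash: two users with the same password get the identical digest. The iteration count, salt size, and sample password are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a real deployment tunes the work factor to its hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password. Every user with this
    password gets the identical digest, so one precomputed table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scheme: draw a fresh random salt per user, run a slow one-way KDF,
    and store salt and digest together. The plaintext itself is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login check: recompute the digest with the stored salt and compare in
    constant time. Staff holding the record still cannot recover the password."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(record_a: str, record_b: str) -> bool:
    """Breach view: can someone holding two stored records tell that the two
    users chose the same password, without cracking anything at all?"""
    return record_a == record_b


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password shared by two users
    print("unsalted records identical:", shared_password_visible(unsalted_hash(pw), unsalted_hash(pw)))
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted records identical:  ", shared_password_visible(rec_a, rec_b))
    print("login with right password: ", verify_password(pw, rec_a))
    print("login with wrong password: ", verify_password("hunter2", rec_a))
```

Because only the salt and digest are stored, a provider using this scheme has nothing it could email back to you, which is exactly the test the rest of the article proposes.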
What Happens when there is no Salting?
When a malicious agent breaches a system, they can view all of its data, which includes user logins and passwords. Without salting or even basic encryption, they can use this to gain access to all the user accounts and begin to wreak havoc. When these systems involve anything of value, like your finances or cryptocurrencies, this can cause enormous damage to the user. There are reports of some companies keeping passwords as plain text; in that case anyone with access, including staff members, had full access to the passwords. Some customers report that staff members of certain services have sent them their passwords by email or message. If a member of staff can send you your password, it is not salted.
With salting, a malicious agent, whether a legitimately authorised user or an outside hacker, cannot access users’ accounts, as they cannot decrypt the salted passwords. Even the South African government ran afoul of this as recently as 2016. A hacker spread a leak of its data which showed that the passwords were not salted. These passwords were easy to crack, for the whole world to see.
iCE3X Already has Salted Passwords
iCE3X has a 100% secure password management process. Not even a staff member at iCE3X can access your password, let alone a malicious hacker. We take your security seriously and, in a perfect world, everyone else would too. We have always been a big proponent of two-factor authentication as well, which adds yet another layer of security. If security is a concern to you too, make sure that you are not using any website without these. Let us know in the comments below if you have any experience with this. We hope that this has opened your eyes to some serious security issues in the wild. If you do come across this practice, please let the service provider know of your concerns via private communication (a public announcement may put others at risk while the provider solves the problem). 🙂
Do you use any website which does not follow security best practices? Moreover, if you requested your password, would your provider be able to send it to you?