Advanced Salt Considerations
Salt migration strategies become important when upgrading password hashing systems. Simply appending new salts to existing hashed passwords provides no security benefit. Instead, implement transparent rehashing where passwords are upgraded to new schemes (with new salts) during successful authentication. This gradual migration maintains service availability while improving security.
Per-service salts add an additional layer of security for organizations managing multiple applications. While each password still needs its unique salt, adding a service-specific component ensures that password hashes remain incompatible across services even if users choose identical passwords. This approach prevents an attacker who compromises one service from using those hashes against another service.
```python
import hashlib
import secrets

from argon2 import PasswordHasher  # argon2-cffi


class MultiLayerSaltSystem:
    """Advanced salting with service-specific components"""

    def __init__(self, service_name, master_key=None):
        self.service_name = service_name
        # In production, derive this from a hardware security module and
        # persist it: a key generated fresh on each start cannot verify
        # hashes produced earlier.
        self.master_key = master_key or secrets.token_bytes(32)

    def generate_compound_salt(self):
        """Generate salt with service-specific component"""
        # Random per-password salt
        random_salt = secrets.token_bytes(16)
        # Service-specific component (not secret, just unique)
        service_component = hashlib.sha256(
            self.service_name.encode() + self.master_key
        ).digest()[:16]
        # Combine components
        return random_salt + service_component

    def hash_password(self, password):
        """Hash with compound salt"""
        compound_salt = self.generate_compound_salt()
        # Use Argon2 with the compound salt. PasswordHasher does not accept a
        # caller-supplied salt, so the compound salt is mixed into the secret;
        # Argon2 still applies its own random salt inside hash_raw.
        ph = PasswordHasher()
        hash_raw = ph.hash(password + compound_salt.hex())
        # Store only the random salt part; the service component is recomputed
        # from service_name and master_key when a password is verified.
        return compound_salt[:16].hex() + '|' + hash_raw


# Example usage
auth_service = MultiLayerSaltSystem("auth.example.com")
api_service = MultiLayerSaltSystem("api.example.com")
password = "SharedPassword123!"
auth_hash = auth_service.hash_password(password)
api_hash = api_service.hash_password(password)
print("Same password, different services:")
print(f"Auth service: {auth_hash[:50]}...")
print(f"API service: {api_hash[:50]}...")
print("Hashes are incompatible across services!")
```
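The following example is added here to show both points of this section end to end: the per-service salt component, with the verification path the class above leaves out, and transparent rehashing of legacy records during a successful login. It is not the article's own code. It uses only the Python standard library (PBKDF2-HMAC-SHA256 instead of Argon2, so it runs without extra packages); the record formats, the `PasswordStore` class, the `sha256$...` legacy scheme and the sample users are all constructed for this illustration, and `service_key` stands in for a key that would come from an HSM or secrets manager.

```python
import hashlib
import hmac
import secrets

# Record formats (constructed for this example):
#   legacy:  "sha256$<salt_hex>$<digest_hex>"              single-pass salted SHA-256
#   current: "pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>"
LEGACY_SCHEME = "sha256"
CURRENT_SCHEME = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def legacy_hash(password, salt=None):
    """Produce a record in the weak legacy scheme (only used to seed old users)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{LEGACY_SCHEME}${salt.hex()}${digest}"


class PasswordStore:
    """Per-service password store with compound salts and transparent rehashing."""

    def __init__(self, service_name, service_key):
        # service_key must be persisted: a new key cannot verify old records.
        self.service_name = service_name
        self.service_key = service_key

    def _service_component(self):
        # Deterministic per-service salt component: unique, not secret.
        return hashlib.sha256(self.service_name.encode() + self.service_key).digest()[:16]

    def _derive(self, password, random_salt, iterations):
        # The compound salt is random per password and distinct per service.
        compound_salt = random_salt + self._service_component()
        return hashlib.pbkdf2_hmac("sha256", password.encode(), compound_salt, iterations).hex()

    def hash_password(self, password):
        random_salt = secrets.token_bytes(16)
        digest = self._derive(password, random_salt, CURRENT_ITERATIONS)
        # Only the random part is stored; the service component is recomputed.
        return f"{CURRENT_SCHEME}${CURRENT_ITERATIONS}${random_salt.hex()}${digest}"

    def verify(self, password, record):
        """Constant-time check of password against a legacy or current record."""
        parts = record.split("$")
        try:
            if parts[0] == LEGACY_SCHEME and len(parts) == 3:
                expected = hashlib.sha256(bytes.fromhex(parts[1]) + password.encode()).hexdigest()
                return hmac.compare_digest(expected, parts[2])
            if parts[0] == CURRENT_SCHEME and len(parts) == 4:
                expected = self._derive(password, bytes.fromhex(parts[2]), int(parts[1]))
                return hmac.compare_digest(expected, parts[3])
        except ValueError:
            pass  # malformed salt or iteration count
        return False  # unknown or malformed records never verify

    @staticmethod
    def needs_rehash(record):
        """True for legacy records and for current records with too few iterations."""
        parts = record.split("$")
        if parts[0] != CURRENT_SCHEME or len(parts) != 4:
            return True
        try:
            return int(parts[1]) < CURRENT_ITERATIONS
        except ValueError:
            return True

    def authenticate(self, users, username, password):
        """Verify a login and, on success, upgrade an outdated record in place."""
        record = users.get(username)
        if record is None or not self.verify(password, record):
            return False
        # The plaintext is available only during a successful login, so this
        # is the one place a legacy record can be rehashed with a fresh salt.
        if self.needs_rehash(record):
            users[username] = self.hash_password(password)
        return True


if __name__ == "__main__":
    auth = PasswordStore("auth.example.com", b"auth-service-key")  # constructed keys
    api = PasswordStore("api.example.com", b"api-service-key")
    record = auth.hash_password("SharedPassword123!")
    print("auth verifies own record:", auth.verify("SharedPassword123!", record))
    print("api verifies auth's record:", api.verify("SharedPassword123!", record))

    users = {"alice": legacy_hash("hunter2")}  # constructed legacy user
    print("before login:", users["alice"][:20])
    auth.authenticate(users, "alice", "hunter2")
    print("after login: ", users["alice"][:30])
```

Two details matter in practice: a failed login must never trigger a rehash, which is why the upgrade sits after the verify check, and the legacy verifier stays in the code base only until every record has been migrated, after which `needs_rehash` can simply reject anything that is not the current scheme.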