(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 10, No. 11, 2019, www.ijacsa.thesai.org

Analysis of Password and Salt Combination Scheme To Improve Hash Algorithm Security

Sutriman¹, Bambang Sugiantoro²
Master of Informatics Department, Sunan Kalijaga Islamic State University, Yogyakarta, Indonesia

Abstract: In system security, hashes play an important role in ensuring that data remains secure and in the management of access rights by those entitled to them. Various methods are used to increase the strength of hash algorithms, one of which is the salting technique. Salt is usually attached as a prefix or postfix to the plaintext before hashing. But applying salt as a prefix or postfix is not enough. There are many ways to find the plaintext from the resulting ciphertext. This research discusses schemes for combining password and salt, other than prefix and postfix, to increase the security of hash algorithms. There is no truly secure system and no algorithm that has no loopholes, but this technique strengthens the security of the algorithm, so that an attacker who wants to break into the system needs more time. To measure the strength produced by each combination scheme, a tool called Hashcat is used. In this way, the best composition for applying salt to passwords becomes known.

Keywords: Security; hash; hashing scheme; salting; password

I. INTRODUCTION

A hash is an algorithm that transforms a string into a series of random characters. It is also called a one-way function, or one-way encryption, because it is only able to do encryption and does not have a key to decrypt. It works by accepting input strings of arbitrary length and transforming them into a string of fixed length, which is called the hash value [1][2][3][4]. Hashes are often used to provide security to the authentication process.
Authentication is the process of ensuring that a property is genuine, verifiable and trustworthy; it gives confidence in the validity of the transmission, the message, or the sender of the message. It verifies that user input arriving at the system comes from a trusted source [1]. Authentication is one of several concepts needed to ensure the security of a system. Authentication, along with accountability, is an additional concept needed to support the CIA Triad. The CIA Triad is a very well-known security concept, named for Confidentiality, Integrity, and Availability [1][5]. The CIA triad is the basic model of information security, and other models exist that have the attributes of the CIA triad in common [6]. Although the use of the CIA triad to define security goals is well established, some in the security field feel that additional concepts are needed to present a complete picture [1]. Authentication is a very important process because, besides protecting information from unauthorized users, it also maintains data integrity [7][8].

Hashing algorithms and techniques are needed to support the authentication process so that the occurrence of data being compromised by an attacker can be minimized. Uses of hash algorithms in authentication include login (password) authentication, file authenticity checks, password storage, key generation, pseudorandom number generation, authentication of tokens for services in a distributed system, digital signatures, etc. [9]. In information systems, a hash is used for the login authentication process. Passwords are transformed using a certain hashing method, producing a unique string of characters that is then stored in the database. Some commonly used hash functions include MD5 and SHA1 [3]. A message digest (MD) is a code that is created algorithmically from a file and represents that file uniquely. If the file changes, the message digest will change [10].
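The login flow described above, with the salt attached as a prefix or postfix as the abstract describes, shown as an added example that is not code from the paper. The function names, record layout and sample password are assumptions, and SHA-256 is used for the salted records where the paper's examples name MD5 and SHA1.

```python
import hashlib
import hmac
import os

def combine(password: str, salt: bytes, scheme: str) -> bytes:
    """Join password and salt in the two ways the abstract names, or not at all."""
    pw = password.encode("utf-8")
    if scheme == "none":
        return pw
    if scheme == "prefix":       # salt + password
        return salt + pw
    if scheme == "postfix":      # password + salt
        return pw + salt
    raise ValueError(f"unknown scheme: {scheme}")

def digest(password: str, salt: bytes, scheme: str, algo: str) -> str:
    return hashlib.new(algo, combine(password, salt, scheme)).hexdigest()

def register(db, user, password, scheme="prefix", algo="sha256"):
    """Store salt, scheme and digest; the plaintext password is never stored."""
    salt = b"" if scheme == "none" else os.urandom(16)   # fresh salt per user
    db[user] = {"salt": salt, "scheme": scheme, "algo": algo,
                "hash": digest(password, salt, scheme, algo)}

def login(db, user, password) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    candidate = digest(password, rec["salt"], rec["scheme"], rec["algo"])
    return hmac.compare_digest(candidate, rec["hash"])   # constant-time compare

def users_sharing_a_hash(db):
    """Users whose stored digest equals another user's (same password, no salt)."""
    seen = {}
    for user, rec in db.items():
        seen.setdefault(rec["hash"], []).append(user)
    return sorted(u for group in seen.values() if len(group) > 1 for u in group)

def demo():
    pw = "Tr0ub4dor&3"           # constructed sample password
    unsalted, salted = {}, {}
    for user in ("alice", "bob"):
        register(unsalted, user, pw, scheme="none", algo="md5")
        register(salted, user, pw, scheme="postfix")
    return users_sharing_a_hash(unsalted), users_sharing_a_hash(salted)

if __name__ == "__main__":
    print(demo())
```

Without salt, two users with the same password get the same stored digest, so anyone reading the table can see that they share a password; with a per-user salt the stored digests differ.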
Message Digest describes a mathematical function that can be applied to a variable-length string. The number five (5) simply indicates that MD5 was the successor of MD4. MD5 is essentially a checksum that is used to validate the authenticity of a file or a string. This is one of its most common uses [11]. The MD5 algorithm exhibits many weaknesses, such as its vulnerability to different attacks, including rainbow table, dictionary, and birthday attacks [12]. SHA is a series of cryptographic hash functions designed by the National Security Agency (NSA). The weakness in the SHA family originates from the possibility that two different input values will produce the same output value in the middle of the algorithm, so it is important to have good diffusion, so that the output of each round is spread out and does not equal the output of the following stages [13].

MD5 and SHA1 are hash algorithms that are not recommended. MD5 and SHA1 have many vulnerabilities which allow attackers to easily obtain a system user's password by knowing the hash value. As time progresses, new hash algorithms appear with better security than their predecessors, among them SHA2, SHA3, BCrypt, and others. As time goes on, vulnerabilities will no doubt be found in the new algorithms as well. The use of hashes in the authentication process can be reinforced by adding salt to the plaintext password before the hashing process is carried out. Salt in the cryptography is a