In an era where data breaches frequently dominate technology news, we often hear about emails and passwords being exposed. But what exactly is a hashed password? How does it differ from a non-hashed one? This guide delves into these questions and more, providing a clear understanding of password hashing and its role in cybersecurity.
Understanding Passwords
Passwords have become ubiquitous in both the tech world and everyday language. From accessing your email account to stories about hidden treasure in children’s books, the use of passwords is so common that we rarely pause to consider what they truly are—let alone the concept of password hashing.
A password is technically defined as a string of characters—letters, numbers, and symbols—used to authenticate identity, verify access authorization, or derive encryption keys. While most users are familiar with entering passwords to access websites and accounts, securely managing these credentials is more challenging.
As a user, it is essential to never reuse passwords, always choose strong passwords, and update them periodically. One effective way to create and manage unique, secure passwords across all accounts is by using a password manager. Incorporating a password manager into your personal privacy practices places you ahead of many internet users who haven’t yet adopted this crucial step.
Unfortunately, you cannot fully protect yourself, as the services you register with handle your login credentials. This is where data breaches come into play. News reports often mention that "data breaches include usernames, dates of birth, email addresses, phone numbers, and password hashes." While most of these terms are straightforward, the last one can be confusing. To clarify, let’s explore how companies and online services manage the data you submit when creating a new account.
The Challenge of Secure Password Storage
Imagine you are running a growing online forum. As more people register for your service, you need a secure method to protect user login information. After all, if someone steals their credentials, your users will be unhappy.
To better understand this, consider what happens when you attempt to log in to a website. You visit the login page in your browser, enter your username or email address and password, and click "Login." What happens next is a bit more complex.
When you create a password, it should not—and hopefully is not—stored in plaintext by the service. If a service stores passwords in plaintext, your login credentials could be exposed if the service is compromised. Instead, your password should be hashed, and the resulting hash value stored in a secure database maintained by the service. When you log in, the email address and password hash you submit are compared with the information stored in the database. If they match, you gain access to your account. However, if hackers obtain the hash, they cannot use it to log in, as it is not the actual password.
👉 Explore advanced security strategies
What Is Password Hashing?
Password hashing is the process of transforming a user-created password using a hash algorithm, resulting in a unique representation of the original password. Without knowing the password, it should be nearly impossible to reproduce the exact same hash.
There are various types of hash algorithms, but they all perform a similar function. They take a plaintext password—which is treated as a string of data of arbitrary length—and convert it into a fixed-length string of bits using a hash function. This process is deterministic, meaning the same password will always produce the same hash. The resulting hash is then stored in a secure database.
It is important to remember that hashing is not the same as encryption. There is no key to decrypt a hash. Hashing is a one-way process: you can convert plaintext to a hash, but you cannot reverse the process. For a culinary analogy, think of a potato as plaintext. Hashing it turns it into a plate of hash browns—the hashed output. Just as you cannot turn hash browns back into a whole potato, you cannot revert a hash to its original password.
Hash functions are one-way. Unlike encryption, they do not generate a key to return the original plaintext.
When people talk about cracking passwords, they are not "decrypting" anything. Instead, they create their own list of hashes from commonly used passwords and compare these with the information leaked in a data breach. This becomes a cross-referencing exercise requiring basic logic rather than deep cryptographic knowledge.
What Is Salted Password Hashing?
Earlier, we mentioned salted hashing. Salting involves adding random data to the input before it is processed by the hash algorithm. Since each password has a unique salt, this prevents attacks that use precomputed hash tables. Even if the salt is included in a data breach, attackers must precompute values for each individual salt, making the attack significantly more resource-intensive.
Additionally, without salting, if two users use the same password, the hash values in the database will be identical due to the deterministic nature of hash algorithms. With salting, even identical passwords produce different outputs, preventing hackers from quickly identifying accounts with the same password.
Salting not only makes food tastier but also strengthens password hashes!
Encryption salts can be derived from usernames or other unique identifiers specific to each account. Uniqueness is key here, as it makes precomputed table attacks computationally infeasible.
Common Attacks and Vulnerabilities
While hash algorithms are powerful, they are not perfect. Cryptographers design these functions with known attacks in mind.
Birthday Attacks
Every cryptographic hash algorithm is vulnerable to birthday attacks. These attacks exploit the mathematical probability behind the birthday problem. Fortunately, such attacks are generally no faster than brute-force methods.
Collision Attacks
A collision attack occurs when two different passwords (plaintext strings) produce the same hash value when processed by a hash algorithm. This is problematic because it means an incorrect password, when paired with the correct username, could grant access to an account.
If a collision attack is found to be faster and more efficient than a birthday attack, the hash function is considered broken and should be replaced with a more resilient algorithm.
Brute-Force Attacks
Brute-force attacks are a potential vulnerability in every cryptographic system. Given unlimited time and computational power, any hash can be cracked. As such, they serve as a benchmark for evaluating the severity of other vulnerabilities. If an attack is determined to be faster than brute-forcing, the algorithm must be patched or abandoned.
Popular Hashing Functions
Several cryptographic hash algorithms have been developed, each with unique strengths and weaknesses. Unfortunately, some of the most widely used algorithms have proven vulnerable, yet they still appear in data breaches.
- MD5: Considered obsolete, MD5 was developed in 1991 by MIT professor Ronald Rivest as a replacement for MD4. It produces a 128-bit hash but was quickly found vulnerable to collision attacks. Researchers demonstrated in 2013 that the algorithm is no longer secure and should be replaced. Despite this, MD5 hashes continue to appear in data breaches, potentially exposing user data.
- SHA Algorithms: The recommended replacement for MD5 came from the Secure Hash Algorithm family. SHA-1, developed by the NSA and released in 1995, produces a 160-bit hash. By 2005, it was deemed unsafe against advanced threat actors, particularly for digital signatures. SHA-2, released in 2001, officially replaced SHA-1 in 2011 when NIST introduced new minimum security requirements. Due to lack of backward compatibility, SHA-2 adoption was slow. More recently, SHA-3 was released in 2015, featuring a structure entirely different from its predecessors. Both SHA-2 and SHA-3 support hash lengths from 256 to 512 bits, depending on the configuration.
- Bcrypt: Introduced in 1999, bcrypt is a password hashing algorithm that incorporates default salting and adaptive features. This means it can continue to resist brute-force attacks over time. Bcrypt is based on the Blowfish cipher developed by Bruce Schneier.
- Argon2: Argon2 was the winner of the 2015 Password Hashing Competition. It is resistant to side-channel attacks and features memory hardness, making it more resilient against brute-force attacks than bcrypt.
👉 Discover robust encryption tools
Frequently Asked Questions
What is the main purpose of password hashing?
Password hashing protects user credentials by converting plaintext passwords into irreversible hash values. This ensures that even if a database is breached, attackers cannot easily retrieve the original passwords.
How does salting improve password security?
Salting adds unique random data to each password before hashing, preventing attackers from using precomputed hash tables. It also ensures that identical passwords produce different hashes, enhancing overall security.
Can hashed passwords be decrypted?
No, hashing is a one-way process. There is no mathematical way to reverse a hash back to the original password. Attackers typically use methods like brute-forcing or rainbow tables to guess passwords.
What is the difference between hashing and encryption?
Encryption is a two-way process that uses a key to convert plaintext to ciphertext and back. Hashing is a one-way process that converts input into a fixed-length string, which cannot be reversed.
Why are some hash algorithms like MD5 still used?
Despite known vulnerabilities, older algorithms like MD5 persist due to legacy systems and slow adoption of newer standards. However, their use is strongly discouraged in modern applications.
What makes Argon2 a preferred hashing algorithm?
Argon2 is designed to be memory-hard and resistant to side-channel attacks, making it more secure against advanced brute-force techniques. It is widely recommended for new applications.
Conclusion
Password hashing is a fundamental aspect of modern cybersecurity, ensuring that user credentials remain protected even in the event of a data breach. By understanding the principles of hashing, salting, and common attacks, users and developers can make informed decisions to enhance security. Adopting robust algorithms like Argon2 and following best practices—such as using unique, strong passwords and leveraging password managers—can significantly reduce the risk of credential theft. As technology evolves, staying informed about cryptographic advancements remains essential for maintaining privacy and security online.