Password hashing is an essential part of password security. It is an effective and irreversible way to turn your passwords into unintelligible strings of random characters for secure storage and authentication. Without hashing, all passwords in a breached database can be used by cybercriminals for malicious purposes. Hashing significantly reduces such risks.
In this article, you will find detailed explanations of what hashing is, how it works, how it is different from data encryption, and why it is important for password security. I will also share some general password security tips and debunk some myths about passwords and password hashing.
What is password hashing?
Password hashing is a password protection method that converts a plaintext password into a string of random characters. Hashing is a one-way process, meaning it’s irreversible: once a password has been hashed, you can’t access, interpret, or reverse-engineer the original text. This is the main reason why on many websites you can reset your password (overwrite the hash for a previous password), but never recover the old one.
The random character strings (hashes) into which a password gets converted are also fixed-size (length), usually 160, 256, 512, or more bits. This is useful for several reasons. Fixed-size hashes are more convenient to index and store, but they also further prevent attempts to reverse the password to its original form.
A hash algorithm will produce the same hash for the same input, which is why hashing is especially useful for password protection. When a user enters their password, an algorithm converts it to a hash. If it matches the stored hash of the correct password, the user will be logged in. Because only hashes are compared, the login check works without the service ever storing plaintext passwords.
There are many popular hash functions (algorithms) used today. Some of them are SHA-2, BCrypt, and PBKDF2.
Why is password hashing important for data security?
Hashing is crucial for data security for any platform, company, or website that deals with user passwords and authentication. A database storing passwords can be breached at any time, for any reason, by any means, putting both the company’s and the users’ data at risk. If the passwords are hashed, the security risks are significantly lower.
For example, the biggest password leak as of today, RockYou2024, revealed nearly 1 billion plaintext passwords. These passwords could then be used for malicious attacks. For example, a recent Ticketmaster breach and a wave of attacks on other companies were likely the result of a credential stuffing attack against a third-party company, using plaintext passwords.
The initial RockYou2024 leak could’ve been at least partially prevented, or at least lesser in scale, if the databases from which the plaintext passwords were stolen had used a hashing algorithm. Hashed passwords are significantly more difficult to use in a subsequent attack since they can’t be reversed.
Although there are several ways to execute an attack with hashed passwords, the list is much shorter than with plaintext passwords. Common hash attacks include pass-the-hash, dictionary, rainbow/lookup tables, birthday, and others.
Understanding hashing vs encryption
Encryption and hashing have some similarities as ways to protect plaintext data – they both use algorithms to convert plain text into unintelligible strings of characters. However, there is one main difference between hashing and encryption. Encryption is a two-way process, therefore reversible, while hashing is not. This means that an encrypted message can be decrypted using a special decryption key.
While hashing is mainly used for password storage and protection, authentication, digital signatures, and file and document management, encryption has a wider range of applications. It is used for secure data transfer over various systems, including the internet, when both sides need to be able to read the original message.
For example, your everyday messaging app such as WhatsApp uses end-to-end encryption. This means that every message you send is encrypted, and then transferred over the internet to your recipient in this encrypted form. The recipient’s device then uses a decryption key to convert the message back to human-readable form. Thus, if someone intercepts your messages along the way, they won’t be able to read or modify them without a decryption key, not even WhatsApp.
How does salting improve password security?
Hashing makes password storage more secure, but the passwords are still vulnerable to dictionary, rainbow table, and similar attacks that rely on dictionaries of plaintext passwords and their hashed equivalents.
For better security, you should salt your hash: salting is a process or a function that adds additional randomized characters – or salt – to a password. That way, when a password with salt is hashed, the hash won’t match any items in a dictionary or a rainbow table that might be used in an attack. Additionally, if the database contains the same passwords multiple times, salting helps differentiate and better protect them.
Top hashing algorithms and how they work
There are many popular hashing algorithms that cybersecurity experts can choose from when implementing password storage security. Below are two of the most well-known and widely used hashing algorithms.
SHA-2
SHA-2 is a collection of hashing algorithms, each differentiated by the size of the output string (in bits). For example, there are SHA-224, SHA-256, SHA-384, and SHA-512 algorithms. The size of the output hash matters because the longer it is, the more secure it is. However, the longer the output, the more computational power it requires.
The SHA-2 algorithm collection was created and first published by the National Security Agency (NSA) in the US. It is one of the most widely used hashing algorithms, and in some places, legally required to be used for password protection and storage.
Bcrypt
Bcrypt is another popular hashing algorithm, specifically designed for password hashing and therefore more secure. Bcrypt also includes a salting function, so the passwords are salted before they get hashed. This reduces Bcrypt’s vulnerability to both brute-force and rainbow table attacks.
However, because of the added salting, Bcrypt is slower and more computationally demanding.
Argon2
Argon2 is a function for key derivation and won the 2015 Password Hashing Competition. It was designed by three cryptographers from the Luxembourg University. Like Bcrypt, it is intentionally made to be slow, as this helps with countering attacks.
Other hashing algorithms
There are more hashing algorithms than the ones above. Some of them, like SHA-1 or MD5, are obsolete and no longer in use. With various attack strategies constantly being developed, these hashing algorithms no longer meet security standards. Even Bcrypt, having been in use for more than 20 years and still secure, is being replaced by more modern versions such as Scrypt, Argon2, and others.
Best practices for secure password storage
No matter if you’re just a regular person or a cybersecurity expert with a task to securely store and manage passwords, there are some secure password storage practices that should be followed:
- Use strong hashing algorithms like Bcrypt or SHA-2 to ensure that your passwords are under the best protection and vulnerable to very few attacks.
- Implement salting and peppering to increase security. Salting will add a unique set of random numbers to a password and make the hash less vulnerable to dictionary or rainbow table attacks. Peppering has a similar function. The main difference from salt is that pepper value is secret (stored separately from hashed passwords) and doesn’t change per password or database.
- Regularly update security methods, protocols, and password policies. With various attacks evolving every day, it’s important to stay up to date and change your password usage and storage practices to avoid data breaches and password leaks.
- Create strong passwords. There are numerous password generators out there, and most password managers also offer their own. The more complex the password, the less likely it is to be found out and leaked.
- Use a reliable password manager. The best password managers not only store your passwords in a safe environment but also include features like secure sharing, powerful password generators, and more.
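The salting and peppering practices above, together with the hash-comparison login check described earlier, can be sketched as follows. This is an added example, not code from the original article; it uses PBKDF2 from Python's standard library, and the iteration count, the record layout and the in-process pepper are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: the work factor, the record layout and the
# in-process pepper. A real pepper is loaded from a secret store kept apart
# from the password database.
ITERATIONS = 600_000
PEPPER = secrets.token_bytes(32)


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # Pepper: keyed HMAC over the password with a secret not stored in the DB.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt + stretching: PBKDF2-HMAC-SHA256 over the peppered value.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = _derive(password, salt, pepper, iterations)
    # The salt and iteration count are not secret; store them next to the hash.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = _derive(password, bytes.fromhex(salt_hex), pepper, int(iterations))
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, OverflowError):
        return False  # malformed or corrupted record


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice != bob)  # records differ because each has its own salt
    print(verify_password("correct horse battery staple", alice))
    print(verify_password("correct horse battery staple", alice, pepper=b"\x00" * 32))
```

Because the pepper never appears in the stored record, a copy of the database alone is not enough to test password guesses against these hashes.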
Common misconceptions about password security
We all use passwords in our daily lives and probably like to think that we know a thing or two about password security. And we might! However, it is still beneficial to check whether the things you think you know are true and update your passwords and online practices accordingly. So, here are some common myths about password security:
Myth 1. Password hashing is unbreakable
Password hashing is an essential password security practice; however, it is not immune to attacks. As mentioned in the above sections, there are plenty of hash attacks, such as dictionary, rainbow table, or birthday attacks, that can be successful against hashed passwords.
Using algorithms specifically designed for password hashing and introducing additional functions like salting and peppering can reduce the risks of a hash attack.
Myth 2. Password hashing prevents phishing attacks
Phishing is a social engineering attack and rarely has anything to do with the technical sides of password security, such as hashing. Phishing is a manipulation tactic that, if successful, will make you reveal your personal information and plaintext passwords anyway.
Myth 3. Numbers and special characters automatically make a password secure
While numbers and special characters definitely do add to a password’s security by introducing complexity, simply putting “123” or “???” at the end of “password” is not enough. The key to a good password is not only the symbols, numbers, and capital letters. The most important thing when creating a password is avoiding a pattern, such as word + number + symbol. Patterns are easy to guess, especially for bad actors who use very complex tools to crack passwords.
Myth 4. A complex password is better than a long one
Complexity is crucial for a good password, but length is also important. That’s why most of the time sites ask you to create a password of at least 8 or 12 characters. Additionally, it’s more difficult to make a short password that is also complex. Therefore, don’t only rely on a jumble of 5 characters and create passwords that are also long.
Myth 5. It’s okay to reuse the same password
This one goes without saying – it’s not okay to reuse the same password. In fact, it is very dangerous. Just imagine, if a bad actor gets ahold of a password that you’ve been using for your email, social media, shopping sites, and work or school-related accounts. It will take them no time at all to get into all of your accounts with the same password, putting not only your personal information, identity, and financial security at risk, but also your workplace or school.
Conclusion
Password hashing is a process that, with the help of a hashing algorithm such as SHA-2 or Bcrypt, helps securely store and authenticate passwords. This is done by irreversibly turning them from plain text into strings of random characters. Some techniques, such as salting and peppering, make the hashed passwords even more secure and less vulnerable to attacks. However, while hashing is essential for storing passwords, it is not enough to secure your accounts. Creating strong passwords and regularly updating them is crucial in keeping your personal information safe online.