DEV Community

Cover image for Password Hashing 101: All About Password Hashing and How it Works
Andy Agarwal for MojoAuth

Posted on • Originally published at mojoauth.com

Password Hashing 101: All About Password Hashing and How it Works

Most people have a love-hate relationship with passwords. On the one hand, we need them to keep our online accounts safe. But on the other hand, they can be hard to remember and easy to forget.

And then there are the security concerns. With data breaches becoming more common, it’s important to choose passwords that are strong and secure. But is that enough to secure passwords? But what does that mean, exactly?

In this article, we’ll take a look at what password hashing is and why it’s important. We’ll also give you some tips on how to choose strong passwords and keep them safe.

What is password hashing?

Password hashing is a process of using a hash function to convert a password into an unrecognizable series of characters. This makes it difficult for malicious actors to gain access to the password, as the characters are not easily decipherable. This string cannot be deciphered or converted back to the original password, thus allowing it to be stored securely in a database.

Encryption and hashing are two different terms used in cryptography and data security. Here hashing should not be confused with encryption. Encryption and hashing are two different processes but both are used to protect data by converting them to an unrecognizable series of characters so that data cannot be easily interpreted. Encryption scrambles the data using a key and converts a normal readable message into a garbage message or not readable message known as Ciphertext so that only people with the correct key can read the data. Encryption is used to protect sensitive data from unauthorized access and is very popular

Whereas hashing is a process of converting data into a fixed-length code. Hashing works by taking a large amount of data and running it through a mathematical algorithm, which results in a unique, irreversible, fixed-length code. It is used to verify the integrity of data and to ensure that data has not been modified.

The most important key thing to remember about hashing is that it is a one-way process. This is important for security, as it means that even if a hacker gets access to the database, they will not be able to see the passwords.

Example-

For example, the SHA256 hash of “Liman1000” is “1cde884c4ba81f70a4551714e89a94ca7f25c89c14eedc4b11b881a783bd1767”

Similarly,

the SHA256 hash of most common password “qwerty12345” is “f6ee94ecb014f74f887b9dcc52daecf73ab3e3333320cadd98bcb59d895c52f5”

History of password hashing

As early as the 1970s, computer scientists began exploring solutions to make passwords more secure, long before the emergence of the World Wide Web in the 1990s.

In the 1970s, Robert Morris Sr., a cryptographer at Bell Labs, developed the concept of “hashing”. This process takes a string of characters and converts it into a numerical code that represents the original phrase, thus eliminating the need to store the password itself in the password database.

This technology was adopted in early UNIX-like operating systems, which have since become a staple across a variety of mobile devices, workstations, and other systems, such as Apple’s macOS and Sony’s PlayStation 4.

Type of hashing algorithm

There are many different algorithms that can be used for password hashing. We have explained a few of them below.:

1. MD5 (Message Digest Algorithm 5): MD5 is a widely used hashing algorithm that is employed for digital signatures and other security-related applications. MD5 is an algorithm that produces a 128-bit hash value from an arbitrary length of data. This is a one-way cryptographic function, meaning that the original data cannot be derived from the generated hash. MD5 is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data.

2. SHA-1 (Secure Hash Algorithm 1): SHA-1 is a hashing algorithm that produces a 160-bit hash value from an arbitrary length of data. SHA-1 is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. SHA-1 is widely used in many security applications, including digital signatures and message authentication codes (MACs).

3. SHA-2 (Secure Hash Algorithm 2): SHA-2 is a set of hashing algorithms developed by the National Security Agency (NSA). SHA-2 is an improvement over the SHA-1 algorithm and produces a 256-bit hash value from an arbitrary length of data. SHA-2 is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. SHA-2 is widely used in many security applications, including digital signatures and message authentication codes (MACs).

4. SHA-3 (Secure Hash Algorithm 3): The SHA-3 family of hash functions consists of SHA3-224, SHA3-256, SHA3-384, SHA3-512, and SHAKE128/256, which produce hash values of varying lengths (224, 256, 384, and 512 bits, respectively). These algorithms are seen as more secure than SHA-2.

5. RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest): RIPEMD-160 is an algorithm that generates a 160-bit hash value from any amount of data. This hash is used to verify the integrity of the data and to protect it from changes. This algorithm is specifically designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. RIPEMD-160 is widely used in many security applications, including digital signatures and message authentication codes (MACs).

6. BLAKE2 (BLAKE2s): BLAKE2 is a hashing algorithm that produces a 256-bit hash value from an arbitrary length of data. BLAKE2 is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. BLAKE2 is widely used in many security applications, including digital signatures and message authentication codes (MACs).

7. Whirlpool: Whirlpool is a hashing algorithm that produces a 512-bit hash value from an arbitrary length of data. Whirlpool is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. Whirlpool is widely used in many security applications, including digital signatures and message authentication codes (MACs).

8. Tiger: Tiger is a hashing algorithm that produces a 192-bit hash value from an arbitrary length of data. Tiger is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. Tiger is widely used in many security applications, including digital signatures and message authentication codes (MACs).

9. Skein: Skein is a hashing algorithm that produces a 512-bit hash value from an arbitrary length of data. Skein is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. Skein is widely used in many security applications, including digital signatures and message authentication codes (MACs).

10. HMAC (Hash-based Message Authentication Code): HMAC is a hashing algorithm that produces a 128-bit hash value from an arbitrary length of data. HMAC is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. HMAC is widely used in many security applications, including digital signatures and message authentication codes (MACs).

11. GOST (GOST-34.11): GOST is a hashing algorithm that produces a 256-bit hash value from an arbitrary length of data. GOST is an algorithm that is designed to be extremely difficult to reverse, making it useful for verifying the integrity of data. GOST is widely used in many security applications, including digital signatures and message authentication codes (MACs).

In addition to choosing a secure password hashing algorithm, it is also important to use good password hygiene to ensure the security of user accounts.

PBKDF2 (Password-Based Key Derivation Function 2): This is a key derivation function that is designed to be slow and resource-intensive, making it more difficult for attackers to crack passwords. It is often used in combination with a cryptographic hash function, such as SHA-2, to create a secure password hash.

Argon2: This is a key derivation function that was designed to be more secure and resistant to attacks than PBKDF2. It has several parameters that can be adjusted to increase the difficulty of cracking passwords, including the amount of memory used, the number of iterations, and the parallelism.

bcrypt: This is a key derivation function that was designed specifically for password hashing. It is based on the Blowfish encryption algorithm and uses a variable-length salt to make it more difficult to crack passwords.

To sum up, a wide variety of hashing algorithms are available, each offering varying levels of protection. Among the most popular hashing algorithms for digital signature and other security purposes are MD5, SHA-1, SHA-2, RIPEMD-160, BLAKE2, Whirlpool, Tiger, Skein, HMAC, and GOST. Each algorithm is designed to be extremely difficult to reverse, making them useful for verifying the integrity of data.

How do hashing algorithms work

Hashing algorithms are mathematical functions used to create a unique, fixed-length output (known as a hash or message digest) from an input of any size. These algorithms are used to ensure data integrity, validate digital signatures, and authenticate messages. To generate a hash, the algorithm takes an input, such as a file or a string of data, and processes it through an algorithm that produces a unique, fixed-length output.

This output is usually represented as a hexadecimal string, which is much shorter than the original data. Hashing algorithms are designed to be one-way functions, making it difficult to determine the original data from the hash.

Hashing algorithms are also used to authenticate messages and digital signatures, as the sender can generate a hash of the message and sign it with their private key. The receiver can then use the sender’s public key to verify that the message has not been altered during transit.

Password Hashing

Recommended algorithm for hashing

The Secure Hash Algorithm (SHA) family of algorithms is the most widely used and recommended for hashing. It comprises of a range of algorithms, with SHA-256 and SHA-512 offering higher levels of security and SHA-224 as a lighter version of SHA-256. SHA-2 is regularly used for digital signatures, authentication and to ensure message integrity.

Why password hashing is important?

Password hashing is an essential step of data security in order to protect data from unauthorized access. It involves taking a user’s password and transforming it into a random string of characters, also known as a “hash”. This hash is used to verify the user’s identity and protect the user’s data. This process is designed to make the password unreadable and therefore, more secure. By making the password unreadable, it prevents malicious actors from accessing the data.

Password hashing is a must security measure as it helps protect user passwords from being accessed by attackers in a commonly readable format, at least it doesn’t directly expose. Hashing algorithms create a unique and complex hash for each user, making it difficult for an attacker to guess the password. Additionally, the hashes are very difficult to reverse thus making it more harder for attackers to use brute-force attacks to guess passwords. This helps protect users from having their passwords exposed and their accounts compromised.

Finally, password hashing is important because it increases the security of stored passwords. By hashing a user’s password, it ensures that no one can view the original password, even if the data is compromised.

Therefore, even if a hacker were to gain access to the stored data, they would not be able to view the user’s original password. In summary, password hashing is an important security measure that helps protect user data from unauthorized access. It makes passwords difficult to guess and increases the security of stored passwords. Therefore, it is an essential security measure for any online system that requires a user to enter a password.

In summary, a few key reasons why password hashing is important:

Security: As mentioned above, password hashing is a one-way process, meaning that it is not possible to reverse the process and retrieve the original password from the hash. This makes it much more difficult for attackers to access user passwords, even if they manage to breach the database.

Scalability: Password hashing algorithms are designed to be fast and efficient, making them suitable for large-scale applications with millions of users. This is important because the hashing process needs to be performed each time a user logs in, and a slow hashing algorithm could cause performance issues for the application.

Compatibility: Password hashing algorithms are designed to be compatible with a wide range of systems and platforms, making it easy to integrate into any application.

Enhancing security with the addition of salt in hashing:

An improved way to store passwords Hashed passwords are not unique to themselves due to the deterministic nature of the Hash function: when given the same input, the same output is always produced. If User A and User B both choose qwerty12345 as a password, their hash would be the same:

SHA256 hash for User A for password “qwerty12345” is “f6ee94ecb014f74f887b9dcc52daecf73ab3e3333320cadd98bcb59d895c52f5”

SHA256 hash for User B for password “qwerty12345” is “f6ee94ecb014f74f887b9dcc52daecf73ab3e3333320cadd98bcb59d895c52f5”

Password salting is a technique used to increase the security of stored passwords. It involves adding random data, known as a salt, to each password before it is hashed. This random data makes it more difficult for attackers to crack the passwords, even if they have access to the hashed version of them.

Salt values are stored along with the hashed passwords so that when a user attempts to log in, the salt can be retrieved and used to generate the same hash that was stored. This makes it much harder for attackers to guess the passwords, even if they have access to the database.

For example, let’s consider the same example where the password for both User A and User B is “qwerty12345”.

Similarly, SHA256 hash for User A and User B for password “qwerty12345” is “f6ee94ecb014f74f887b9dcc52daecf73ab3e3333320cadd98bcb59d895c52f5”

To salt this password, a random string of characters is added to the end.

For User A → Salt added is - @hjS7 Password - qwerty12345 The salted version of the password is - qwerty12345@hjS7 Now SHA256 hash for salted version of the password “qwerty12345@hjS7” is “1103d94d5c848575f87f7fbe843effdcea4198fead77a24400c43774e4cfac4a”

For User B → Salt added is - 98@*st6 Password - qwerty12345 The salted version of the password is - qwerty1234598@*st6 SHA256 hash for salted version of the password “qwerty1234598@*st6” is “1cecec3a0606a716d6f4ca2c285643d4aae169cfb1aa3c8bbb88fd09f2102afa”

If we compare the salted version of the password for both User A and User B having the same password ‘qwerty12345’.

User A: “1103d94d5c848575f87f7fbe843effdcea4198fead77a24400c43774e4cfac4a”

User B: “1cecec3a0606a716d6f4ca2c285643d4aae169cfb1aa3c8bbb88fd09f2102afa”

As you see, for the same password, the hash generated is different. This is making it more complex to reverse engineer in extracting the passwords.

Summary

In conclusion, password hashing is a technique used to secure user passwords by transforming a plaintext password into a complex string of characters called a hash. This hash is then stored in a database and compared to the user’s input when they attempt to log in, ensuring only authorized users can access the system.

Hashing passwords prevents the plaintext password from ever being stored, preventing it from being stolen in the event of a data breach. It also allows the website to verify the user’s identity without needing to store the plaintext password. When implementing a secure password hashing system, it is important to use a strong hashing algorithm such as bcrypt. Bcrypt is designed to be computationally expensive, making it difficult for attackers to brute-force guess the plaintext passwords from the hashes.

Simplify authentication with MojoAuth

You can minimize the overhead of hashing, salting, password security, password management, and all password-related issues with MojoAuth.

Mojoauth passwordless authentication helps businesses increase customer engagement by providing customers with a secure and convenient way to log into their accounts. With Mojoauth, customers can authenticate with a single click, without having to remember a password. This simplifies the login process, making it easier and faster for customers to access their accounts and complete their desired actions.

Top comments (0)