6 min read
Password hashing
Not sure how password hashing works? We reveal how password hashing and salting can work together to increase an app’s security.

Password hashing and why it’s important

Link to this section

When users set passwords, they tend to use credentials that are weak, duplicated, and vulnerable. With so many sites and apps out there, it’s increasingly common to use the same password for everything from our inboxes to online banking.

In an era of continual data breaches, this poses a growing risk to companies where a password breach can result in hackers accessing internal systems, data, and resources.

Password hashing is used as a preventative measure to minimize the risk of hackers obtaining passwords. It works by transforming plain-text passwords into a short string of letters and numbers that are unreadable and useless to the untrained eye.

Hashing makes it incredibly difficult for hackers to guess passwords and use them to access information and data, therefore, increasing the security of a company and lowering the likelihood of data breaches. It serves to protect the authentication process from unwanted visitors.

What is password hashing?

Link to this section

Hashing is a cryptographic process that’s used to turn sensitive data (such as passwords) into strings of characters that can’t easily be decrypted or understood. Password hashing specifically is used to turn plain-text passwords into a short string of letters and numbers using an encrypted algorithm, making them unreadable to people.

If security breaches occur and password hashing isn’t employed, hackers will have access to users’ passwords in their original, readable form.

However, when password hashing is used, passwords are converted into a complex string of characters using a password hashing algorithm. This makes it extremely difficult for hackers to get a hold of original passwords and understand how to gain access to secure platforms and apps.

When a user is logging into an account the hashed password is compared to other hashes in an app’s database. If the password hash matches up, access is granted.

How does hashing work?

Link to this section

Password hashing uses a one-way hashing function that takes the user’s password and uses an algorithm to transform it into a fixed length of data. The length of a hash function depends on the hashing algorithm used but typically ranges from 160 to 512 bits.

When a user logs into their account password hashing follows this process:

  1. The user enters their login credentials (username and password).
  2. The hashing function turns the password into a hash.
  3. The generated hash is compared to the hash kept in a database.
  4. Access is granted if both the stored hash and generated hash match up. A login error is presented if these values don’t match up.

Algorithms such as SHA-256, Bcrypt, and Argon2 commonly use the process of hashing, open in combination with additional security protocols (like password salting).

How does password salting work?

Link to this section

Password hashing is a means of protecting users’ passwords from getting into the hands of hackers. However, password hashing isn’t risk-free. In this method, passwords are transformed into a predictable and consistent pattern which can be attacked using dictionary, brute-force, or rainbow table attacks.

Password salting is used to provide an additional layer of security and protection. It involves adding random characters to passwords before the hashing function is used. This ensures the original password is transformed differently each time the hash function is used.

Here are the core types of attacks that password salting can effectively safeguard against.

Brute-force attacks

Link to this section

Brute-force attacks occur when hackers attempt to guess every possible password combination. Hackers then run these combinations through a hashing algorithm until a match is discovered and they can guess the password in its original form.

Password salting protects against brute-force attacks because salting adds unique hashes for each password, meaning the attacker can’t guess the original passwords.

Dictionary attacks

Link to this section

Dictionary attacks are the next level up from brute-force attacks. In this type of attack, hackers attempt to guess passwords using the most common password character and word compositions, (a.k.a a password dictionary).

Hackers use a pre-established word list, comparing them to hashes from a stolen password table which contains every hash on the list to break into a system. Salting makes this process for hackers increasingly difficult, with the addition of random elements that can’t be easily guessed.

Rainbow table attacks

Link to this section

Rainbow table attacks involve pre-computed databases of decrypted hash passwords (a.k.a the password in its original form). Hackers can search this to find their preferred hash.

For rainbow table attacks to work, hackers have to first gain access to leaked hashes which they can find if the password database is poorly secured. If passwords don’t contain salt, hackers can translate the encrypted passwords into their original form.

Why password hashing matters

Link to this section

Generally speaking, users tend to create weak passwords because they are easier to remember and re-use those passwords across multiple different platforms, websites, and applications. This leaves users vulnerable to attackers who can gain access to personal and financial information and data.

Password hashing is essential in protecting users and companies from storing passwords in plain text that can easily be accessed by hackers. Password hashing adds layers of security where passwords aren’t stored in plain text but rather in a format that creates a great deal of effort for hackers to obtain.

Hashed passwords can’t be stolen, reversed, or compromised and are impossible for a user to read. Plus, if a hash code does get stolen it is relatively useless and can’t be used to access other platforms.

These measures are incredibly important for companies to protect themselves and their users from data breaches which can result in personal, financial, and sensitive data being accessed and exploited.

Password hashing is an effective security measure to protect companies from data breaches and ensure user passwords don’t fall into the wrong hands. But, password hashing alone isn’t enough. Password salting adds another layer of security that blocks the most common forms of attack vectors, adding a level of unpredictability to further lower the chance of data breaches.

Talk to us