With data and security breaches on the rise, it is absolutely crucial that companies are able to adequately protect their customers' passwords. They can do this, for example, by hashing them before storing them.
But what is password hashing and how does it protect against hacking? And how secure is password hashing really? All this - and more - is discussed in this article.
How does password hashing work?
Hashing is a form of encryption technique that was invented long before the internet and the PC. Today, hashing is used to secure all kinds of sensitive data.
In short, hashing is an encryption process that protects passwords by turning them into random strings of text.
Technically, what happens when you choose a new password for one of your online accounts is that the password is run through an algorithm called a hash function or hashing algorithm. The hashed password then comes out the other side and is stored on the company's server. In this way, the passwords are protected against hackers who might gain access to the password database.
The next time you log in, you enter your password, which is run through the same algorithm. In this process, the website checks if the hashed result matches the hashed password stored on the server. If it is a match, the website knows that you have entered the correct password and logs you in.
The process happens in milliseconds and without the user noticing.
Hashing algorithms
There are several different hashing algorithms that have been developed over the years. These include, for example, MD5, SHA-1, SHA-2, RIPEMD-160 and Whirlpool. However, there is a big difference in how secure each of them is. For example, MD5 and SHA-1 are not considered secure because they are outdated compared to how advanced the PC has become. This means that they have become too easy to crack through brute force, for example.
However, other hashing algorithms are still considered secure and are used by password managers, the most secure of which for storing passwords is SHA-256.
Hashing algorithms are mathematical formulas that are consistent. This means that if you run a password through the same algorithm twice, the hashed result will not change.
Hashing algorithms are one-way features, meaning they do not work in the opposite direction. This makes it harder to crack hashed passwords and thus be able to read the original characters of the password. But unfortunately, this does not mean that password hashing is 100% secure.
Why hashing is a good idea
In the event of a security breach, such as a hacker attack on a website where a hacker gains access to the database of customer passwords and other sensitive information, it can be crucial that this information is hashed.
This means that the hacker only has access to the random strings of text and not the actual codes and information, which is useless to the hacker unless they find a way to break them. Only by cracking the hashed passwords will the hacker be able to read the original passwords.
How do hackers crack hashed passwords?
As with most other security measures, there are both strengths and weaknesses to hashing. The main weakness of hashing is, of course, that it is possible to crack a hashed password.
Hackers can crack hashed passwords via a dictionary attack. Here they use software to run predictable and frequently used passwords through frequently used hashing algorithms. If there is a match between the hashed results and the data in the hacker's possession, the hacker will be able to easily deduce the original password.
Hackers can also make use of so-called rainbow tables. These can be thought of as spread sheets of popular hashing algorithms. The tables contain frequent passwords and their hashed counterparts. If an attacker gains access to a database of hashed passwords, they can check the rainbow table for a match. If there is a match in the table, the original password will also appear.
Because of these risks of hashed passwords, many websites "salt" customers' passwords in addition to hashing them.
Salting of passwords
Hashing is not 100% secure because the encrypted text strings are never 100% random. In any case, you will always get the same result if you run the same password through a hashing algorithm multiple times - i.e. the text string will always stay the same. Therefore, to make hashing even more random, salting is used.
Salting is a cryptographic technique and process of adding a text string consisting of at least 32 random characters to the password before running it through the hashing algorithm. This means that the same password will generate a new hashed result every single time you log in.
Salting is effective for several reasons that address the uncertainties of hashing, including
- It makes passwords long and unique, meaning they won't be found in cybercriminals' lists or dictionaries, as seen in successful dictionary attacks.
- It makes hashed passwords and text strings completely random, so they won't be found in a rainbow table.
As an extra layer of protection, there is also something called peppering, which is also a cryptographic process that can be added to the password in addition to hashing and salting.
Remember to pepper your password too
The "pepper" is a form of salting that is secret. It is not randomly generated like traditional salting, but the pepper modifies the hash by adding an extra text string to the password and is also stored in a separate database from the hashed passwords, which also increases security.
The pepper is usually chosen by the website owner, who has to make sure it is secure and strong enough. It is static, in the sense that the same pepper is used by all users on a website. It is not individually customized like traditional salting.
But unlike salting, peppering is secret. This means that the pepper is stored in a separate database, and not together with the hash and salt. Should a hacker manage to break into the database of hashes and salt, they will still not be able to crack the passwords because they do not know the pepper.
Salt and pepper make it extremely difficult for hackers to crack passwords. Even weak passwords become almost impossible to crack when they are protected with salt and pepper because they change the hash. These techniques significantly increase password security.
Protect yourself from hacking
The best thing you can do to protect your online user accounts is to make sure you create strong passwords that are long, unique and random. This will prevent your password from appearing in a rainbow table or on a list of frequently hashed passwords.
You may want to use a password manager to keep track of all your passwords, which of course should all be different. The password manager will keep your passwords safe and can even generate unique and long passwords for you, so you don't have to come up with them yourself.
Password managers will hash your passwords and will often also season them with both salt and pepper to achieve the highest possible security, making them extremely difficult to crack.
Last but not least, it is of course always a good idea to do cybersecurity awareness training to learn all about the current threats as well as achieve behavioral changes and good cyber hygiene to become your own best cyber defense.
Emilie Hartmann
Emilie is responsible for Moxso’s content and communications efforts, including the words you are currently reading. She is passionate about raising awareness of human risk and cybersecurity - and connecting people and tech.
View all posts by Emilie Hartmann