What Is Password Hashing?
A few years ago, tech giants like Facebook and Google made data security headlines by confessing to storing passwords in plain text. As a result, anyone with access to their database can easily see those plain text passwords, putting sensitive information at risk.
Many companies use password hashing to store passwords securely, addressing these concerns and enhancing security. In this blog post, we'll explain what password hashing is, how developers hash passwords, the algorithms they use, and the limitations of the process.
Want to learn more about using Dashlane Password Manager at home or at work?
What is password hashing?
Password hashing involves converting passwords into an alphanumeric string using specialized algorithms.
Your username and password often undergo hashing when you sign up for a new account on a website or app. Instead of storing the password as plain text, a mathematical algorithm converts your password into a unique code.
How is hashing different from encryption?
At first glance, password hashing and encryption might seem pretty similar. In both cases, information is morphed into complex code to keep it safe from hackers. But there are some crucial differences between the two.
Encryption is a two-way street
Encrypting passwords creates a randomized alphanumeric string, but there's a catch. Encryption is a two-way function that allows decryption, or decoding of encrypted values, back into their original plain-text form.
Encryption is reversible, meaning the encryption key can decrypt the passwords back into plain text. So if hackers breach your database or a malicious employee with privileged access obtains the keys, your encrypted passwords become vulnerable.
Hashing is not reversible
Password hashing is a one-way function. You can't reverse engineer the process and retrieve or trace back to the original password from its hashed form.
Hashing is irreversible and ensures that even if someone gains access to the hashed passwords, they won't be able to decipher them back into the original passwords.
Data protection vs. data integration verification
Encryption plays a crucial role in data protection. It converts data into an unreadable format using an encryption key, ensuring that only authorized individuals with the corresponding key can decrypt and access the data.
Hashing is primarily used in data integrity verification. The hashed password acts as a unique digital fingerprint for the data, allowing data integrity to be verified. Any modifications or tampering can be detected by comparing the hash value of the received data with the initially generated hash value.
How does password hashing work?
When a user sets a password, a password-hashing application uses a hashing algorithm to generate a unique string of characters and store it in the database. The size of this string is measured in “bits” (short for binary digits), which is the smallest unit of data a computer can process and store.
When the user tries to log in, the application applies the same hashing algorithm to the entered password and compares the resulting string with the stored value in the database to authenticate the user.
Let's break it down with an example.
If you set the password "hAsh!nGisC00L" and put it through an MD5 hashing algorithm, it will produce the hash "5d640ca634edfaa17813cab1492208f2," which looks nothing like the original password.
The slightest change in the password will completely alter the hashed password too. For example, if you switch the '!' to an 'i' and run the changed password through the hashing application again, it could produce the hash "1c70088b4b9c650d49fd3ee04349dfb9," which is entirely different from the first hashed value.
What is salting a password or salting a hash?
With cybercriminals getting more creative with advanced tools, hashing alone isn't enough to keep your passwords safe. You can "salt" your passwords before hashing them for enhanced protection.
While it may sound like a recipe for hash browns, "salting a hash" in cryptography refers to adding a random and unique string of characters to the original password before it’s hashed. These additional strings added to the original password, known as salts, help enhance password complexity without impacting user convenience.
Salting doesn't just improve the complexity of password hashes—it also tackles the problem of duplicate passwords. Using unique salts for each password ensures that even if two users have identical passwords, their hashed versions will differ due to the unique salts. This practice makes it more difficult for attackers to crack multiple passwords simultaneously.
Common hash algorithms
As mentioned previously, the method of password hashing is accomplished with the help of mathematical algorithms. Some of the most common hash algorithms include:
Argon2 is an advanced and secure hash function utilized in cryptography and password hashing. It’s designed to withstand diverse attacks, providing strong protection for storing passwords securely. By leveraging a combination of memory and processing power, Argon2 makes it significantly harder for attackers to crack hashed passwords. Ever since its victory in the Password Hashing Competition in July 2015, Argon2 has established itself as a top-tier algorithm in password encryption, offering robust security for stored data.
Designed by Ronald Rivest in 1991, Message-digest Method 5, or MD5, is one of the earliest hash algorithms that produces a 128-bit hash value from a string of any length.
While it was peak security in its time, the algorithm is now considered insecure for password hashing due to its vulnerability to collision attacks (when hackers target inputs that produce identical hash values). Hackers now have access to machines with fast computation speed, allowing them to quickly generate and test many potential inputs and guess the correct identical hash value.
SHA stands for Secure Hashing Algorithm; SHA-1 and SHA-2 are different versions of the same algorithm. They mainly vary in their construction and the length of the resulting hash. SHA-1 produces a 160-bit hash value and is no longer recommended for secure password storage because it’s prone to collision attacks.
SHA-2, on the other hand, is a family of hashing algorithms, including SHA-256 and SHA-512, which produce hash values of 256 bits and 512 bits, respectively. SHA-2 is more secure than SHA-1 and even widely used for multiple cryptographic purposes other than password hashing. For example, Bitcoin uses the SHA-256 hashing algorithm.
Scrypt is a special algorithm that creates memory-intensive hashed passwords, making it more resistant to brute-force attacks. It was specifically developed to mitigate the risks posed by hardware advancements in password cracking.
It takes a significant amount of memory to crack memory-intensive hashes. This makes it more difficult for attackers to perform tasks simultaneously across multiple processors, thereby increasing the cost and time required to crack passwords. As a result, it’s often used for password hashing in cases that require more robust security.
Designed in 2000, Whirlpool is a cryptographic hash function that produces a hash value of 512 bits. It employs a complex internal structure with multiple rounds of mixing operations, making it computationally intensive and suitable for applications requiring high-security levels. In addition, since Whirlpool offers a larger hash size than other algorithms, it provides a larger output space that reduces the probability of collisions.
RIPEMD (RACE Integrity Primitives Evaluation Message Digest) is a family of hashing algorithms designed to provide higher security and resistance against potential attacks. It produces hash values of different bit lengths, with RIPEMD-160 generating a 160-bit hash value. In addition, it employs a compression function that takes an input of any random length and produces a fixed-size hash, enhancing the algorithm's security.
Limitations of password hashing
Despite the robust protection, password hashing is a memory-intensive process. And it’s not entirely impossible to crack password hashes.
Some of the drawbacks of password hashing are:
Password hashing can negatively impact the performance of database operations. As the hashing process can be computationally intensive, it may slow down the overall database performance, especially when there are many passwords to hash and verify. If proper optimization techniques and hardware considerations aren't implemented, such an impact can degrade databases.
Fast hashing algorithms can be hacked
Fast hashing algorithms, such as MD5 or SHA-1, can be vulnerable to dictionary attacks and rainbow tables.
- Dictionary attacks: In a dictionary attack, an attacker uses a pre-computed list of hashed passwords (commonly used passwords or dictionary words) and compares them to the hashed passwords in the database to find matches.
- Rainbow table attacks: Rainbow tables are pre-computed lookup tables containing many possible passwords and their corresponding hash values. Hackers use these tables to quickly crack passwords by comparing the hash values of stolen or encrypted passwords with the entries in the table. Rainbow tables help hackers find the original plain-text passwords without going through the usual time-consuming calculations. By using rainbow tables, attackers can speed up the password recovery process and bypass the standard security measures.
Hash collisions take place when two different inputs produce the same hash output. While rare, hash collisions pose a security risk as an attacker could deliberately create a different password that generates the same hash as the original password, allowing them to gain unauthorized access.
Modern hashing algorithms, such as SHA-2 or Argon2, are designed to have a significantly lower probability of collision, making them more secure choices for password hashing.
Dashlane uses the most robust encryption standard
Dashlane employs the robust Argon2 algorithm to generate an Advanced Encryption Standard (AES) 256-bit key, recognized as the world's most robust encryption standard. This key, derived from your Master Password, encrypts and decrypts your personal data locally on your device before it’s sent to and from our servers. That means your encryption key is never sent over the internet, ensuring that in the unlikely event of a data interception, the encryption protects your information from being deciphered by unauthorized parties.
Argon2 is only one piece of the puzzle. Discover the multiple layers of data protection Dashlane employs to prioritize your security above all else.
- Authgear, “Password Hashing and Salting Explained,” November 2022.
- PCMag, “Facebook Stored Up to 600M User Passwords in Plain Text,” March 2019.
- Wired, “Google Has Stored Some Passwords in Plaintext Since 2005,” May 2019.
- Dashlane, “What Is Encryption?” March 2019.
- Wikipedia, “Argon2.”
- Password Hashing, “Password Hashing Competition,” April 2019.
- Wikipedia, “MD5.”
- Wikipedia, “Secure Hash Algorithms.”
- Bit2me Academy, “How does SHA-256 work?” July 2018.
- Wikipedia, “scrypt.”
- Wikipedia, “Whirlpool (hash function).”
- Wikipedia, “RIPEMD.”
- Simplilearn, “Message-Digest Algorithm 5: Overview and How Does it Work?” February 2023.
- Auth0, “Adding Salt to Hashing: A Better Way to Store Passwords,” February 2021.
- Okta, “Hashing Algorithm Overview: Types, Methodologies & Usage,” February 2023.
- Dashlane, “Putting Security First: How Dashlane Protects Your Data,” January 2023.
- Dashlane, “What Is a Good Password? 5 Tips for Increasing Password Strength,” November 2022.
- Dashlane, “Dashlane’s Password Generator.”
- Dashlane, “Putting Security First: How Dashlane Protects Your Data,” January 2023.
- CSO, “What is a dictionary attack? And how you can easily stop them,” August 2020.
- Beyond Identity, “Rainbow Table Attack.”
Sign up to receive news and updates about Dashlane
Thanks! You're subscribed. Be on the lookout for updates straight to your inbox.