What is a hashed password?

How does password hashing work?

Password hashing is a way of protecting user passwords by transforming them into a scrambled representation known as a "hash". This is usually done using a cryptographic hash function, which is a mathematical algorithm that takes any input and produces a fixed-size output called a "hash value." The important thing to note about cryptographic hashing is that it is a one-way function (same as a one-way street), which means that it is computationally infeasible (a computation that, while computable, would take too many resources to actually compute ) to determine the original input from the hash value alone. This is what makes it suitable for storing passwords, because even if someone gets access to the hashed passwords, they will not be able to easily determine the original passwords.

The process of hashing passwords usually works like this:

When a user creates a new account on a website or other online service, they are usually required to provide a password.
This password is then passed through the password hashing function, which generates a hash value and is stored on the company's database server.
The original password is discarded so that no one knows the simple secret except the user who generated it.

Companies use hashing to secure all kinds of sensitive data, including customer passwords.

After the user tries to log in to their account, they must re-enter their password. This password is then passed through the same password hashing function and the resulting hash value is compared to the one stored in the database. If the two hash values match, then the user is authenticated and gets access to their account.

The whole process is so fast that it is calculated in milliseconds.

Common hashing algorithms

Cryptographers have developed many hashing algorithms over the years. These include MD5, SHA-1, SHA-2 (SHA is an acronym for Secure Hash Algorithm), PBKDF2, Argon2.

SHA (Secure Hash Algorithm)

SHA (Secure Hash Algorithm) is a family of cryptographic hashing algorithms developed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST). SHA algorithms are widely used for digital signatures and other applications that require data integrity and authentication. SHA-1 is no longer considered secure. Why? Computational hardware has advanced to the point where they’re too easy to crack with a brute-force attack. But improved version of the algorithm called SHA-2 is used today that consists of six hash functions that are 224, 256, 384 or 512 bits. In DrivePassword we use only the most secure variant of the algorithm.

PBKDF2 (Password-Based Key Derivation Function 2)

PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that was developed by RSA Laboratories and is defined in RFC 2898. PBKDF2 is widely used for deriving cryptographic keys from passwords, and it is designed to be computationally expensive in order to make it infeasible for an attacker to use a brute-force attack to guess a password. PBKDF2 is considered to be a strong and secure algorithm, although it has been criticized for being slower than some other key derivation functions.

Argon2

Argon2 is a password-hashing function that was designed to be the winner of the Password Hashing Competition, a multi-year competition organized by a group of researchers to select a new standard password-hashing algorithm. Argon2 is considered to be one of the strongest and most secure password-hashing algorithms currently available, and it is widely used in applications that require high security. Argon2 has two main variants: Argon2i, which is optimized for password hashing and password-based key derivation, and Argon2d, which is optimized for hash-based authentication and proof-of-work systems. Argon2 is used by DrivePassword and considered the most secure hashing algorithm for password storage.

The hashing algorithms has change in the years, but the all are based on mathematical formulas, that are fixed and consistent. So every time the process will give th same result of the function.

What makes password hashing secure?

Even if someone were to gain access to the hashed passwords, they would not be able to easily determine the original passwords if the password are hashed. As we describe above the password hashing strength is based on:

cryptographic hashing function, which is a one-way function that is computationally infeasible to reverse.
password hashing typically includes a "salt" in the hashing process

Can hashed passwords be cracked?

n theory, hashed passwords can be cracked, but it is generally considered to be infeasible for most practical purposes. This is because password hashing uses a cryptographic hashing function, which is a one-way function that is computationally infeasible to reverse. This means that even if an attacker were to gain access to the hashed passwords, they would not be able to easily determine the original passwords.

However, it is possible for an attacker to use a "brute-force" attack to try to guess a password by systematically trying every possible combination of characters. This is a time-consuming and resource-intensive process, and it becomes infeasible as the length and complexity of the password increases. Additionally, many password hashing algorithms are designed to be "computationally expensive," meaning that they take a significant amount of time and resources to compute the hash value, making it impractical for an attacker to use a brute-force attack.

Password salting: extra security flavor

Password salting is a technique that is used to improve the security of password hashing. It involves the addition of an extra layer of random data, called a "salt," to the password before it is passed through the password hashing function. The salt is typically a random string of characters that is unique for each password, and it is included in the password hashing process to make it more difficult for an attacker to guess a password using a dictionary attack.

By adding a salt to the password hashing process, each password hash is unique, even if multiple users choose the same password. This makes it much harder for an attacker to guess a password using a dictionary attack, because they would have to generate a separate dictionary of possible password hashes for each salt. Additionally, because the salt is unique for each password, it helps to prevent the use of "rainbow tables," which are pre-computed tables of password hashes that can be used to quickly look up the original password for a given hash.

Salting is effective for two reasons:

It turns the original password into something long and unique that won’t be in a criminal’s password list (dictionary).
It turns the hashed password into something truly random that won’t be in any rainbow table.

How a password manager can help

The best way to protect your online accounts is by using strong, unique passwords. If they’re long and truly random, it’s unlikely that they’ll appear in a rainbow table, or on a list of commonly hashed passwords.

But how do you create and remember strong passwords? That’s where a password manager comes in.

DrivePassword will help you create unique, random passwords for all your accounts, ensuring they’re difficult to crack both before and after they’re hashed.