Password hashing protects user passwords by transforming them into a scrambled, fixed-size representation known as a "hash". This is done with a cryptographic hash function, a mathematical algorithm that takes input of any length and produces a fixed-size output called a "hash value". The important property of a cryptographic hash function is that it is one-way (like a one-way street): given only the hash value, it is computationally infeasible (possible in principle, but requiring far more computing resources than anyone could actually spend) to determine the original input. This is what makes hashing suitable for storing passwords: even if someone obtains the stored hashes, they cannot simply reverse them to recover the passwords.
The process of hashing passwords usually works like this:
When a user creates an account or changes their password, the password is passed through a password hashing function and only the resulting hash value, not the password itself, is stored in the database. Companies use the same technique to protect other kinds of sensitive data, but customer passwords are the most common case.
When the user later logs in, they enter their password again. It is passed through the same password hashing function, and the resulting hash value is compared to the one stored in the database. If the two hash values match, the user is authenticated and gets access to their account.
Each verification takes only a fraction of a second: imperceptible to a user logging in once, but, as discussed below, a real cost for an attacker who must repeat the calculation for every guess.
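The registration and login steps above, written out as an added example (this is not code from the original article). It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, salt length, and the `algorithm$iterations$salt$hash` record format are choices made for this example, not requirements stated on the page.

```python
import base64
import hashlib
import hmac
import os

# Parameters are assumptions for this example, not values taken from the article.
# Tune the work factor so one verification costs roughly 100 ms or more on the
# servers that will run it, and raise it over time as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16        # 128-bit random salt, generated fresh for every stored password
DKLEN = 32             # length of the derived hash in bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Registration step: derive a hash from the password and a fresh random salt.

    The result is a self-describing record, algorithm$iterations$salt$hash, so the
    database row carries everything verify_password needs, and the work factor can
    be raised later without invalidating existing accounts.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Login step: re-derive with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations_str, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, non-numeric iterations, or bad base64
        return False
    if algorithm != ALGORITHM or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    # compare_digest takes the same time regardless of where the first mismatching
    # byte is, so response timing does not leak the stored hash byte by byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was created with a weaker work factor than current policy.

    Call this after a successful login; if it returns True, replace the old record
    with hash_password(password) while the plaintext is still in hand.
    """
    fields = stored.split("$")
    if len(fields) != 4 or fields[0] != ALGORITHM:
        return True
    try:
        return int(fields[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("correct horse battery stapler", record))
    print("needs rehash:", needs_rehash(record))
```

Storing the algorithm and iteration count next to the hash is what lets a site raise its work factor gradually: old records still verify, and `needs_rehash` flags them for an upgrade at the next successful login.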
Cryptographers have developed many hashing algorithms over the years, and not all of them are suitable for passwords. MD5, SHA-1 and SHA-2 (SHA is an acronym for Secure Hash Algorithm) are general-purpose cryptographic hash functions designed to be fast, which is exactly what an attacker guessing passwords wants; MD5 and SHA-1 are, in addition, considered broken for general use. PBKDF2 and Argon2 (like bcrypt and scrypt) are dedicated password hashing functions: they build on a general-purpose hash or cipher but add a salt and a tunable work factor so that every guess is deliberately expensive.
Even if someone gains access to the hashed passwords, they cannot easily determine the original passwords, because, as described above, the strength of password hashing rests on the hash function being one-way. In theory hashed passwords can be cracked, and in practice weak ones regularly are; what is infeasible is reversing the function itself. There is no shortcut that recovers the input from the hash value alone, so an attacker's only route is to guess candidate passwords, hash each one with the same function and parameters, and compare the results to the stolen hashes.
A "brute-force" attack does this systematically, trying every possible combination of characters, while a "dictionary" attack tries likely passwords taken from lists of common or previously leaked ones. Both are time- and resource-intensive, and brute force becomes infeasible as the length and complexity of the password increase. Additionally, dedicated password hashing algorithms are designed to be "computationally expensive": computing a single hash value takes a significant, tunable amount of time (and, for some algorithms, memory). That cost is negligible for one login but is multiplied by every guess the attacker makes, which makes large-scale brute-force attacks impractical.
Password salting is a technique used to improve the security of password hashing. A "salt" is a random value, unique to each stored password, that is combined with the password before it is passed through the password hashing function; the salt is then stored alongside the resulting hash so that it is available at login time. The salt is not a secret, and it does not need to be: its job is to be unique, which is what makes it much more difficult for an attacker to guess passwords with a dictionary attack.
Because of the salt, each password hash is unique even when multiple users choose the same password. An attacker can no longer hash a dictionary once and compare the results against every user in the database; they must redo the work separately for each salt. For the same reason, salts defeat "rainbow tables," which are pre-computed tables mapping hashes back to the passwords that produced them: a table built for unsalted hashes contains none of the salted values, and building one per salt is no cheaper than guessing directly.
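To make the cost model of the preceding paragraphs concrete (the brute-force and dictionary attacks, and what a salt changes), here is an added example that is not from the original article. It builds a small constructed "leaked database", then runs a precomputed-table attack and a per-salt dictionary attack against unsalted SHA-256, salted SHA-256 and salted PBKDF2, counting the guesses each needs and timing them. The wordlist, user names, passwords and iteration counts are all made up for illustration.

```python
import hashlib
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

Hasher = Callable[[bytes, bytes], bytes]   # (password, salt) -> digest
Leak = Dict[str, Tuple[bytes, bytes]]      # user -> (salt, digest), as found in a breach

# Constructed sample data for this example. A real attacker's wordlist holds billions
# of leaked passwords and a real breach holds millions of records.
WORDLIST: List[bytes] = [b"123456", b"password", b"qwerty", b"letmein",
                         b"password123", b"dragon", b"football"]
USER_PASSWORDS: Dict[str, bytes] = {
    "alice": b"password123",
    "bob":   b"password123",
    "carol": b"password123",
    "dave":  b"letmein",
    "erin":  b"v7#Qm!2pLz9w",   # in no wordlist; none of the attacks below recovers it
}


def sha256_fast(password: bytes, salt: bytes) -> bytes:
    """General-purpose hash: microseconds per guess, and identical output for identical
    salt+password. Shown as the weak choice, not a recommendation."""
    return hashlib.sha256(salt + password).digest()


def make_slow_hasher(iterations: int) -> Hasher:
    """PBKDF2-HMAC-SHA256 with a work factor: each guess costs roughly `iterations`
    HMAC computations instead of one hash, for the defender and the attacker alike."""
    def pbkdf2(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return pbkdf2


def store(passwords: Dict[str, bytes], hasher: Hasher, salted: bool) -> Leak:
    """Simulate the site's database. Unsalted storage is modelled as an empty salt."""
    leak: Leak = {}
    for user, pw in passwords.items():
        salt = os.urandom(16) if salted else b""
        leak[user] = (salt, hasher(pw, salt))
    return leak


def precomputed_table_attack(leak: Leak, wordlist: List[bytes], hasher: Hasher):
    """Rainbow-table style: hash the wordlist once with no salt, then look every user up.
    Work is len(wordlist) hashes no matter how many users leaked. Returns (cracked, guesses)."""
    table = {hasher(word, b""): word for word in wordlist}
    cracked = {user: table.get(digest) for user, (_salt, digest) in leak.items()}
    return cracked, len(wordlist)


def per_salt_dictionary_attack(leak: Leak, wordlist: List[bytes], hasher: Hasher):
    """Against salted hashes the table is useless: the wordlist must be rehashed for
    every user's salt, and each guess costs whatever the hasher costs. Returns (cracked, guesses)."""
    cracked: Dict[str, Optional[bytes]] = {}
    guesses = 0
    for user, (salt, digest) in leak.items():
        cracked[user] = None
        for word in wordlist:
            guesses += 1
            if hasher(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, guesses


def demo() -> None:
    """Print guesses needed and wall-clock time for each storage choice."""
    hashers = (("fast SHA-256", sha256_fast), ("PBKDF2 100k iter", make_slow_hasher(100_000)))
    for label, hasher in hashers:
        for salted in (False, True):
            leak = store(USER_PASSWORDS, hasher, salted)
            attack = per_salt_dictionary_attack if salted else precomputed_table_attack
            start = time.perf_counter()
            cracked, work = attack(leak, WORDLIST, hasher)
            elapsed = time.perf_counter() - start
            found = sorted(u for u, pw in cracked.items() if pw is not None)
            print(f"{label:18s} salted={str(salted):5s} guesses={work:3d} "
                  f"time={elapsed:8.4f}s cracked={found}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the three effects separately: without salts the attacker pays for the wordlist once and reads off every user who chose a common password; with salts the guess count scales with the number of users; with a slow hash each of those guesses costs as much as the site's own login does, which is the only lever the defender controls once the database has leaked. Erin's password is never recovered because it is in no wordlist, which is why password strength and hashing strength both matter.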
Salting is effective for two reasons: