Data breaches are on the rise, so it’s critical that companies properly protect their customers’ passwords. One of the ways that businesses do this is by hashing passwords before storing them.
But what is hashing, and how does it work? And can a hashed password ever be cracked? Here, we’ll answer all of these questions and more.
How does password hashing work?
Hashing is a cryptographic technique invented more than 50 years ago, long before the internet and the personal computer. Today, companies use hashing to secure all kinds of sensitive data, including customer passwords.
Hashing is a one-way process that protects a password by turning it into a different and seemingly random string of characters.
When you choose a new password for one of your online accounts, it’s usually run through a mathematical algorithm called a hash function. The hashed password that comes out the other side is then stored on the company’s server. This helps protect it from an attacker who manages to access the password database.
Companies use hashing to secure all kinds of sensitive data, including customer passwords.
You don’t see any of this – it all happens behind the scenes, in a matter of milliseconds.
The next time you want to sign in, you’ll enter your password, which is run through the same algorithm as before. The website or app will then check that the hashed result matches the hashed password stored on its server. If everything lines up exactly, the website or app knows that you’ve entered the correct password and will let you sign in.
Common hashing algorithms
Many older hashing algorithms, like SHA-1 and MD5, are no longer considered secure. Why? PC hardware has advanced to the point where they’re too easy to crack with a brute-force attack. Other algorithms are still considered secure, however. For example, SHA-256 is used by 1Password, and considered the most secure hashing algorithm for password storage.
If you put a password through the same algorithm twice, the hashed result won’t change.
Hashing algorithms might have evolved over the years, but they all share certain characteristics. Because they’re mathematical formulas, the rules that govern them are fixed and consistent. They produce hashed passwords that contain the same number of characters every time, no matter how long the original password is. If you put a password through the same algorithm twice, the hashed result won’t change.
They’re also one-way functions, so they can’t be reversed. That means it’s difficult (but not impossible – more on that in a second) to crack a hashed password and discover the original set of characters.
What makes password hashing secure?
Imagine that a website or app was breached. During this incident, a criminal gained access to a database that contained customer passwords and other sensitive information. If the passwords weren’t hashed, this would be a major problem. Hashing means the attacker would only have access to a set of scrambled passwords. These are useless unless the hacker can find a way to crack them and reveal the original passwords.
Can hashed passwords be cracked?
Hashing is a great way to protect passwords and other sensitive information. But the process does have some weaknesses. Here are some of the techniques that an attacker can use to crack a hashed password:
Dictionary attack. Attackers will use software to run popular and predictable passwords through commonly used hashing algorithms. The program will compare the hashed results with the scrambled credentials in the hacker’s possession. If there’s a match, the hacker can easily deduce the original password.
Rainbow tables. Hackers use “rainbow tables” – you can think of these like spreadsheets – for popular hashing algorithms. These tables contain common passwords and their hashed counterparts. If a hacker obtains a database of hashed passwords, they can look to see if there are any matches in one of these rainbow tables. If there’s a hit, they can then use the same table to see what the original password is.
To counter these techniques, many websites and apps will “salt” passwords in addition to hashing them.
Password salting: extra security flavor
Hashing is a great first step toward protecting passwords and other sensitive data. But as we’ve learned, hashed passwords aren’t actually random. So if you run “123456” through the same algorithm twice, the result will be the same. More steps are therefore required to make hashing truly random.
Enter salting! This process adds one or more random characters to the password before it goes through the hashing algorithm. These additions ensure that the same password will produce a different hashed result each time.
Salting is effective for two reasons:
- It turns the original password into something long and unique that won’t be in a criminal’s password list (dictionary).
- It turns the hashed password into something truly random that won’t be in any rainbow table.
There are different ways of salting a password. For example, some services will apply a second, secret salt – a practice known as peppering – to its hashed passwords. The pepper isn’t random, but unlike a traditional salt, it’s not stored in the same place as the hashed passwords.
How a password manager can help
The best way to protect your online accounts is by using strong, unique passwords. If they’re long and truly random, it’s unlikely that they’ll appear in a rainbow table, or on a list of commonly hashed passwords.
But how do you create and remember strong passwords? That’s where a password manager comes in.
1Password will help you create unique, random passwords for all your accounts, ensuring they’re difficult to crack both before and after they’re hashed. Watchtower will also alert you if any of your credentials show up in a known data breach, allowing you to change your password before a criminal can exploit it.