How Does Password Hashing Protect My Passwords?

Have you ever tried to recover the password to a web-based service and all you received via email was a temporary password or a link with instructions to reset the password? If that happened, then this is a good sign, because it means that the service doesn’t store your password in a vulnerable database and uses what is called ‘password hashing’ instead.

What is password hashing?

When you sign up for any new internet-based service you are giving information to the service provider by filling out the sign-up form. This information is stored in a database, and contains usernames, passwords, and other important information so that the next time you log in everything is the same as where you left off.

This database poses a security threat, however, since it stores some sort of information necessary to verify the legitimacy of the user logging in. If it stores the actual password, then a hacker who gains access to the database would be able to steal the passwords associated with usernames and sell them on the dark web. You don’t have to look too far back in time to find leaks affecting millions of users.

This is where hashing comes into the picture. Hashing is a one-way algorithm that takes any amount of data and turns it into fixed-length data. In cryptography, this means the password that you create isn’t stored in plain text, where hackers that access the database could read it; instead it’s stored as a string of information that just looks like gibberish. This nonsense string is the result of an algorithm that will always generate the same result if the same data is fed in. The catch for the hackers is that they cannot reverse engineer the password if they get hold of the hash, except when a weak hashing algorithm is used – which we will touch on shortly.

So what does hashing look like? For example, if your password is “bestreviews1” a hashing algorithm will generate a string like this: “2ab96390c5dbe1437de54d0c6b1b1669”. This is the information that is stored in the database.

When you try to log in again and type in the correct password, the hashing algorithm runs again and generates the same string, at which point the server compares the two values, finds a match and therefore lets you log in. If you mistype the password and use, for example, “bestreviews2”, then you’ll get a different result, “726ad07bc398392b46a52e3de8993687”, a completely different string despite the closeness of the two passwords. Since the server won’t find a match when it compares the two results, it won’t let you into the account.

Different types of hashing algorithms

Hashing isn’t a new concept; it has been around for a while, with some algorithms having withstood the test of time and some carrying nasty vulnerabilities. The best-known hashing algorithms are:

  • MD5: Designed by Ronald Rivest and released in 1992, MD5 is widely used but it isn’t a secure algorithm, as it is prone to collisions and length extension attacks.
  • SHA-1: This is also prone to length extension attacks and hasn’t been approved for most cryptographic uses since 2010.
  • SHA-2: A family of two novel hash functions known as SHA-256 and SHA-512. The SHA-2 family is prone to length extension attacks.
  • SHA-3: The latest member of the SHA family is SHA-3, released by NIST in 2015. SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.
  • bcrypt.
  • PBKDF2.
  • scrypt.

How to know how severe a data leak was

Every data leak is bad because it exposes user information; however, a data leak’s severity depends on the cryptographic hash algorithm (if any) that is used to secure user data. Given the weaknesses of legacy hashing algorithms, service providers looking to secure their users’ data need to upgrade to a more secure algorithm such as PBKDF2, bcrypt, or scrypt.

To secure the gateway to the vault where all your sensitive data is stored, password managers such as 1Password use PBKDF2-HMAC-SHA256 with 100,000 iterations. This results in 32 bytes of data, which is combined with the result of processing your Secret Key.
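The sign-up and log-in flow described earlier (hash on sign-up, re-hash and compare on log-in, a near-miss password producing a different result) and the PBKDF2-HMAC-SHA256 parameters just quoted can be put together in a few lines. The example below is added for this article; it is not 1Password’s code or anything from a real service. It uses the parameters the article mentions (100,000 iterations, 32-byte output) with Python’s standard library, and it also shows, for contrast, why a fast unsalted digest such as MD5 is the weak pattern: two users with the same password get the same MD5 string, but different salted PBKDF2 digests. The names UserStore, hash_password, verify_password and fast_unsalted_hash, the 16-byte salt length, and the sample usernames and passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Parameters quoted in the article for vault key derivation:
# PBKDF2-HMAC-SHA256, 100,000 iterations, 32-byte output.
# The salt length is an assumption for this example.
ITERATIONS = 100_000
KEY_LEN = 32
SALT_LEN = 16


def fast_unsalted_hash(password: str) -> str:
    """The weak pattern: one pass of a fast, unsalted digest (MD5 here).

    Identical passwords always give identical output, so one cracked hash
    unmasks every account that used that password.
    """
    return hashlib.md5(password.encode("utf-8"), usedforsecurity=False).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a 32-byte verifier with PBKDF2-HMAC-SHA256 and a random salt.

    The salt is not secret; it is stored beside the digest so that the same
    password yields a different digest for every user.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-run the derivation on a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, stored)


class UserStore:
    """Minimal sign-up / log-in flow over an in-memory 'database' (constructed)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}

    def sign_up(self, username: str, password: str) -> None:
        # Only salt + digest are stored; the password itself never is.
        self._rows[username] = hash_password(password)

    def stored_digest(self, username: str) -> bytes:
        return self._rows[username][1]

    def log_in(self, username: str, password: str) -> bool:
        row = self._rows.get(username)
        if row is None:
            # Burn the same amount of work for an unknown user so that
            # "no such account" is not distinguishable by response time.
            hash_password(password, salt=b"\x00" * SALT_LEN)
            return False
        salt, digest = row
        return verify_password(password, salt, digest)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    store = UserStore()
    store.sign_up("alice", "bestreviews1")
    store.sign_up("bob", "bestreviews1")
    print("alice, correct password:", store.log_in("alice", "bestreviews1"))
    print("alice, near miss:       ", store.log_in("alice", "bestreviews2"))
    print("unsalted MD5 identical: ",
          fast_unsalted_hash("bestreviews1") == fast_unsalted_hash("bestreviews1"))
    print("salted PBKDF2 identical:",
          store.stored_digest("alice") == store.stored_digest("bob"))
```

The iteration count is what makes each guess expensive for an attacker who has stolen the database, and the per-user salt is what stops one cracked hash from unlocking every account that shares the password; a fast unsalted digest gives neither protection.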

So what’s the takeaway of all this? Simply put: if password hashing such as PBKDF2, SHA-3, or bcrypt was used and the hackers did steal your data, there is still time to change the password before it is successfully cracked using various techniques. That, of course, is if you act fast. If hashing was not used then, simply put, you are screwed: start changing your passwords everywhere.


©2012-2025 Best Reviews, a clovio brand – All rights reserved