Best Reviews logo
Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
How Does Password Hashing Protect My Passwords?

How Does Password Hashing Protect My Passwords?

By István F. István F. Verified by Adam B. Adam B. Last updated: July 14, 2024 (0)

Have you ever tried to recover the password to a web-based service and all you received via email was a temporary password or a link with instructions to reset the password? If that happened, then this is a good sign, because it means that the service doesn’t store your password in a vulnerable database and uses what is called ‘password hashing’ instead.

What is password hashing?

When you sign up for any new internet-based service you are giving information to the service provider by filling out the sign-up form. This information is stored in a database, and contains usernames, passwords, and other important information so that the next time you log in everything is the same as where you left off.

This database poses security threat, however, since it stores some sort of information necessary to verify the legitimacy of the user logging in. If it stores the actual password, then if a hacker gains access to the database they would be able to steal the passwords associated with usernames and sell them on the dark web. You don’t have to look too far back in time to find information on leaks of millions of users.

This is where hashing comes into the picture. Hashing is a one-way algorithm that takes any amount of data and turns it into fixed-length data. In cryptography, this means the password that you create isn’t stored in plain text and therefore readable by hackers that access the database; instead it’s a string of information that just looks like gibberish. This nonsense string of data is the result of an algorithm that will always generate the same result if the same data is introduced. The catch is that the hackers cannot reverse engineer the password if they get hold of the hash, except when a weak hashing algorithm is used – which we will touch on shortly.

So what does hashing look like? For example, if your password is “bestreviews1” a hashing algorithm will generate a string like this: “2ab96390c5dbe1437de54d0c6b1b1669”. This is the information that is stored in the database.

When you try to log in again and type in the correct password, the hashing algorithm comes into action and generates the same string, at which point the server compares the two values to find a match and therefore allowing you to successfully log in. If you mistyped the password and used, for example, “bestreviews2” then you’ll get a different result, “726ad07bc398392b46a52e3de8993687”, which is a completely different string despite the closeness of the two passwords. Since the server won’t find a match when it compares the two results, it won’t let you into the account.

Different types of hashing algorithms

Hashing isn’t a new concept, it has been around for a while with some algorithms having withstood the test of time and some carrying nasty vulnerabilities. The best-known hashing algorithms are:

  • MD-5: Designed by Ronald Rivest and released in 1992, MD-5 is widely used but it isn’t a secure algorithm as it is prone to collisions and length extension attacks.
  • SHA-1: This is also prone to length extension attacks and hasn’t been approved for most cryptographic uses since 2010.
  • SHA-2: A family of two novel hash functions known as SHA-256 and SHA-512. The SHA-2 family is prone to length extension attacks.
  • SHA-3: The latest member of the SHA family is SHA-3, released by NIST in 2015. SHA-3 is internally different from the MD-5-like structure of SHA-1 and SHA-2.
  • Bcrypt.
  • PBKDF2.
  • Scrypt.

How to know how severe a data leak was

Every data leak is bad because it exposes user information, however a data leak’s severity depends on the cryptographic hash algorithm (if any) that is used to secure user data. Given the weaknesses of legacy hashing algorithms, service providers looking to secure their user’s data need to upgrade to a more secure algorithm such as PBKDF2, bcrypt, or scrypt.

To secure the gateway to the vault where all your sensitive data is stored, password managerssuch as 1Password use PBKDF2-HMACSHA-256 with 100,000 iterations. This will result in 32 bytes of data, which will be combined with the result of processing your Secret Key.

So what’s the takeaway of all this? Simply put: if password hashing such as PBKDF2, SHA-3, or bcrypt was used and the hackers did steal your data, there is still have time to change the password before it is successfully cracked using various techniques. That, of course, is if you act fast. If hashing was not used then, simply put, you are screwed: start changing your passwords everywhere.


Editor's choice
RoboForm logo
Editor's rating:
(4.5)
Effective security center
Passkey compatibility
Intuitive and organized interface
Affordable prices
Families
LastPass logo
Editor's rating:
(4)
Logical interface
Automated password categorization
Advanced mobile version
Various two-factor authentication options
Businesses
1Password logo
Editor's rating:
(4.5)
End-to-end encryption
Secure authentication method
Data breach alarms
One-time password support
Security features
Keeper logo
Editor's rating:
(4.5)
Robust security
Wide range of platform support
Affordable
Great customer support
Personal use
NordPass Personal logo
Editor's rating:
(4.5)
Strong security features
Effective password generator
Excellent free version
Attractive price
Password sharing
Dashlane logo
Editor's rating:
(4)
Password changer
Built-in VPN
Flawless data import
Thorough iOS/Android app
Local storage
Enpass logo
Editor's rating:
(4)
Packed with features
Free for desktop users
Offline password manager
End-to-end encryption
User Feedback

 Leave a reply

Your email address will not be published. Required fields are marked *


Latest Articles

Creating the Perfect Landing Page: A Beginner’s Guide
Even though we might not like it, first impressions are key. That’s why having a well-crafted landing page for your business is more than just having a pretty face on the web – it’s your ticket to ...
Read article
How To Master English Fluency: 10 Effective Tips and Tricks
When it comes to language learning, we often come across the word ‘fluency’. But what does it mean exactly? Simply put, fluency is the ability to articulate a message ...
Read article
4 Reasons To Choose CRM Software With AI
With the competition increasing, maintaining lasting customer relationships is more crucial than ever. Customer relationship management (CRM) systems have long been the backbone of most businesses’ effective interaction management, helping them streamline processes, improve satisfaction, and boost sales
Read article

Best Reviews

Best Reviews may receive compensation for its content through paid collaborations and/or affiliate links. Learn more about how we sustain our work and review products.

©2012-2024 Best Reviews, a clovio brand – All rights reserved
Privacy policy · Cookie policy · Terms of use · Partnerships · Contact us