What is Password Hashing (and How Does It Work)?

If you are a frequent denizen of the Internet like myself, there is a good chance you have received an email that goes something like this:

Dear valued customer,

Recently, our website fell victim to a cyberattack on our corporate network. All passwords were encrypted, but as a precaution we are requiring all of our customers to reset their passwords immediately.

Thank you.

So, there was a breach, some of your information, including your encrypted password, was leaked. Is your account at risk?

Short answer: YES, but why?

To understand this, you must understand the concept of “password hashing.”

What is a Hash?

A hash is just a way to represent any data as a unique string of characters. You can hash anything: music, movies, your name, or this article. Metaphorically speaking, hashing is a way of assigning a “name” to your data. It allows you to take an input of any length and turn it into a string of characters that is always the same length. Obviously, there are many methods (algorithms) to do this.

A few of the most popular hashing algorithms:

  • MD5 – Given any data will return a unique 32 character hash.
  • SHA1 – Given any data will return a unique 40 character hash.
  • SHA256 – Given any data will return a unique 64 character hash; designed by the National Security Agency.

Lets look at a simple example:

My name is “Jamin Becker”

The MD5 hash representation of my name is:

eeb7048c69b088739908f5f5144cd1f5

hashing-diagram-illustration1

The SHA1 hash representation of my name is:

ae480b717c08b6ab36a85075864e35b9c528d7c5

The SHA256 hash representation of my name is:

a477cc14eae5fd94fe4cb20b36ec80ac6983bad44973ae7f4f230010f01289b0

Why is Hashing Secure?

The reason hashing is secure is simple: hashing is a one way operation. They cannot be reversed. Given a string “eeb7048c69b088739908f5f5144cd1f5”, there is no way to reverse the MD5 hash to return “Jamin Becker”. This is because of the way the mathematicians and programmers structured the MD5 hashing algorithm, and it comes back to a fundamental computer science problem called “P vs NP.” P and NP are just two classes of algorithms.

Most hashing algorithms fall under NP which means they can be quickly calculated. However, the un-hashing algorithms (i.e “eeb7048c69b088739908f5f5144cd1f5” -> “Jamin Becker”) fall under the P class and can only efficiently be solved in polynomial time (i.e using a quantum computer significantly more advanced then the ones available today).

So why is this good for security?

hashing-diagram-illustration2

Say you subscribe to a website and choose password “12345”. Immediately, that website will hash your password, probably with SHA1, and store it in a database. Now every time you login, the website will rehash your password and compare it to the one stored in the database. If they match, you will be successfully authenticated. If the website is ever breached, and the password database is leaked your password will appear as “8cb2237d0679ca88db6464eac60da96345513964” and not “12345”.

Hash Attack Strategies

So, the attacker has the hashed version of my password and there is no way to reverse it to 12345. I have nothing to worry about, right? WRONG!

One method that is commonly used to get the plain text password from a hash is called a brute force attack. In this attack, the attacker will run through a giant wordlist and hash each word with the appropriate hashing algorithm. They can then compare the hashes in the wordlist to the ones they have obtained from the database. If a hash from the wordlist matches the one in the database, they can simply find the corresponding plain text password in the original wordlist they hashed. Experienced attackers will use extremely large wordlists combined with powerful software to run through millions of password possibilities a second.

wordlist-bruteforce-hash-cracking

Another method of attack attempts to exploit the hashing algorithm itself by creating a hash collision. A hash collision occurs when two different sets of data resolve to the same hash, and while this is rare, it can be deadly. This would allow the attacker to generate a string of characters that is not your password, but still able to log in to your account since it generates the same hash.

Conclusion

Hashing algorithms are becoming more and more advanced. Mathematicians and computer scientists are constantly designing cryptographic hashing algorithms with lower probabilities of collisions. However, it is important to remember that no matter how strong the hashing algorithm is, it can always be cracked using a brute force attack. The good news is that you can easily defend against these attacks as well by simply following best-practice password policy.

  1. Size does matter – the longer the original password the less likely it will appear on a wordlist
  2. Do not be predictable – avoid using words like “password” and “myname123”
  3. Use a mixture of special characters, numbers, upper and lowercase letters

What’s your thoughts on hashing? Share your views in the comment below.

Image credit: Magnifying Glass Online Fingerprint byBigStockPhot

Follow YouTube Channels Easily With YouTube Video Deck

2026-02-01
There are approximately two bajillion videos on YouTube and staying up-to-date on a couple of channels could be difficult. YouTube Video Deck makes it easier and faster to follow YouTube channels.

What Is “UTM_Source” And Should You Be Worried?

2026-02-01
You may have seen URLs with a long string attached to the end of the link that looks something like this: “utm_source=facebook&utm_medium=fanpage&utm_campaign=new+article&wa_ibsrc=fanpage.” Should you be worried about the implications of this? We’ll have a look at what UTM is and answer any question you might have on this subject.

Don’t Want to Pay for Feedly? Feedspot Has You Covered

2026-02-01
Feedly is now the go-to service for reading RSS feed. However if you are not willing to place for the premium service, Feedspot can be an alternative.

What You Need to Know About Future Web Standards (That are Making the Internet Better)

2026-02-01
The Internet started 40 years ago and many things have changed since then. Let’s take a look at the future web standards and how they improve the Internet.

What Is the OpenSSL Heartbleed Bug and Why Should You Care?

2026-02-01
Things just don’t work the way they should in the Internet. Here are some things you should know about the OpenSSL “Heartbleed” bug and how it affects you.

What to Do When You’ve Been Hacked

2026-02-01
As of late, many people have been hacked and are the victims of password leaks and Trojan horse infections. The following are some tips if it happens to you

Big List of Tools and Services to Help You Read Everything Faster

2026-02-01
With the overwhelming information in the Internet, it has become necessary for us to read faster. Here are some tools to improve your reading speed.

Hands-on with Github’s Atom Text Editor

2026-02-01
The developers of Github decided to come out with its own text editor – atom. Let’s check out Atom text editor and see how it fares with other text editors.

How to Save Links Into a Google Spreadsheet in Chrome

2026-02-01
When you need to do research that’s heavy on citations, you can use Citable to quickly save websites’ link and notes to a Google Spreadsheet document.

How Facebook Scammers Use Disasters to Make Money from You

2026-02-01
Facebook scammers love to turn the misfortune of others into an opportunity to make a quick buck. Here are some of the techniques they use.

How to Clone and Migrate WordPress Sites the Easy Way

2026-02-01
Migrating your WordPress site? Duplicator allows you to easily clone and migrate WordPress sites without messing with a whole lot of complicated settings.

How to Copy Links as Plain Text in Firefox

2026-02-01
Do you just want to copy the text of a link, and not the link? Link Stun can disable links in highlighted text so you can copy them as plain text.