Password hashing is the practice of converting a user's plaintext password into a fixed-length, seemingly random string using a one-way cryptographic function. Unlike encryption, hashing is intentionally irreversible. When a user logs in, the application hashes the submitted password and compares it to the stored hash rather than ever storing or comparing plaintext passwords.
How It Works
A hashing algorithm takes the password as input and produces a digest, a fixed-length output that acts as a fingerprint of the original value. Modern password hashing algorithms like bcrypt, scrypt, and Argon2 are specifically designed to be computationally expensive, making brute-force attacks impractical. These algorithms incorporate a cost factor that controls how many iterations or how much memory the function requires, allowing defenders to scale the difficulty as hardware improves.
Salting is a critical companion to hashing. A salt is a unique random value generated for each password before hashing. The salt is stored alongside the hash and ensures that two users with identical passwords produce different hash values. Without salting, attackers can use precomputed rainbow tables to reverse common password hashes almost instantly. With unique salts, each hash must be attacked individually, dramatically increasing the time and resources required.
The choice of algorithm matters enormously. General-purpose hash functions like MD5 and SHA-256 are designed to be fast, which makes them poor choices for password storage because attackers can compute billions of hashes per second. Purpose-built password hashing functions deliberately slow down computation, with Argon2id currently considered the strongest option because it resists both GPU-based attacks and side-channel attacks.
Why It Matters
Weak password hashing is one of the most common findings in security assessments. When a data breach occurs, properly hashed passwords buy users time to change their credentials before attackers can crack them. Applications using MD5, SHA-1, or unsalted hashes put every user account at immediate risk the moment the database is compromised. Implementing strong, salted password hashing with an appropriate cost factor is a fundamental security requirement for any application that handles user authentication.
Need your application tested? Get in touch.