Today we are going to discuss different password hashing methods in this article.
What is Hashing?
Hashing is the process of running data of any length (a password, a file, any sequence of bytes) through a mathematical function that produces an output of fixed length. The output is called a hash (or digest), and the function is called a hash function or hashing algorithm.
There are many hashing algorithms. Each one produces a different output size and has a different security history, so "hashed" on its own says very little; the algorithm matters.
The ones you will run into most often are MD5 and the SHA-2 family (SHA-256, SHA-512). MD5 is still everywhere in older systems and tutorials, but its collision resistance has been broken since 2004 and it should not be used for anything security-related. It is used below only because it is short and familiar.
Let's apply the hashing algorithm MD5 to four text strings:
Input | MD5 hash |
zerosecurity | fba6cc1cf113518fa7660cb83b51f679 |
zerosecurity.io | e4ad8fc272b77f12fee5167c465babaf |
zerosecurity | fba6cc1cf113518fa7660cb83b51f679 |
a | 0cc175b9c0f1b6a831c399e269772661 |
Now let's break down the results:
1. The second input only has .io added at the end, yet its hash has nothing visibly in common with the hash of the first input. A small change to the input changes the whole hash. This is called the avalanche effect: for a good hash function, flipping a single input bit changes about half of the output bits, so you cannot tell from two hashes whether their inputs were similar.
2. The third input is identical to the first, and so is its hash. Hashing is deterministic: the same input always produces the same hash. The reverse is not guaranteed. A hash squeezes inputs of any length into 128 bits, so different inputs that share a hash (a collision) must exist; a good hash function merely makes them infeasible to find. For MD5 that is no longer true: two different inputs with the same MD5 hash can be produced in seconds on ordinary hardware, which is one of the reasons it is considered broken.
3. The last input is a single character, yet its hash is still 32 characters long. MD5 always produces a 128-bit digest, which is written as 32 hexadecimal characters (each hex character encodes 4 bits). Feed it 100 characters, or a 1 GB file, and the output is still 32 hex characters.
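The three properties above, checked in code rather than by eye. This is an added example, not code from the original article: it uses Python's standard hashlib, reuses the article's four inputs plus a constructed 100-character one, and measures the avalanche effect as the number of differing digest bits (the Hamming distance) instead of just saying the hashes "look different".

```python
import hashlib

# The four inputs from the article's table, plus a constructed long input.
INPUTS = ["zerosecurity", "zerosecurity.io", "zerosecurity", "a", "x" * 100]


def md5_hex(text: str) -> str:
    """Return the MD5 digest of a UTF-8 string as 32 lowercase hex characters."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count the digest bits that differ between two equal-length hex digests
    (the Hamming distance). For a good hash function this is about half the
    bits, whatever the relationship between the two inputs."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def digest_hex_length(algorithm: str) -> int:
    """Hex characters in a digest of the named hashlib algorithm, independent of
    the input size: 4 bits per hex character, so MD5 (128 bits) gives 32 and
    SHA-256 gives 64."""
    return hashlib.new(algorithm).digest_size * 2


def hash_properties(inputs: list[str]) -> dict:
    """Check the three observations from the article over a list of inputs."""
    hashes = [md5_hex(s) for s in inputs]
    return {
        # 3. every digest is 32 hex characters, whatever the input length
        "fixed_length": all(len(h) == digest_hex_length("md5") for h in hashes),
        # 2. identical inputs (first and third) give identical digests
        "deterministic": hashes[0] == hashes[2],
        # 1. "zerosecurity" vs "zerosecurity.io": how many of the 128 bits changed
        "avalanche_bits": bit_difference(hashes[0], hashes[1]),
        # 1. again, for a single-bit input change: "a" (0x61) vs "c" (0x63)
        "one_bit_change_bits": bit_difference(md5_hex("a"), md5_hex("c")),
    }


if __name__ == "__main__":
    for s in INPUTS:
        print(f"{s[:20]:<20} | {md5_hex(s)}")
    print(hash_properties(INPUTS))
    print("sha256 of 'a' is", digest_hex_length("sha256"), "hex chars:",
          hashlib.sha256(b"a").hexdigest())
```

Run it and look at the avalanche counts: both the suffix change and the single-bit change flip somewhere around 64 of the 128 bits, which is exactly what you want from a hash function and why similar passwords do not give similar hashes.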
Why is hashing needed when we have encryption?
Encrypted data can be decrypted by anyone who holds the key, so if your key is exposed, all of your data is at stake. Does that make encryption bad for security? No. Encryption has its own purpose: it is the right tool when the data has to be readable again later. Who wants to send a message if the receiver has no way to read it? That is why decryption is essential, and why encryption is the wrong tool for something that should never be readable again, like a stored password.
A hash, on the other hand, cannot be "decrypted" at all. There is no such thing as decrypting a hash, and not because the algorithms are complicated: a hash function has no key, and it throws information away by squeezing inputs of any length into a fixed 128 or 256 bits, so the original input cannot be recovered from the output. It can only be guessed and checked. Take a look at the Wikipedia entry for MD5 to see how MD5 works internally.
But hey! It's like locking your money away and then throwing away the key. Who wants to do that?
You will get your answers soon, just keep reading.
Let me introduce you to my friend's computer, which runs Windows 7. My friend secured his computer with a password, so whenever he logs in, Windows asks him to enter it.
Something must be stored so that Windows can check that password. On Windows 7 that is the SAM (Security Account Manager) database, a registry hive kept in the file C:\Windows\System32\config\SAM.
The password itself is not stored there. What the SAM holds is its NT hash (usually called the NTLM hash), which is the MD4 hash of the password encoded as UTF-16LE, with no salt added.
But hey, I said earlier that once text is hashed it cannot be turned back into the original. That's true, and it means even Windows doesn't know what the password is. Interesting, isn't it?
Well, let's see what happens when someone enters a password.
Step 1. Windows computes the NT hash of the text the user typed.
Step 2. Windows now has the hash of the input (and only the hash; the typed text is not kept).
Step 3. Windows compares this hash with the hash stored in the SAM. If the two match, the password entered by the user is correct and he is allowed into the computer.
If the hashes differ, access is denied.
This is why passwords are stored as hashes rather than in the clear. Even if someone gets hold of the hash, it cannot be turned back into the password.
So hashes are completely secure …wait bro! Don’t jump to conclusions.
I said we can’t decrypt it, but we can crack it. Now, what’s cracking?
We will learn that in the next article.