Password Hashing

What is Password Hashing?

Digital access control systems must maintain records of user credentials (e.g. usernames and passwords) to effectively authenticate users and authorize access to secure systems. If these sensitive records were stored in plaintext format, any digital adversary gaining illicit access to the system of record could steal those credentials and either use them to improperly access secure systems or sell them to the highest bidder.

Password hashing is an information security technique that uses password hashing algorithms to transform a plaintext password into a cryptographic ciphertext - an unintelligible series of numbers and letters - before saving it in a database. If a security breach occurs after password hashing, any exposed passwords are unintelligible to the digital adversary and can’t be sold or used to access user accounts.

How Does Password Hashing Work?

Password hashing algorithms can be implemented as part of an access control system. 

When a user first creates a password for their account, that password is run through a hashing algorithm, converted from plaintext into ciphertext, and stored in a database.

When a user attempts to log in to the system using their access credentials, the password they provide is converted to ciphertext using the same password hashing algorithm. If this ciphertext matches the ciphertext password stored in the database, the user is authenticated and authorized to access the system.

A password hashing algorithm will convert a specific plaintext password into the same ciphertext every time, but even minor changes to the plaintext will produce a completely different ciphertext. Ciphertexts generated by the same algorithm will be the same length, regardless of the length of the password.

Password Hashing vs. Encryption: What’s the Difference?

The key difference between password hashing and encryption is reversibility. 

Password hashing is irreversible, such that a plaintext password that has been converted to ciphertext cannot be converted back to plaintext. This means that a digital adversary cannot convert ciphertext passwords back into their plaintext format, even if they know which password hashing algorithm was used.

Encryption is another cryptographic method that uses algorithmically-generated encryption keys to convert plaintext data (e.g. passwords) into ciphertext. But unlike password hashing, encryption is a reversible process. A digital adversary who obtains the relevant encryption key can convert encrypted ciphertext back into plaintext format, a process known as decryption.

What are the Benefits of Password Hashing?

Protecting Sensitive Data

Password hashing is often used to safeguard user credentials for online banking, email, credit, and other types of accounts. Password hashing ensures that the plaintext passwords for these secured systems remain hidden from digital adversaries in the event of a data breach.

Minimizing the Impact of a Data Breach

Without password hashing, a successful data breach could allow digital adversaries to penetrate hundreds or even thousands of bank, email, or credit accounts belonging to employees and/or customers of the targeted organization. From there, digital adversaries might attempt to steal financial resources or additional data, launch impersonation attacks, commit fraud, or engage in identity theft.

Password hashing helps mitigate the impact of a data breach by ensuring that digital adversaries don’t gain access to user credentials and launch further attacks that increase the cost of remediation and multiply damage to the target’s reputation/brand.

What is Password Salting?

A potential weakness of password hashing is its consistency. If the same plaintext password, run through the same hashing algorithm, produces the same ciphertext each time, then digital adversaries might be able to guess passwords using brute force attacks. This possibility can be mitigated with password salting.

Password salting is the practice of adding some additional random characters to a plaintext password before feeding it to a hashing algorithm and converting it to ciphertext. This use of randomization produces novel ciphertexts and makes it more difficult for adversaries to guess passwords using brute force or dictionary attacks.

4 Password Hashing Algorithms You Should Know

  • MD5 - The password hashing algorithm called MD5 (message-digest method 5) was created in 1991 and will convert a plaintext password of any length to a 128-bit ciphertext. This algorithm continues to be widely used, but is considered insecure by InfoSec experts as it is known to be vulnerable to a variety of collision attacks.
  • SHA Family - The SHA (secure hashing algorithm) family of cryptographic hash functions were published by the U.S. National Institute for Standards and Technology (NIST). SHA-0 and SHA-1 are less used due to cryptographic vulnerabilities. The currently-in-use SHA-2 and SHA-3 algorithms are considered secure against both collision and length extension attacks.
  • Argon2 - Argon2 is a key derivation function that won the 2015 Password Hashing Competition organized by a community of cryptographers and InfoSec experts. The algorithm was designed to resist brute-force and side-channel attacks, and has gained widespread adoption.
  • Bcrypt - Bcrypt is an adaptive password hashing algorithm, designed in 1999 and based on the Blowfish cipher. Bcrypt takes the password string, a numeric cost, and a 16-byte salt value, then computes a 192-bit ciphertext. The numeric cost can be increased to slow down the hashing function, making it more resistant to brute force attacks.

How Do Cybercriminals Defeat Password Hashing?

  • Brute Force Attacks - Even when passwords are saved in databases as unintelligible ciphertexts, adversaries can still gain access using brute force attacks. An attacker can determine which hashing algorithm is in use, generate ciphertext hashes using random passwords, and match those passwords to ciphertexts in the leaked database.
  • Rainbow Tables - A rainbow table is a password cracking tool that uses a precomputed table containing the outputs of a password hashing function to crack passwords. A rainbow table for a given algorithm might contain all the one-way hashes of passwords below a certain character-length (e.g. 7-8 characters). Digital adversaries can use rainbow tables to convert hashed passwords into plaintext and gain access to secure systems.
  • Social Engineering Techniques - Digital adversaries can deploy social engineering techniques like phishing, spear phishing, impersonation, pretexting, and scareware to manipulate individuals into disclosing their access credentials. The most common vectors for these attacks include email, social media, unsecured business collaboration tools, SMS text messaging, and other digital communication channels. 
    Successful credential theft attacks frequently leverage social engineering techniques in combination with malware, spoofed domains, and other technical tools.

Safeguard Your Organization’s Security Posture with ZeroFox

ZeroFox provides digital risk protection, threat intelligence, and adversary disruption services to dismantle external threats to brands, people, data, and assets across the public attack surface.

ZeroFox Email Protection automatically detects and alerts on phishing and other malicious emails, actively protecting your organization against credential theft attacks.

Ready to learn more?

Watch our on-demand webinar Keep Your Enemies Close: Playing Offense on the Dark Web to learn how digital adversaries are leveraging the dark web to deploy credential theft attacks - and how you can take action to protect your organization.