What is password hashing?

Lukas Grigas
Cybersecurity Content Writer
cover password hashing

The past few years have not been great for information safety. Data breaches seem to make the headlines every other day. So it's no wonder that reports about serious security weaknesses in some of the biggest tech companies worldwide are coming out every other week.

Back in 2019, two tech giants admitted to major security flaws in their systems. Facebook admitted that it stored millions of Instagram users' passwords in plain text. A few months later, Google revealed the same about their G Suite users. But why is it such a big deal to keep passwords in plain text? And how should they be stored?

If passwords are kept in plain text, anyone with internal access can see them. Not to mention that if the database gets breached, hackers would also see the credentials in plain view. So any company that follows at least basic security practices will never actually keep your passwords in plain text.

Instead, your password is converted into a complicated string of characters using password hashing algorithms. Then, when you're logging into your account, the hashed password is compared to other hashes in the company's database. If the password hash matches, you're granted access to your account.

But how does hashing work exactly? Hashing is a one-way function to scramble data — it takes readable text and transforms it into a completely different string of characters with a set length.

However, unlike other encryption algorithms that transform data, hashing is nearly impossible to revert. So if hackers get a hold of a database with hashed passwords, hash decoding is a futile task. Nonetheless, there are other ways for cybercriminals to find out the original password.

inner asset password hashing

Cracking the hash

The biggest problem with password hashing is that if you run a specific word like “green” through a hashing algorithm, the hashed outcome for that word will always be the same. So let's say cybercriminals get hold of a database with hashed passwords. No one's stopping them from guessing millions of passwords and running them through the same algorithm to see what the hash for a specific word looks like.

These days hackers no longer rely on unsophisticated brute force attacks. They have now upped the sophistication in their approach and employ a stealthier and more devious strategy known as “dictionary attacks.” Rather than randomly trying to guess the password, they leverage predictable combinations and frequently used words, like “password123,” to crack passwords.

Some hackers have taken things up a notch by utilizing a cutting-edge technique called “rainbow tables.” These are essentially precomputed tables of hash values for commonly used passwords and combinations, making it a breeze for them to swiftly crack even the most complex password hashes. It's like they have a secret key, and they're not afraid to use it.

Strong vs. weak hash

That's why there are different types of hashing. For example, hashing algorithms like SHA-1 and MD5 are widely considered to be outdated and not so difficult to crack. More recent algorithms like bcrypt and SHA2 are more secure, but are still vulnerable to certain types of attacks. These days, the recommended algorithm for password hashing is Argon2id, which is built to be memory-intensive and computationally expensive, making it highly resistant to common types of brute-force attacks. Argoin2id may hash the password just a few times. However, due to the complexity of its operations Argoin2id is considered to be a more secure option than the PBKDF2 algorithm, which runs thousands if not millions of simple hashing iterations. That's why NordPass uses Argoin2id to hash credentials when you're logging in — it's one of the safest hashing algorithms out there.

To make the hashing process even more secure, there's seasoning, or more precisely “salts” and “peppers.” “Salts” are random strings of characters that are generated and added to the password before it is hashed. The purpose of the salt is to further make the hashing process more complex, which by extension makes it even harder for potential attackers to use “rainbow tables” or precomputed hash databases to crack passwords. In most instances “salts” are stored in a database along the hashed password.

Similarly, “pepper” is a secret value that is added to the password before the hashing process. However, unlike “salt,” “pepper” is usually hardcoded into the system that performs password hashing, which makes it even harder for potential attackers to crack the password.

Limitations of hash functions

There are a few limitations for hash functions, such as hash collisions. It's when two different inputs have the same hash output. However, the probability of a collision in most hashing algorithms is exceedingly low, especially in modern functions, so it shouldn't be a big issue.

Bottom line

In conclusion, you can't always tell how strong the function used by your service provider is, so be sure to use strong passwords. You can generate a secure password with the NordPass password generator. Yet, as the Google and Facebook cases show, sometimes your credentials are out in the open in plain text, so be sure to never duplicate your passwords as well. We understand that remembering all those passwords is nearly impossible, so you can always use the NordPass password manager.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.