Password hashing is a security measure often used to convert a plain text password into a seemingly random string of letters and numbers. The theory behind this security measure is that, if a website’s database of hashed passwords is hacked, data stolen from the database cannot be used to access client accounts. Unfortunately, this is not always the case.
When you create an online account, you are most often asked for a username and password. The username (or an email address) is known as the identifier, while the password is known as the authenticator. The identifier and authenticator are saved as a pair by the website so your identity can be verified whenever you next attempt to log into the account.
Saving usernames and passwords in plain text is risky. This applies whether you are an individual with a couple of dozen online accounts, a business with hundreds of corporate logins, or a website with thousands of clients. If a hacker gets hold of an identifier and authenticator saved in plain text, they can use them to fraudulently verify the user’s identity and access their account.
How Password Hashing Works
Many websites hash passwords at the point of account creation using an algorithm that converts plain text into a seemingly random string of letters and numbers. The password is saved in the website’s database in its hashed form so that, if the database is hacked, the random string of letters and numbers bears no resemblance to the actual user’s password.
Whenever a user logs into their account, their password is hashed using the same password hashing algorithm and compared to the “hash” stored in the database. If the two hashes are identical, the login is successful. The process of comparing hashed passwords takes milliseconds, and users are completely unaware their password is theoretically protected by the hashing process.
Password Hashing is Not Random
Hashed passwords are seemingly random strings of letters and numbers because that is the way they appear. However, provided you use the same password hashing algorithm, the same input will always produce the same hashed output. For example, using the MD5 hash generator, the password “washington2022” will always produce the hash e4327e5e9d2417c85b9aafad8af7dd39.
There are dozens of different password hashing algorithms – some more complex than others, while others are “CPU-hardened”, which means it takes longer for hackers to extract meaningful data from hashed passwords. However, the majority of websites use either the MD5 hash generator or the SHA family of hash generators to convert plain text passwords into hashes.
Where the Theory Falls Down
The theory that password hashing prevents data breaches falls down on several levels. Firstly, not all websites hash passwords but store them in plain text. It has been estimated that 30% of websites store passwords in plain text (there is a list of offenders maintained on GitHub) and, in the past, hackers have extracted plain text passwords from sites such as Facebook, LinkedIn, and Vodafone.
It is also the case that many people use the same password for different accounts. Consequently, if two databases are hacked – one storing plain text passwords and the other storing hashed passwords – hackers can work out which hashes relate to which passwords by comparing usernames. Over time, this has enabled hackers to create “rainbow tables” that convert hashed passwords into plain text.
Rainbow tables are freely available on the Internet, and some have been built into online conversion tools to reverse engineer hashing algorithms. Consequently, password hashing on its own is no longer the security measure it was intended to be and, as a result, some websites have increased the complexity of the password hashing process by salting or peppering passwords before hashing them.
How To Best Protect Online Accounts
Because it is impossible to tell if a website hashes passwords or not – or whether it salts and peppers password hashes to prevent reverse engineering – businesses and individuals are advised to take responsibility for the protection of online accounts wherever possible by adding a second layer of authentication to the login process via two-factor authentication tools.
Two-factor authentication tools come in different formats. You might be emailed a One-Time Passcode (OTP) or receive one by SMS text. Alternatively, there are many authenticator apps that generate Time-based One Time Passcodes (TOTPs) and these have the benefit of preventing man-in-the-middle attacks attributable to SIM swaps, SS7 interceptions, and other vulnerabilities.
The best types of two-factor authentication tools are physical tools such as YubiKey, SoloKey, and Nitrokey. The “keys” are plugged into devices and generate codes to confirm users’ identities at the push of a button. They have the advantages of preventing loss of access to an online account due to the loss of a mobile phone and eliminating delays between entering a password and receiving an OTP or TOTP. Ultimately, these are far more effective security measures than password hashing.