Before I introduce what this blog is about, let me ask you a question: how many times have you used the "reset password" or "forgot password" option while logging into some application? At least once, right? Well then, hello there! In this blog we will look into how the whole business of saving, verifying and resetting passwords works. The core idea behind it is hashing. So buckle up while I explain hashing and how it helps protect your password.
What is Hashing?
The most straightforward explanation of hashing is that it is a process of converting an input string of characters, a.k.a. the key or message, into another value. A hash function maps input of any size to an output of fixed length. That output is called the hash value (or digest). In the hash-table data structure, hash values decide where each key is stored; in password storage, the hash value is what gets saved in place of the password itself.
There are many hashing algorithms, a.k.a. hash functions, and a few of them are MD5, SHA-1, SHA-2 (for example SHA-256) and RIPEMD. Each algorithm works differently internally, and the output you get for the same input differs from algorithm to algorithm, in length as well as value. But the end goal of all of them is the same: converting your plain text into a hashed text. Two caveats a practitioner should know: MD5 and SHA-1 are considered broken (collisions can be found for both) and should not be used in new designs, and fast general-purpose hashes like these are not, on their own, suitable for storing passwords. Password storage uses a dedicated, deliberately slow, salted password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2.
Fundamental Features of Hash Functions
Every hash function has to meet several requirements, but for our purposes the most important are the following.
- Pre-image resistance (one-way): given a hash value, it must be computationally infeasible to recover an input that produces it. This is the property that stops an attacker who steals the database from simply reading the hashes back into passwords. Note what it does not promise: if the password is guessable, the attacker can hash guesses and compare them to the stored value, which is why password hashing also needs a salt and a deliberately slow function.
- Second pre-image resistance: given one input, it must be infeasible to find a different input that produces the same hash. The closely related collision resistance says it must be infeasible to find any two different inputs with the same hash. Because the output is fixed-length and the inputs are unbounded, collisions necessarily exist; the guarantee is that nobody can find them in practice. Together these properties ensure an attacker can't log in with some other string that happens to hash to your stored value.
- Determinism: the same input passed through the same hash function must always produce the same output. Without this, a stored hash could never be compared against a fresh login attempt.
How can we store passwords?
Now that you know the basics of hashing, let's understand how it is used to secure passwords. Before we look at how passwords are hashed, let's look at two other ways companies can store them.
Plain text: Of course, passwords can be stored as plain text in the database. This is the most vulnerable way of doing it, because anyone with access to the database, whether an administrator, an attacker exploiting a bug, or whoever obtains a backup, can read every user's password. And since people reuse passwords, those credentials usually work on other sites too. If you think no company would store passwords like this, you're entirely wrong: in the past, even multi-million dollar companies have been found storing their users' passwords as plain text.
Encrypted: The next option is to encrypt the passwords. Encryption is reversible: whoever holds the key can decrypt them, so the passwords are only as safe as the key. The catch is that the application needs that key available in order to work with the passwords at all, so an attacker who compromises the server usually gets the key along with the database. Hashing removes that problem entirely: there is no key to steal, and the original password never needs to be recovered. Hence, password hashing.
How does password hashing work?
Keeping the fundamental properties of a hash function in mind, let's unravel how this works and how secure your passwords really are. The first step in password hashing is, of course, hashing your password.
Take the first time you create an account in an app or website: you're prompted to create a strong password. The password you enter is passed through a password hash function together with a random salt generated for your account, and the salt and the resulting hash are stored in the users table; the password itself is never saved. The "confirm password" field only guards against typos: the two entries are compared before hashing so you don't lock yourself out with a mistyped password.
But if the hash is irreversible, how will the app validate you the next time you enter the password? This is where determinism comes in. When you log in again, the password you type is passed through the same hash function with the same stored salt, and the result is compared with the hash in the database (using a constant-time comparison, so the time the check takes doesn't leak anything about the stored value). If the two values match, the system lets you in; otherwise, nuh-uh. The server never learns whether your guess was "close". When you forget the password, the app emails you a link containing a random, single-use token that expires after a short time. When you follow that link and choose a new password, the app verifies the token, hashes the new password with a fresh salt, and overwrites the old hash in the database. The old password stops working, and voilà, you can log in again.
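Here is the whole flow just described (create an account, log in, forget the password, reset it) as working Python. This is an added example, not the blog's own code: in-memory dictionaries stand in for the database tables, PBKDF2-HMAC-SHA256 from the standard library is used as the password hash (bcrypt, scrypt or Argon2id would be equally appropriate), the iteration count, the 15-minute token lifetime and all usernames and passwords are illustrative, and the last function, run over a constructed "leaked" table, shows why a fast, unsalted SHA-256 would not be enough.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-ins for database tables (example code, not the blog's).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)

# Work factor for PBKDF2-HMAC-SHA256. Assumption: illustrative value; raise it until
# one hash takes tens of milliseconds on your production hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
RESET_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per account means two users with the
    same password get different hashes, so one precomputed table can't crack them all."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username, password):
    """Account creation: store salt + hash, never the password."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def login(username, password):
    """Re-hash the candidate with the stored salt and compare; determinism makes this work."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # doesn't reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    _, candidate = hash_password(password, record["salt"])
    # Constant-time comparison: a plain == could leak how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def request_reset(username):
    """Forgot-password step: mint a random, single-use, expiring token for the email link.
    Only its hash is stored, so a leaked table can't be used to reset accounts."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).digest()
    RESET_TOKENS[key] = (username, time.time() + RESET_TTL_SECONDS)
    return token


def reset_password(token, new_password):
    """Reset step: validate the token, then overwrite the old salt + hash with new ones."""
    key = hashlib.sha256(token.encode("utf-8")).digest()
    entry = RESET_TOKENS.pop(key, None)   # pop => the token can only be used once
    if entry is None:
        return False
    username, expires_at = entry
    if time.time() > expires_at:
        return False
    register(username, new_password)      # fresh salt, new hash; old password stops working
    return True


def crack_unsalted_sha256(stored_hashes, wordlist):
    """Why 'irreversible' isn't enough on its own: with a fast, unsalted hash an attacker
    precomputes one table from a wordlist and cracks every user who chose a common password."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# Constructed "leaked" table from a site that stored bare SHA-256 hashes (no salt).
LEAKED_UNSALTED = {
    "u1": hashlib.sha256(b"123456").hexdigest(),
    "u2": hashlib.sha256(b"zq8!Lm#v-7Tq").hexdigest(),
}
COMMON_WORDS = ["password", "123456", "qwerty", "letmein"]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", login("alice", "correct horse battery staple"))
    print("wrong pw:", login("alice", "Tr0ub4dor&3"))
    tok = request_reset("alice")
    print("reset:", reset_password(tok, "new passphrase"), "replay:", reset_password(tok, "again"))
    print("new pw:", login("alice", "new passphrase"))
    print("cracked:", crack_unsalted_sha256(LEAKED_UNSALTED, COMMON_WORDS))
```

Two design points worth noticing: the reset table stores only the hash of the token, so someone who reads that table still can't forge a reset link, and `login` does the full hash even for a nonexistent user so an attacker can't enumerate accounts by timing. The dictionary attack at the end cracks `u1` instantly because `123456` is in the wordlist, while the salted, slow PBKDF2 hashes force the attacker to redo that work per user and per guess.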
If this piques your interest in the concept of Hashing, we’ve got you covered. Check out our video on Introduction to Hashing on our YouTube Channel, and find tons of similar informative content.