Password hashing is a technique to protect sensitive user passwords by converting them into hashed representations that are difficult to reverse. It’s a one-way mathematical function that takes an input, a password in this case, and produces a fixed-size string of characters called a “hash.” The resulting hash is unique to the input, meaning that even a tiny change in the password will produce a significantly different hash.

Password hashing is comparable to wearing a disguise. With its help, pretty much no one else would recognize the costume wearer.

Read More about Password Hashing

Password hashing disallows attackers from quickly obtaining passwords stored in a database.

How Does Password Hashing Work?

Here’s how the password hashing process typically works.

  1. User registration: A user creates an account and sets a password that gets passed through a hashing algorithm.
  1. Salting: A randomly generated value called a “salt” gets added to a password, which is later stored alongside a hash. It adds an extra layer of security and ensures that even if two users have the same password, their hashed passwords will be different.
  1. Hashing: A hashing algorithm, such as bcrypt, PBKDF2, or Argon2, gets applied to the password. This algorithm is specifically designed to be slow and computationally expensive, making it difficult and time-consuming for attackers to crack a hashed password.
  1. Storage: The hashed password and the salt are stored in a database. The original password isn’t stored, providing an additional layer of protection in case the database gets compromised.
  1. Verification: When a user attempts to log in, the password he/she enters gets hashed with the same algorithm and salt, and the resulting hash is compared to the stored one. If they match, the password is considered valid.
Password Hashing Process

Why Is Password Hashing Important?

Password hashing disallows hackers from deciphering passwords even if they gain access to a database. They would need to perform a brute-force or dictionary attack to uncover the original passwords. The computational effort required for such attacks is significantly higher than obtaining passwords stored in plain text.

What Are the Most Popular Password Hashing Techniques?

Today’s most popular password hashing techniques are bcrypt, PBKDF2, and Argon2. These algorithms are widely recognized and recommended to hash passwords securely. Here’s a brief overview of each technique.

  • bcrypt: bcrypt is a widely adopted password hashing algorithm that incorporates the Blowfish symmetric encryption cipher. It’s designed to be computationally expensive, making it resistant to brute-force attacks. It automatically handles the generation of a random salt and includes it as part of the resulting hash. The algorithm enables adjustable work factors, allowing you to increase the computational cost over time as hardware improve.
  • PBKDF2: Password-Based Key Derivation Function 2 (PBKDF2) is a key derivation function that uses a pseudorandom function, such as Hash-Based Message Authentication Code (HMAC), to generate a hash. It applies multiple iterations of the hashing process, making it more time-consuming and resource-intensive for attackers. It also incorporates a salt to prevent precomputed hash attacks. However, it’s generally considered slower and less secure than bcrypt or Argon2.
  • Argon2: Argon2 is a newer, more advanced password hashing algorithm that won Password Hashing Competition 2015. It’s designed to be memory-hard, thus requiring a significant amount of memory resources to compute the hash. That makes it resistant to brute-force and graphics processing unit (GPU)-based attacks. It has three variants, namely:
  • Argon2i: Optimized against time-memory trade-offs.
  • Argon2d: Optimized for side-channel attack resistance.
  • Argon2id: A hybrid of the two variants above.

Argon2 also incorporates a salt, making it more secure against rainbow table attacks.

Sample Password Hashing Outputs

Here are sample hashed passwords using the three most commonly used algorithms today.

bcrypt

Plain password: MySecretPassword

Salt: $2a$12$abcdefghijklmnopqrstuu

Hashed password:

$2a$12$abcdefghijklmnopqrstuuRM56G/Rtw6J8sxXW0t8LOvRlR/K

PBKDF2

Plain password: MySecretPassword

Salt: a1b2c3d4e5f6g7h8

Iterations: 10,000

Hashed password:

ba4ca7de0f14d11ec3ef38fb982727fefcdccf68023d2c3171a8eb1b72b91b9c

Argon2

Plain password: MySecretPassword

Salt: a1b2c3d4e5f6g7h8

Iterations: 10

Memory: 65,536 bytes

Parallelism: 4

Hashed password:

$argon2id$v=19$m=65536,t=10,p=4$a1b2c3d4e5f6g7h8$V3RAl1wW1k0CfF0DAoRLa+HQ5wMBCLtVvEt8fLDo0gA

Note that the specific output format may vary, depending on your library or implementation, but these examples show the general structure of hashed passwords using the algorithms.

Password hashing makes it harder for attackers to obtain passwords that they typically use for personal information and identity theft.

Key Takeaways

  • Password hashing protects sensitive user passwords by converting them into hashed representations that are difficult to reverse.
  • Password hashing is a one-way mathematical function that takes an input and produces a fixed-size string of characters or a unique hash. Even a tiny change in the password will produce a significantly different hash.
  • The password hashing process involves user registration, salting, hashing, storage, and verification.
  • bcrypt, PBKDF2, and Argon2 are today’s most popular password hashing algorithms.