Encryption and hashing are fundamental concepts in computing for any type of “secret”, but you might not notice how widespread they are.
Passwords are the least secure method of login authentication, yet they are still widely used. Hackers can leverage compromised credentials for data breaches, account takeovers, ransomware, and other criminal activities.
Businesses that must use passwords should always use proven cryptographic tools to keep passwords secure, such as encryption, hashing, and salting, rather than trying to create their own from scratch.
What is encryption?
Encryption is a method of securing a password (plaintext) by converting it, using a mathematical formula, into a scrambled version (ciphertext). Encryption is a two-way function, which means that the ciphertext can be decrypted back to the original plaintext password. Some authentication systems still require reversible passwords. Anyone with the right cryptographic key can take the ciphertext and invert it to reveal plaintext passwords, which makes reversibly stored passwords less secure. Protecting cryptographic keys is therefore critical, because a malicious actor with the key can unlock the cipher and recover every password. A hardware security module (HSM) can perform cryptographic operations with keys it holds internally and store those keys in a way that prevents them from being extracted from the HSM.
Encryption can play an important role in storing passwords, and many cryptographic algorithms and techniques are available. For example, password managers use encryption to keep confidential data private. When a user needs a password, the password manager decrypts the ciphertext and inserts the plaintext password into the web browser form, because plaintext is the only format the browser accepts.
What is hashing?
Hashing also uses an algorithm to transform a plaintext password into a hash value that hides the actual password. Unlike encryption, hashing is a one-way function. If you take a plaintext password of any length and run it through a hashing algorithm, it generates a fixed-length string, usually shown as a hexadecimal number, that is effectively unique to the provided plaintext. The length depends on the algorithm used. Password hashes cannot be changed back to the original plaintext password.
The server stores only the hashed version of the password. When the user enters a plaintext password, the system calculates its hash and compares it with the stored hash. If the hashes are equal, the server can confirm the password and the user gains access to the system.
What is salting?
Just as you add salt to season a dish, a random string of characters (the salt) is added to passwords to strengthen them. Each user is assigned a different salt, known only to the server, so that the stored value is unique even when two users choose the same password. The salt can be placed on either side of the password. For example, adding a salt to the password “Password” results in a salted password such as “4(j3Li95Password” or “Password4(j3Li95”. After adding the salt, the combination of plaintext password and salt is hashed, which is more secure than hashing the password alone.
Passwords alone are not sufficient for Identity and Access Management (IAM) and must be reinforced with further protections such as those described above. These functions run in the background, without adding any friction to the user experience.