Tech 101: Password Hashing

Password hashing is a way a web site can store your password to keep it safe.

Sooner or later a web site you’ve used is going to get hacked, their user data stolen, and your information exposed to the world. If your password is sitting there in plain sight – “password1234” – the hackers can combine it with your email address to try to log into bank accounts, Facebook, or anything else out there.

This is where password hashing comes in. The web site takes a password like password1234 and runs it through a complex set of rules, which mixes it and mashes it into something like e6b6afbd6d76bb5d2041542d7d2e3fac5bb05593. This is called a hash.

You can think of a hash as your password’s fingerprint. Even if you change it a little bit, say to password1235, the hash ends up being super super different – 62f923cde8109b61a324f0677d7c0cafdb9e6480. Sites store this information instead of your actual password.

Checking password hashes is a lot like checking a criminal record. When the police bring you in for questioning, they don’t run you through a head-to-toe scanner and keep a copy of your body hanging around. They just take your fingerprints! If you show up again and they find your fingerprints in their system, they can be pretty sure that they know who you are.

It’s the same thing with password hashing. When a site asks you for your password – password1234 – they store the hash in their database as e6b6afbd6d76bb5d2041542d7d2e3fac5bb05593. Then, next time you give them your password – password1234 – they hash it, get e6b6afbd6d76bb5d2041542d7d2e3fac5bb05593, and look it up in their database. If it matches, you’re in! If you gave them password1235 instead, the hash turns out to be 62f923cde8109b61a324f0677d7c0cafdb9e6480, and it’s a no go.

The best part about hashes is that they can’t be run backwards. In the same way that you can’t recreate an entire person from a fingerprint, you can’t recreate a password from a hash. That way when someone steals that database full of user information, you’ll be safe and sound!

Cocktail Party Fact

One weakness of hashing is that the same passwords are always the same hashes. Anytime a hacker comes across e6b6afbd6d76bb5d2041542d7d2e3fac5bb05593 they might know it’s password1234 if they’ve seen it before. Hackers have big big lists of common passwords and their hashes called rainbow tables.

Something called salting can keep you safe, though. When I first store your password, I plop a few random letters and numbers onto the end – password1234JNFD – and hash that. Every time I check your password in the future I add those little extra letters before I hash it, so even if you picked a common password, salting turns it into a new, uncommon word that hashes to a different value. You have password1234JNFD and I have passwordKJRF and we’re all safe.

The recent theft of LinkedIn’s user database is a good example of when salting comes in handy!
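Here is the salting idea above as a short Python sketch, added as an illustration and not taken from the original article. It swaps the single plain hash for PBKDF2-HMAC-SHA256 from the standard library (a deliberately slow hash); the function names, 16-byte salt, iteration count, and the list of common passwords are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Plain hash, no salt: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str) -> dict:
    """Build the record a site keeps: a fresh random salt plus the salted hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def check_password(attempt: str, record: dict) -> bool:
    """Re-hash the login attempt with the stored salt, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Constructed sample data: a tiny precomputed table of unsalted hashes.
COMMON_PASSWORDS = ["123456", "password1234", "qwerty"]
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def demo() -> dict:
    you = store_password("password1234")  # two users pick the same password
    me = store_password("password1234")
    return {
        # Without a salt, the stored hash is found in the precomputed table.
        "unsalted_in_table": unsalted_hash("password1234") in PRECOMPUTED,
        # With a salt, neither stored hash appears in the table.
        "salted_in_table": you["hash"] in PRECOMPUTED or me["hash"] in PRECOMPUTED,
        # Same password, different salts, different stored hashes.
        "records_differ": you["hash"] != me["hash"],
        "right_password": check_password("password1234", you),
        "wrong_password": check_password("password1235", you),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is stored next to the hash in the clear; it does not need to be secret, only different for every user.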

Adda Birnir

Adda Birnir is the founder and CEO of Skillcrush. She was named one of 20 Women to Watch in technology by the Columbia Journalism Review, has been featured by Fast Company and the BBC, and serves as a member of the New York City Workforce Development Board. Adda is a graduate of Yale and lives in Queens with her husband and two sons.