Hashing has a wide range of applications in cybersecurity, but its primary use is to “scramble” data so that outside parties can’t understand it if they intercept it. But what exactly is hashing, and why should you care about it? Read on to learn more.
Hashing is the process of mapping data of any size to a fixed, predetermined length using an algorithm. The output is known as a hash value (or a hash code, hash sum or hash digest). If you think hashing sounds a lot like encryption, you’re right. The approaches are similar, but the intended outcomes aren’t. The main difference is that encrypted data is intended to be decrypted at some point, which is why keys are used. In contrast, hashed data is never intended to be decrypted.
A hashing algorithm disguises text by running it through a filter that turns it into ciphertext, meaning an unintelligible string of seemingly random letters and numbers, with all outputs of a given algorithm usually being the same length regardless of the input’s length.
Password hashing enhances security by ensuring that a server never stores passwords in plaintext; only the end user knows the plaintext value of the password.
Here’s a visual of how hashing works, using the MD5 hash algorithm:
Plaintext password: trustno1
MD5 hash: 5fcfd41e547a12215b173ff47fdd3739
Changing the password even just a tiny bit completely changes the hash. Observe what happens just by capitalizing the first letter of the password:
Plaintext password: Trustno1
MD5 hash: 44ec94bbfc520c644ce2748eb3bdef6d
That’s a completely different result, and all we did was capitalize one letter!
Hashing is a one-way process; hashed text cannot be decrypted, although cybercriminals can try to reverse-engineer the hash process; we’ll talk more about that below.
Although it’s far more secure for servers to store hashed passwords rather than plaintext, the hashing process does have limitations. A major limitation is that, if two users have the same password, they’ll also have the same password hash. Since many people use the same weak passwords, like “qwerty” and “password123,” this happens a lot, and it makes it easier for cybercriminals to attempt to reverse-engineer the hash algorithm.
Thankfully, there is a way to get around this problem: salting.
Salting is a process wherein the server adds a random and unique string of characters to a password prior to hashing it. This ensures that every password hash is unique, even if every user in the system has the same plaintext password.
Here’s a visual of how salting works:
User 1 plaintext password: trustno1
MD5 hash (no salt): 5fcfd41e547a12215b173ff47fdd3739
User 1 “salt”: lAt3i
MD5 hash (salt + trustno1): e49a19f5b3b1743ec9d8c13662a21892
User 2 plaintext password: trustno1
MD5 hash (no salt): 5fcfd41e547a12215b173ff47fdd3739
User 2 “salt”: wS>Zd
MD5 hash (salt + trustno1): 0caf49e6119c7629dbdf6776864de9b6
As you can see, even though both users have the same password, the salt ensures that they have completely different hashes, which makes it nearly impossible for cybercriminals to reverse-engineer the hash. For this reason, salting is a best practice when hashing passwords.
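As an added illustration (not code from the original article or from Keeper), the following Python reproduces the walk-through above with the standard library: the MD5 digests of trustno1 and Trustno1, how many of the 128 digest bits change when one letter is capitalized, identical hashes for identical unsalted passwords, and per-user random salts (hashed as salt + password, the scheme the article describes) that make the stored hashes diverge and still let each user log in. The user store and user names are constructed for the example; MD5 appears only because the article's examples use it.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the original article or from Keeper.
# MD5 is used here only because the article's illustrations use it;
# it is not an acceptable password hash for a real system.


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a UTF-8 string: always 32 hex characters, whatever the input length."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many bits differ between two hex digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def new_salt(nbytes: int = 16) -> str:
    """A random, per-user salt from the OS CSPRNG, rendered as hex so it is printable like the article's salts."""
    return secrets.token_hex(nbytes)


def salted_hash(password: str, salt: str) -> str:
    """The article's scheme: hash the salt prepended to the password."""
    return md5_hex(salt + password)


def store_user(store: dict, username: str, password: str) -> None:
    """Enroll a user: generate a fresh salt and keep only (salt, hash), never the plaintext."""
    salt = new_salt()
    store[username] = {"salt": salt, "hash": salted_hash(password, salt)}


def verify_user(store: dict, username: str, password: str) -> bool:
    """Recompute the hash with the user's stored salt and compare in constant time."""
    record = store.get(username)
    if record is None:
        return False
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def demo() -> dict:
    """Reproduce the article's walk-through and return each observation by name."""
    results = {}
    # 1. One tiny change in the input changes the digest completely.
    lower, capital = md5_hex("trustno1"), md5_hex("Trustno1")
    results["unsalted_trustno1"] = lower
    results["unsalted_Trustno1"] = capital
    results["bits_changed_by_capital_t"] = differing_bits(lower, capital)

    # 2. Without a salt, two users with the same password share one hash.
    results["same_password_same_hash"] = md5_hex("trustno1") == md5_hex("trustno1")

    # 3. With a unique salt per user, stored hashes differ although the passwords are identical
    #    (constructed store and user names).
    store = {}
    store_user(store, "user1", "trustno1")
    store_user(store, "user2", "trustno1")
    results["salted_hashes_differ"] = store["user1"]["hash"] != store["user2"]["hash"]
    results["user1_login_ok"] = verify_user(store, "user1", "trustno1")
    results["user1_wrong_password"] = verify_user(store, "user1", "Trustno1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the two unsalted digests (compare them with the values shown above), the number of digest bits the single capital letter flipped (close to half of 128, as a good hash should), and the outcome of the salted enrollment and logins. Note that the server never needs the plaintext after enrollment: verification only recomputes the hash from the stored salt and the submitted password.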
A hash collision occurs when two different strings of text produce the same hash code. Returning to our previous example, if the passwords “trustno1” and “Trustno1” were to produce the same hash value, that would be a hash collision, and it would mean that the hashing algorithm isn’t secure. Security researchers devote a lot of time to finding hash collisions. In fact, the MD5 hash algorithm mentioned in our examples has a known high probability of hash collision, and it is therefore no longer used other than for non-cryptographic purposes.
If such a collision occurs, cybercriminals can trick the computer into giving them access by logging in with a password other than the original one that happens to produce the same hash.
Hashing (and salting) passwords enhances cybersecurity by eliminating the need for servers to store users’ actual passwords. Even if a cybercriminal were to compromise the password list, they would get only a bunch of gibberish characters that are nearly impossible to decode. Using unique, randomly generated salts is a best practice to ensure that even if multiple accounts use the same password, the hash values will be completely different.
Keeper derives a 256-bit “Authentication Key” from your Master Password by using PBKDF2-HMAC-SHA256 and a random salt. From here, we generate an “Authentication Hash” by using SHA-256 to hash the Authentication Key. For users to log in, the Authentication Hash is compared to an Authentication Hash stored on the Cloud Security Vault.
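An added example (not Keeper's code) of the enrollment and login flow the paragraph describes, using Python's standard library: PBKDF2-HMAC-SHA256 with a random salt derives the 256-bit Authentication Key, SHA-256 of that key is the Authentication Hash, and login compares a freshly derived Authentication Hash with the stored one in constant time. The iteration count and salt length are assumptions chosen for this illustration, not Keeper's actual parameters, and the record dictionary stands in for the Cloud Security Vault's stored entry.

```python
import hashlib
import hmac
import secrets

# Added example, not Keeper's code. It follows the article's description of the flow:
# PBKDF2-HMAC-SHA256 + random salt -> 256-bit Authentication Key;
# SHA-256(Authentication Key) -> Authentication Hash, which is what the server stores and compares.
# The two constants below are assumptions for the illustration, not Keeper's parameters.
ASSUMED_ITERATIONS = 100_000
ASSUMED_SALT_BYTES = 16


def derive_authentication_key(master_password: str, salt: bytes,
                              iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 stretched to 32 bytes (256 bits); deliberately slow to resist guessing."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def authentication_hash(authentication_key: bytes) -> bytes:
    """The value the server keeps: SHA-256 of the Authentication Key, never the key itself."""
    return hashlib.sha256(authentication_key).digest()


def enroll(master_password: str) -> dict:
    """Register a user: pick a random salt, keep salt + Authentication Hash, discard key and password."""
    salt = secrets.token_bytes(ASSUMED_SALT_BYTES)
    auth_key = derive_authentication_key(master_password, salt)
    return {"salt": salt, "auth_hash": authentication_hash(auth_key)}


def login(master_password: str, record: dict) -> bool:
    """Re-derive the Authentication Hash from the stored salt and compare in constant time."""
    auth_key = derive_authentication_key(master_password, record["salt"])
    return hmac.compare_digest(authentication_hash(auth_key), record["auth_hash"])


if __name__ == "__main__":
    stored = enroll("trustno1")  # constructed master password
    print("stored salt:     ", stored["salt"].hex())
    print("stored auth hash:", stored["auth_hash"].hex())
    print("login with correct password:", login("trustno1", stored))
    print("login with wrong password:  ", login("Trustno1", stored))
```

Two users who choose the same Master Password end up with different salts, different Authentication Keys and different Authentication Hashes, and a stolen record yields only the salt and a SHA-256 digest of a key that itself costs a PBKDF2 run per guess to recompute.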
Updated on December 9th, 2022.