Hashing happens to be a cryptographic process that validates and integrates the various forms of input. It is part of the authentication system that avoids plain text in databases. Even it is known to validate documents, files along with other types of data. If the hashing algorithms are not properly used it can lead to serious forms of data breaches. Not resorting to the use of hashing for securing sensitive data is an offense in the first place.
Hashing functions and their comparison with encryption
As discussed earlier hashing is a one way cryptographic function where encryption tends to be a two way process. The latter takes an input along with a secret key and a random looking output in the form of cipher text is developed. Such an operation is irreversible. Anyone who is aware about the original secret key, could decrypt the cipher text, and the original input can be read.
Hashing functions are not reversible. The output of any hashing function is a fixed length of characters termed as hash value, digest or it can be simply a hash. Their intention is not to keep it a secret, as it is possible to convert them back to their original values. But a vital property of a hashing function is when it is hashed, the unique input would result in the same hash value. If a couple of inputs do have the same hash value, it is termed as collision. Though it is easy to locate a collision, the hash function is rated to be broken from a security point of view.
Hashing can be compared to encryption, where a strong password inside a database exists. If there is any form of compromise the attackers do not gain access to plain text passwords and there is no definite reason for the website to be aware about the plain text password. If one has received these notes, be aware that the representative is not going to ask for any form of a password. This could be from various companies and a part of the reason is simply they do not. There is no use of it since they are not going to use your password as there is a non- reversible cryptographic presentation of the password that is the hash value.
A feeling is that companies who have to cope up with security breaches needs to deal with the term encryption that is part of the public disclosures. They provide advice to the customers that the passwords are secure and encrypted. One of the reasons is that the general audience is not familiar with the term of hashing, so the PR department is looking to avoid any type of confusion. It would make it difficult for an outsider to observe possibility of a breach. The reason being if the passwords were truly encrypted, then the risk is on the higher side and if they were hashed the next question might be was the encryption key also compromised. Is it possible to use the encryption key rather than hash words to happen.
Encryption is something that you have to edge cases, where you do need to obtain the general password. If there is an ability to decrypt passwords it does go on to pose a serious form of a security risk, so it needs to be assessed properly. A possibility is an alternative architecture is to be developed so there is no need to be storing passwords in an encrypted form.
Hashing and their use of authentication
In an authentication system, a user develops a new account, and the chosen password can be input. The application code would make the password through the hashing function and the results are stored in the system. If a user is looking to authenticate later, the process would be repeated and the result is being compared to the value of the database.
Suppose if the user forgets the password, as part of the password recovery process there is a need to verify the identity. It is done by usually taking ownership of the email, that was used to create a password account, via an email. The user can set up a new password and hence a new password in the dashboard occurs. If as part of the old password recovery process, it means the older password would be to send to the user via an email, and in the browser it is displayed. Platforms like appealing will give you an idea on their own.
Even if you use hashing, a developer could make an implementation error. It can be in the form of a hashing function which is insecure and would be vulnerable to brute force attacks. Such hashing schemes turn out to be popular but have gone on to depreciate are SHA- 1 and MD5.
It is possible to implement hashing functions in the form of multiple iterations or passes. The hashing algorithm is undertaken for each password. This is also referred to as the work factor and the goal would be to make it computationally intensive to crack down the brute force methods. While the higher work factor enhances security, the hashing function tends to become computationally intensive or longer as the algorithm is repeated several times.
For an ideal work factor there is no golden rule to follow. It is dependent upon the server performance, as there are various number of users in an application. This is dependent upon the optimal work factor as it would depend upon the implementation of the specific server that is used by an application. A general rule is that arriving at the value of a hash will take less than a single second, so on high end traffic sites it would be less than the same.
A better practice of a secure form of password storage is to combine very password with a series of random generated characters termed as hash and then arrive at the result. The salt is something that is unique for every user.