If you‘re reading this blog, there‘s a very good chance that you‘ve searched for some information on dehashing a password. What is password dehashing? Is it possible to “dehash“ a password in the first place? Why are passwords hashed to begin with? This is what we‘re figuring out in this blog post.
What Is a Hash?
Starting off, we should probably learn what a hash is in the first place. Hashing a string is the process of transforming the string into another value. That‘s all it is – some might say that hashing is simply the process of „passing some data through a formula“ which in the end produces a result.
Everyone knows what a hash looks like:
All of the aforementioned hashes are of a different type – the first hash is of MD5 type, the second one is SHA1, and the third one is BCrypt. There are many different types of hashes available for use – starting from these defined and moving downwards towards hashes unique to a specific system, for example, vBulletin, MySQL, MyBB, Joomla, Atlassian, macOS, Redmine, and others. To see all of the available hash types, head over to Hashcat, but by now you should get the idea of what a hash is and when it‘s used.
Hashing != Encryption
One important thing to note, though, is that hashing is not encryption meaning that all hashes, as such, aren‘t reversible. Hashes cannot be decrypted, but they can be „cracked.“
Cracking a hash is essentially comparing a hashed value of text to the actual hashed value with an aim to see if the two values differ or if they are the same. In case the values are the same, the hash is considered to be „cracked“ – if they differ, the hash remains being an „uncracked hash.“ There are entire communities that hoard servers dedicated to just that – to password cracking – and the servers are then put to use in law enforcement investigations or to assist a company or a specific individual. As there are many use cases of hash cracking, there are many use cases of hashing, too – the most frequent use case is to hash passwords to protect them from prying eyes in case of a data breach or when complying with a specific privacy regulation (think GDPR and the like.)
Hashing to Protect Passwords
Password hashing is a very important practice in the information security world – if our passwords are securely hashed, an attacker cannot recognize their plain-text value by simply glancing at the hash, and even if the nefarious party tries cracking it, safe hashing algorithms (think BCrypt or Blowfish) will still reliably protect our secrets. Sure, some hashing algorithms are weaker than others – security experts wouldn‘t recommend using MD5 to protect our passwords due to the fact that this algorithm is easy to crack and is considered to be outdated – but some algorithms – like BCrypt and Blowfish – still hold their salt.
Salting a password hash is the practice of adding additional randomly generated strings at the end of the password hash, after a colon („:“) Salted hashes look like so:
You get the idea. The whole purpose of salting is to make the cracking of huge volumes of password hashes harder for an attacker – contrary to popular belief, salting doesn‘t do anything when a single password hash is being attacked, however, if the attacker is targeting hundreds, or even thousands, of those password hashes, we will certainly see a significant difference.
If you are considering whether to salt your password hashes or not, keep in mind that the bottom line of everything is this – hashes make passwords unrecognizable and in many cases hard to crack for an attacker, while a salt will make an attacker‘s job harder if he‘s attacking multiple password hashes at once.
Password Hashes and Data Breaches
As a data breach search engine, we certainly see a lot of data breaches; some data breaches, surprisingly, involve plain text passwords (did we tell you that there are entire websites dedicated to naming and shaming services that store passwords in plain text?), but some involve password hashes and, in some cases, password salts too. Over the years, we have certainly seen a lot of improvement in this scene, however, people still need to step up – if you are considering building a service where you allow people to register or login, consider using safe and slow password hashing algorithms like BCrypt or Blowfish (preferably with a salt) to be on the safe side.
However, not all businesses that fall prey to data breaches are operating on the safe side – some hash their passwords with a weak function lke the aforementioned MD5, while some don‘t hash them at all. And while password hashing isn‘t the solution to absolutely all security problems threatening the company, it can at least let you make sure the data of your customers is as safe as possible.
Password hashing is a good start, but in order to make sure that there are no threats of identity theft waiting for you or your company next door, consider implementing an API that lets your company scan through data breaches and ensure that your staff is safe both day and night. When using BreachDirectory, your company will significantly lessen the risks of data breaches and identity theft allowing you to sleep soundly.
Password hashing is an extremely important part of today‘s security landscape both on the web and elsewhere – hashed passwords provide an additional layer of protection for everyone involved: developers and the managers of the company whose application hashes the passwords can rest assured that appropriate privacy regulations are being followed, and security experts and customers of the business alike can be happy about another business that is taking their security seriously. Make sure to run a search through data breach search engines like the one built by BreachDirectory to assess your likelihood of being exposed in data breaches and implement an API into the infrastructure of your company to have the ability to scan the data of your staff and, preferably, your customers through data breaches alerting them of any anomalies, and until next time!