Cyber security: Hashed passwords


Why we can’t tell you your password

Everyone has forgotten their password at some stage. Our support desk regularly receives requests to let someone know what their password is.

For security reasons, we don’t keep a copy of passwords, so we can’t look yours up on the database for you. The best we can do is reset it for you and prompt you to change it to something only you know.

So if you think that the IT team has a big list of everyone’s passwords which we can dip into at any time, then you can rest easy. Here’s why:

Hashed passwords

Hashed passwords were invented by Robert Morris in the early 70s. Robert was a cryptographer working for Bell Labs, which is where he came up with ‘hashing’.

The system Robert made to store hashed passwords was used as part of the Unix operating system. 

A hashed password is a password that has been turned into a unique, intricate string of characters using a hashing algorithm. When you log in, the password you enter is hashed and compared with the hashed password stored in the database. If the hashes match, you are let into your account.

An extra layer of security

Passwords are hashed because it adds an extra layer of security for every user account. Big companies like Meta and Google stored passwords in plain text. This is dangerous because anyone who has internal access can see all of the passwords stored in the database.

If a hacker got into the database, they could take all of the passwords without issue, but with hashed passwords, the hacker would have a bunch of random characters.

Hashing scrambles data. It changes normal, understandable text and makes it an entirely different, random set of characters with a pre-set length. Hashing is extremely difficult to crack, which is why it is a preferred method of protection.

The largest issue with hashing is that the same word will always produce the same result when it is hashed.

If a hacker gets into a database with hashed passwords, then it would be possible for them to guess passwords and put them through the same algorithm to check what certain words look like once they’ve been hashed.

What can be done to stop this?

There are different hashing algorithms. For example, SHA1 and MD5 are outdated hashing methods and would be easier to hack. However, bcrypt, SHA2 and Argon2 are used now.

These methods will hash the passwords thousands of times to make sure that no one can crack the original password. Hashing is even more secure now as there are ‘salts’ and ‘peppers’.

A ‘salt’ means that some random characters are added to your password without you knowing, and the combined result is then hashed.

‘Peppers’ are quite similar to ‘salts’; however, both the password and the ‘pepper’ are hashed together.

Collisions

There are some issues with hashing, one of which is hash collisions. A hash collision happens when two different passwords have the same hashed password.

This is, however, extremely unlikely to happen with the newer methods of hashing and is not something to worry about.


It’s still important to take precautions when making a password as you won’t always know how good the functions used by your service provider are.

Remembering passwords can be a difficult task as well. Instead of allowing Google to save your password, you should use a password manager.

Are you in need of IT Support?

Itek provides IT solutions for your entire IT infrastructure. Your business can experience a cost-effective service at a predictable fixed rate, removing the burden from you and your team and freeing you to focus on your goals.
