Hashes

Learn about hashes and how they work.

What is a hash?

First, we need to cover the basics. Hashing is not encryption. A hashing function calculates a fixed-size string from an input. Passwords should be one-way hashed. This means they are impossible to decrypt, making them “one-way.” There is never a need to display a password back to a user or admin. Once a password is entered, it becomes a hash that can be recreated only when the original password is given as input.

Popular attacks

Before discussing any further, let’s delve into popular attacks against hashing algorithms.

Lookup tables

A lookup table is a table of hashes where the password is known. It can be as simple as this:

password | hash
------------------------
pass1    | bidfb2enkjnf
pass2    | psdfnojn3nod
etc...

This is then compared against the password hashes in your database to determine the used password. This attack is useless if you are using random salts, but it’s easy if the hashes aren’t salted.

Rainbow tables

A rainbow table is technically more sophisticated but similar to a lookup table. It is a less memory-intensive way of achieving a lookup table through mathematical means. You can think of them interchangeably when mentioned here. Rainbow tables are also thwarted by random salts, so they are less relevant due to the onset of modern hashing algorithms.

A rainbow tables attack is a very complex exploit that is really out of the scope of this course to explain. If you want to learn more, you can read the original paper published by Martin Hellman that introduces the concept.

Get hands-on with 1400+ tech skills courses.