In the world of cybersecurity, a well-known concept is hashing, which is when a system uses an algorithm to modify a password before storing it or checking it against a stored password. It’s a powerful security tool. Let’s dive more into what hashing is and whether or not hashed passwords can be hacked.
How hashing works
Hashing performs a one-way transformation on a password, turning the password into a “hashed password.” You can hash passwords for security reasons. It guards against the possibility that an attacker gains access to a database and steals the passwords of every user in the system they’re hacking.
The hashing algorithm is like a machine. On your end, you input any text or data—usually password, and on the other end, the server gets a number that is a certain length. When a user account is created or a password is changed, the new password is typed in for the first time. The computer security application then takes that password and runs it through a hashing algorithm, storing the resulting number in a database.
When a user attempts to log in, the server takes the supplied password, performs a similar one-way hash, and compares it to the database. If the passwords match, the log in was successful.
Hacking a hashed password
Hashed passwords are a great way to fight off potential hackers, but it doesn’t make it impossible for them to gain access. If a system uses a properly designed algorithm to create a hashed password, chances of hacking are extremely low.
However, when a hacker steals hashed passwords in a database, they can reverse engineer the hashes to get the real passwords by using a database of words they think might be the password. If any of the hashes match what the hacker has in the database, they now know the original password.
To do this, they would have to have a very large database of words and hash each of them, then compare those hashes to the database they stole. It takes a long amount of time to do this, which helps deter most hackers.
Using an algorithm to create hashed passwords was a major breakthrough in security at the time. Now it’s expected of basically every system. If a hacker steals a user account database, they don’t automatically have every password; all they will have is a list of hashed passwords.