Encryption vs. Hashing vs. Salting - What's the Difference?
Encryption and hashing are foundational concepts in computing for any type of “secret,” but you might not notice how prevalent they are. For the purpose of this blog, we’ll focus on encryption, hashing and salting for passwords. Passwords are the least secure method of logon authentication, but are still widely used. Bad actors can exploit compromised credentials for data breaches, account takeover fraud, ransomware and other criminal activities.
Hashing and encryption are both ways to keep data safe, but have different functions. Password encryption is used when the plaintext must be recovered for any reason. Password hashing is typical on the server side when the server operators don't need to know the plaintext, they just need to demonstrate that the user knows the plaintext. These functions take place in the background, as does salting, without adding friction to the user experience.
Enterprises that must use passwords should always use proven cryptographic tools for keeping passwords safe rather than trying to build their own from scratch. Read on to learn more about encryption, hashing and salting and how they are used.
What is Encryption?
Encryption is a method for securing a password (plaintext) by converting it, using a mathematical formula, into a scrambled version (ciphertext). Encryption is a two-way function, meaning the original plaintext password that is encrypted into ciphertext can be returned to plaintext by decrypting it. Some authentication systems still require reversible passwords. Anyone with the correct cryptographic key can take ciphertext and reverse it to reveal plaintext passwords, making them less secure. Protecting cryptographic keys is essential, since a bad actor with the key can unlock the encryption to recover passwords. A hardware security module (HSM) can perform core cryptographic operations and store keys in a way that prevents them from being extracted from the HSM.
Encryption can play an important role in password storage, and numerous cryptographic algorithms and techniques are available. For example, password managers use encryption to safeguard the confidentiality of the stored secrets. When a password is needed by a user, the password manager decrypts the ciphertext and inserts the plaintext password into the web browser form because plaintext is the only format the browser allows.
What is Hashing?
Hashing also uses an algorithm to transform a plaintext password into ciphertext that obscures the actual password. Unlike encryption, hashing is a one-way function. If you take an arbitrary plaintext password of any length, run it through a hashing algorithm, it spits out a string or hexadecimal number that is unique to the supplied plaintext. The length is dependent on the algorithm used. Hashes of passwords cannot be transformed back to the original plaintext password.
The server stores a hashed version of the password. When the user types in a plaintext password, the system calculates the hash and compares the hashes. If the hashes are equal, the server is able to confirm the password and the user is given access.
Common Hashing Algorithms
Less secure hash algorithms:
- Message-digest algorithm 5 (MD5) takes a message of any length as input and converts it to an output of a fixed 128-bit hash value length to be used for authenticating the original message.
- Secure hash algorithm (SHA) is also a cryptographic hash function. SHA-1's 160-bit values are more secure than MD5's 128-bit hash value lengths, but it also has weaknesses, which led to the SHA-2 hash code family.
More secure hash algorithms:
- SHA-2 hash code family is widely used today, with algorithms that are longer and harder to break. The names of SHA-2 algorithms are connected to length, so SHA-224 represents 224 bits in length. The same format works for SHA-256, SHA-384 and SHA-512.
What is Salting?
Just as you add salt to enhance your food, a random string of characters (salt) is added to passwords to enhance them. Each user is assigned a different salt, which is only known to the server, making them unique and more secure. The salt can be placed on either side of the password. For example, adding salt to the password "Password" could result in a salted password like "4(j3Li95Password" or "Password4(j3Li95." After the salt is added, the combination of plaintext password and salt is then hashed, making it more secure than a hashed password alone.
Combining Salting and Hashing for Security
Password hashing makes storage and management more secure, and applies to both salted and unsalted passwords. Salted passwords that are also hashed make it harder for bad actors to crack passwords at scale. Because random characters are added to passwords prior to hashing, the hacker loses the ability to quickly figure out the plaintext password. Without guessing, it's almost impossible to take the output of a hash function and reverse it to find out the original value. The unique hash created with salted passwords defends against attack vectors, including dictionary, brute force and hash table attacks.
Let's say a hacker wants to test a password. The hacker first has to steal the server file containing hashed passwords. An experienced hacker will have already taken commonly used passwords, dictionary entries and passwords found on the dark web, run them through standard hash algorithms and put the results in a table. A hash table is a pre-calculated database of hashes and a rainbow table is a pre-calculated table of reversed hashes used to decipher password hashes. The hacker searches the server file for matches in the pre-calculated hashes on their rainbow table. Because the rainbow table was created from all the possible plaintexts, they now know that user's password. The hacker will be able to access the user's account unless other security measures, like multi-factor authentication (MFA), are in place.
A hacker with pre-calculated tables based on typical passwords will be unable to easily figure out salted passwords because random extra characters have been added. The hacker will be forced to try millions of hashed password-salt combinations in order to uncover passwords. Just as a car thief will skip difficult break-ins to find an unlocked car with the keys in the ignition, the hacker will move on to less secure targets.
Recap: Encryption vs. Hashing vs. Salting
Password encryption is used when the plaintext must be recovered for any reason. Encryption is a reversible method of converting plaintext passwords to ciphertext, and you can return to the original plaintext with a decryption key. Encryption is often used for storing passwords in password managers.
Password hashing is useful on the server side when server operators don't need to know the plaintext, only that the user knows the plaintext. Hashing is a one-way process that converts a password to ciphertext using hash algorithms. A hashed password cannot be decrypted, but a hacker can try to reverse engineer it.
Password salting adds random characters before or after a password prior to hashing to obfuscate the actual password. Because of the randomness of the salt, hackers have a very difficult time figuring out actual passwords from hashed salted passwords because their pre-calculated tables of passwords won't work.
Passwords alone are not sufficient for identity and access management (IAM) and need to be reinforced with other authentication methods. To learn more about multi-factor authentication (MFA), read our white paper on the Best Practices for Securing the Modern Digital Enterprise.