Difference between Hashing a Password and Encrypting it

Question

The current top-voted to this question states      Another one that s not so much a security issue  although it is security-related  is complete and abject failure to grok the difference between hashing a password and encrypting it  Most commonly found in code where the programmer is trying to provide unsafe  Remind me of my password  functionality    What exactly is this difference  I was always under the impression that hashing was a form of encryption  What is the unsafe functionality the poster is referring to

User · Answer

As shown in the above image  if the password is encrypted it is always a hidden secret where someone can extract the plain text password  However when password is hashed  you are relaxed as there is hardly any method of recovering the password from the hash value     Extracted from Encrypted vs Hashed Passwords - Which is better   Is encryption good   Plain text passwords can be encrypted using symmetric encryption algorithms like DES  AES or with any other algorithms and be stored inside the database  At the authentication  confirming the identity with user name and password   application will decrypt the encrypted password stored in database and compare with user provided password for equality  In this type of an password handling approach  even if someone get access to database tables the passwords will not be simply reusable  However there is a bad news in this approach as well  If somehow someone obtain the cryptographic algorithm along with the key used by your application  he she will be able to view all the user passwords stored in your database by decryption   This is the best option I got   a software developer may scream  but is there a better way   Cryptographic hash function  one-way-only   Yes there is  may be you have missed the point here  Did you notice that there is no requirement to decrypt and compare  If there is one-way-only conversion approach where the password can be converted into some converted-word  but the reverse operation  generation of password from converted-word  is impossible  Now even if someone gets access to the database  there is no way that the passwords be reproduced or extracted using the converted-words  In this approach  there will be hardly anyway that some could know your users  top secret passwords  and this will protect the users using the same password across multiple applications  What algorithms can be used for this approach

User · Answer

Here s one reason you may want to use one over the other - password retrieval    If you only store a hash of a user s password  you can t offer a  forgotten password  feature

User · Answer

As correct as the other answers may be  in the context that the quote was in  hashing is a tool that may be used in securing information  encryption is a process that takes information and makes it very difficult for unauthorized people to read use

User · Answer

I ve always thought that Encryption can be converted both ways  in a way that the end value can bring you to original value and with Hashing you ll not be able to revert from the end result to the original value

User · Answer

Hashing is a one way function  well  a mapping   It s irreversible  you apply the secure hash algorithm and you cannot get the original string back  The most you can do is to generate what s called  a collision   that is  finding a different string that provides the same hash  Cryptographically secure hash algorithms are designed to prevent the occurrence of collisions  You can attack a secure hash by the use of a rainbow table  which you can counteract by applying a salt to the hash before storing it   Encrypting is a proper  two way  function  It s reversible  you can decrypt the mangled string to get original string if you have the key   The unsafe functionality it s referring to is that if you encrypt the passwords  your application has the key stored somewhere and an attacker who gets access to your database  and or code  can get the original passwords by getting both the key and the encrypted text  whereas with a hash it s impossible   People usually say that if a cracker owns your database or your code he doesn t need a password  thus the difference is moot  This is na  ve  because you still have the duty to protect your users  passwords  mainly because most of them do use the same password over and over again  exposing them to a greater risk by leaking their passwords

User · Answer

Hashing is a one-way function  meaning that once you hash a password it is very difficult to get the original password back from the hash   Encryption is a two-way function  where it s much easier to get the original text back from the encrypted text   Plain hashing is easily defeated using a dictionary attack  where an attacker just pre-hashes every word in a dictionary  or every combination of characters up to a certain length   then uses this new dictionary to look up hashed passwords   Using a unique random salt for each hashed password stored makes it much more difficult for an attacker to use this method   They would basically need to create a new unique dictionary for every salt value that you use  slowing down their attack terribly   It s unsafe to store passwords using an encryption algorithm because if it s easier for the user or the administrator to get the original password back from the encrypted text  it s also easier for an attacker to do the same

User · Answer

Hashing is a one way function  well  a mapping   It s irreversible  you apply the secure hash algorithm and you cannot get the original string back  The most you can do is to generate what s called  a collision   that is  finding a different string that provides the same hash  Cryptographically secure hash algorithms are designed to prevent the occurrence of collisions  You can attack a secure hash by the use of a rainbow table  which you can counteract by applying a salt to the hash before storing it   Encrypting is a proper  two way  function  It s reversible  you can decrypt the mangled string to get original string if you have the key   The unsafe functionality it s referring to is that if you encrypt the passwords  your application has the key stored somewhere and an attacker who gets access to your database  and or code  can get the original passwords by getting both the key and the encrypted text  whereas with a hash it s impossible   People usually say that if a cracker owns your database or your code he doesn t need a password  thus the difference is moot  This is na  ve  because you still have the duty to protect your users  passwords  mainly because most of them do use the same password over and over again  exposing them to a greater risk by leaking their passwords

User · Answer

Hashing    It is a one-way algorithm and once hashed can not rollback and this is its sweet point against encryption    Encryption  If we perform encryption  there will a key to do this  If this key will be leaked all of your passwords could be decrypted easily    On the other hand  even if your database will be hacked or your server admin took data from DB and you used hashed passwords  the hacker will not able to break these hashed passwords  This would actually practically impossible if we use hashing with proper salt and additional security with PBKDF2   If you want to take a look at how should you write your hash functions  you can visit here   There are many algorithms to perform hashing    MD5 - Uses the Message Digest Algorithm 5  MD5  hash function  The output hash is 128 bits in length  The MD5 algorithm was designed by Ron Rivest in the early 1990s and is not a preferred option today  SHA1 - Uses Security Hash Algorithm  SHA1  hash published in 1995  The output hash is 160 bits in length  Although most widely used  this is not a preferred option today  HMACSHA256  HMACSHA384  HMACSHA512 - Use the functions SHA-256  SHA-384  and SHA-512 of the SHA-2 family  SHA-2 was published in 2001  The output hash lengths are 256  384  and 512 bits  respectively as the hash functions    names indicate

User · Answer

Hashing algorithms are usually cryptographic in nature  but the principal difference is that encryption is reversible through decryption  and hashing is not   An encryption function typically takes input and produces encrypted output that is the same  or slightly larger size   A hashing function takes input and produces a typically smaller output  typically of a fixed size as well   While it isn t possible to take a hashed result and  dehash  it to get back the original input  you can typically brute-force your way to something that produces the same hash   In other words  if a authentication scheme takes a password  hashes it  and compares it to a hashed version of the requires password  it might not be required that you actually know the original password  only its hash  and you can brute-force your way to something that will match  even if it s a different password   Hashing functions are typically created to minimize the chance of collisions and make it hard to just calculate something that will produce the same hash as something else

User · Answer

Hashing    It is a one-way algorithm and once hashed can not rollback and this is its sweet point against encryption    Encryption  If we perform encryption  there will a key to do this  If this key will be leaked all of your passwords could be decrypted easily    On the other hand  even if your database will be hacked or your server admin took data from DB and you used hashed passwords  the hacker will not able to break these hashed passwords  This would actually practically impossible if we use hashing with proper salt and additional security with PBKDF2   If you want to take a look at how should you write your hash functions  you can visit here   There are many algorithms to perform hashing    MD5 - Uses the Message Digest Algorithm 5  MD5  hash function  The output hash is 128 bits in length  The MD5 algorithm was designed by Ron Rivest in the early 1990s and is not a preferred option today  SHA1 - Uses Security Hash Algorithm  SHA1  hash published in 1995  The output hash is 160 bits in length  Although most widely used  this is not a preferred option today  HMACSHA256  HMACSHA384  HMACSHA512 - Use the functions SHA-256  SHA-384  and SHA-512 of the SHA-2 family  SHA-2 was published in 2001  The output hash lengths are 256  384  and 512 bits  respectively as the hash functions    names indicate

User · Answer

Hashing is a one-way function  meaning that once you hash a password it is very difficult to get the original password back from the hash   Encryption is a two-way function  where it s much easier to get the original text back from the encrypted text   Plain hashing is easily defeated using a dictionary attack  where an attacker just pre-hashes every word in a dictionary  or every combination of characters up to a certain length   then uses this new dictionary to look up hashed passwords   Using a unique random salt for each hashed password stored makes it much more difficult for an attacker to use this method   They would basically need to create a new unique dictionary for every salt value that you use  slowing down their attack terribly   It s unsafe to store passwords using an encryption algorithm because if it s easier for the user or the administrator to get the original password back from the encrypted text  it s also easier for an attacker to do the same

User · Answer

Hashing is a one-way function  meaning that once you hash a password it is very difficult to get the original password back from the hash   Encryption is a two-way function  where it s much easier to get the original text back from the encrypted text   Plain hashing is easily defeated using a dictionary attack  where an attacker just pre-hashes every word in a dictionary  or every combination of characters up to a certain length   then uses this new dictionary to look up hashed passwords   Using a unique random salt for each hashed password stored makes it much more difficult for an attacker to use this method   They would basically need to create a new unique dictionary for every salt value that you use  slowing down their attack terribly   It s unsafe to store passwords using an encryption algorithm because if it s easier for the user or the administrator to get the original password back from the encrypted text  it s also easier for an attacker to do the same

User · Answer

As shown in the above image  if the password is encrypted it is always a hidden secret where someone can extract the plain text password  However when password is hashed  you are relaxed as there is hardly any method of recovering the password from the hash value     Extracted from Encrypted vs Hashed Passwords - Which is better   Is encryption good   Plain text passwords can be encrypted using symmetric encryption algorithms like DES  AES or with any other algorithms and be stored inside the database  At the authentication  confirming the identity with user name and password   application will decrypt the encrypted password stored in database and compare with user provided password for equality  In this type of an password handling approach  even if someone get access to database tables the passwords will not be simply reusable  However there is a bad news in this approach as well  If somehow someone obtain the cryptographic algorithm along with the key used by your application  he she will be able to view all the user passwords stored in your database by decryption   This is the best option I got   a software developer may scream  but is there a better way   Cryptographic hash function  one-way-only   Yes there is  may be you have missed the point here  Did you notice that there is no requirement to decrypt and compare  If there is one-way-only conversion approach where the password can be converted into some converted-word  but the reverse operation  generation of password from converted-word  is impossible  Now even if someone gets access to the database  there is no way that the passwords be reproduced or extracted using the converted-words  In this approach  there will be hardly anyway that some could know your users  top secret passwords  and this will protect the users using the same password across multiple applications  What algorithms can be used for this approach

User · Answer

I ve always thought that Encryption can be converted both ways  in a way that the end value can bring you to original value and with Hashing you ll not be able to revert from the end result to the original value

User · Answer

As correct as the other answers may be  in the context that the quote was in  hashing is a tool that may be used in securing information  encryption is a process that takes information and makes it very difficult for unauthorized people to read use

User · Answer

As correct as the other answers may be  in the context that the quote was in  hashing is a tool that may be used in securing information  encryption is a process that takes information and makes it very difficult for unauthorized people to read use

User · Answer

Ideally you should do both   First Hash the pass password for the one way security   Use a salt for extra security   Then encrypt the hash to defend against dictionary attacks if your database of password hashes is compromised

User · Answer

I ve always thought that Encryption can be converted both ways  in a way that the end value can bring you to original value and with Hashing you ll not be able to revert from the end result to the original value

User · Answer

Hashing algorithms are usually cryptographic in nature  but the principal difference is that encryption is reversible through decryption  and hashing is not   An encryption function typically takes input and produces encrypted output that is the same  or slightly larger size   A hashing function takes input and produces a typically smaller output  typically of a fixed size as well   While it isn t possible to take a hashed result and  dehash  it to get back the original input  you can typically brute-force your way to something that produces the same hash   In other words  if a authentication scheme takes a password  hashes it  and compares it to a hashed version of the requires password  it might not be required that you actually know the original password  only its hash  and you can brute-force your way to something that will match  even if it s a different password   Hashing functions are typically created to minimize the chance of collisions and make it hard to just calculate something that will produce the same hash as something else

User · Answer

I ve always thought that Encryption can be converted both ways  in a way that the end value can bring you to original value and with Hashing you ll not be able to revert from the end result to the original value

User · Answer

Hashing is a one way function  well  a mapping   It s irreversible  you apply the secure hash algorithm and you cannot get the original string back  The most you can do is to generate what s called  a collision   that is  finding a different string that provides the same hash  Cryptographically secure hash algorithms are designed to prevent the occurrence of collisions  You can attack a secure hash by the use of a rainbow table  which you can counteract by applying a salt to the hash before storing it   Encrypting is a proper  two way  function  It s reversible  you can decrypt the mangled string to get original string if you have the key   The unsafe functionality it s referring to is that if you encrypt the passwords  your application has the key stored somewhere and an attacker who gets access to your database  and or code  can get the original passwords by getting both the key and the encrypted text  whereas with a hash it s impossible   People usually say that if a cracker owns your database or your code he doesn t need a password  thus the difference is moot  This is na  ve  because you still have the duty to protect your users  passwords  mainly because most of them do use the same password over and over again  exposing them to a greater risk by leaking their passwords

User · Answer

Hashing is a one way function  well  a mapping   It s irreversible  you apply the secure hash algorithm and you cannot get the original string back  The most you can do is to generate what s called  a collision   that is  finding a different string that provides the same hash  Cryptographically secure hash algorithms are designed to prevent the occurrence of collisions  You can attack a secure hash by the use of a rainbow table  which you can counteract by applying a salt to the hash before storing it   Encrypting is a proper  two way  function  It s reversible  you can decrypt the mangled string to get original string if you have the key   The unsafe functionality it s referring to is that if you encrypt the passwords  your application has the key stored somewhere and an attacker who gets access to your database  and or code  can get the original passwords by getting both the key and the encrypted text  whereas with a hash it s impossible   People usually say that if a cracker owns your database or your code he doesn t need a password  thus the difference is moot  This is na  ve  because you still have the duty to protect your users  passwords  mainly because most of them do use the same password over and over again  exposing them to a greater risk by leaking their passwords

User · Answer

Hashing algorithms are usually cryptographic in nature  but the principal difference is that encryption is reversible through decryption  and hashing is not   An encryption function typically takes input and produces encrypted output that is the same  or slightly larger size   A hashing function takes input and produces a typically smaller output  typically of a fixed size as well   While it isn t possible to take a hashed result and  dehash  it to get back the original input  you can typically brute-force your way to something that produces the same hash   In other words  if a authentication scheme takes a password  hashes it  and compares it to a hashed version of the requires password  it might not be required that you actually know the original password  only its hash  and you can brute-force your way to something that will match  even if it s a different password   Hashing functions are typically created to minimize the chance of collisions and make it hard to just calculate something that will produce the same hash as something else

User · Answer

Here s one reason you may want to use one over the other - password retrieval    If you only store a hash of a user s password  you can t offer a  forgotten password  feature

User · Answer

Hashing is a one-way function  meaning that once you hash a password it is very difficult to get the original password back from the hash   Encryption is a two-way function  where it s much easier to get the original text back from the encrypted text   Plain hashing is easily defeated using a dictionary attack  where an attacker just pre-hashes every word in a dictionary  or every combination of characters up to a certain length   then uses this new dictionary to look up hashed passwords   Using a unique random salt for each hashed password stored makes it much more difficult for an attacker to use this method   They would basically need to create a new unique dictionary for every salt value that you use  slowing down their attack terribly   It s unsafe to store passwords using an encryption algorithm because if it s easier for the user or the administrator to get the original password back from the encrypted text  it s also easier for an attacker to do the same

User · Answer

Ideally you should do both   First Hash the pass password for the one way security   Use a salt for extra security   Then encrypt the hash to defend against dictionary attacks if your database of password hashes is compromised

User · Answer

As correct as the other answers may be  in the context that the quote was in  hashing is a tool that may be used in securing information  encryption is a process that takes information and makes it very difficult for unauthorized people to read use

User · Answer

Hashing algorithms are usually cryptographic in nature  but the principal difference is that encryption is reversible through decryption  and hashing is not   An encryption function typically takes input and produces encrypted output that is the same  or slightly larger size   A hashing function takes input and produces a typically smaller output  typically of a fixed size as well   While it isn t possible to take a hashed result and  dehash  it to get back the original input  you can typically brute-force your way to something that produces the same hash   In other words  if a authentication scheme takes a password  hashes it  and compares it to a hashed version of the requires password  it might not be required that you actually know the original password  only its hash  and you can brute-force your way to something that will match  even if it s a different password   Hashing functions are typically created to minimize the chance of collisions and make it hard to just calculate something that will produce the same hash as something else

[security] Difference between Hashing a Password and Encrypting it

Is encryption good?

Cryptographic hash function (one-way-only)

Examples related to security

Examples related to language-agnostic

Examples related to encryption

Examples related to hash

Examples related to passwords