Hashing vs. Encryption: What is the difference?

Hashing vs. Encryption

How does a website or an app know that you're entering the correct password? Well, it's easy to assume that the system looks at what you've written and then compares it to what it has on file. More or less this is indeed how modern online authentication works. There is one additional step, though, and, as is often the case, it can make the difference between staying secure and being exposed.

Websites we sign up for are tasked with doing everything they can to keep the bad guys out of our accounts, and the most common way in is through our passwords. Passwords need to be stored somehow, and that is a problem: if they're kept in plain form and the hackers get to them, some copy-pasting is all it takes to compromise quite a few accounts. You face a very similar problem if you're diligent enough to know that you can't remember all the unique passwords you need and have decided to store them digitally. You never know when a piece of malware is going to steal all-my-passwords.xlsx.

Cryptography comes to the rescue

Encryption and hashing are both cryptographic processes. They transform "mysecretpassword" (a terrible password to use, by the way) into an unintelligible string of characters, and it is that string, not the password, that is stored in the database. The next time you sign in, "mysecretpassword" goes through the same process, and the resulting string is compared to what's in the database. The crucial bit is that if the hackers somehow obtain the stored string and paste it into the Password field, it won't work.

What, then, is the difference between hashing and encrypting passwords?

It's simple: a hash is one-way, so there is no way of turning the hash value (the string you get after hashing) back into the plain text, whereas encryption is two-way: whoever holds the key can reverse the process. Let's delve into a few details.

Hashing: the solution for the World Wide Web

Here's something you should probably bear in mind. The online service providers you use and their employees shouldn't be able to see your password. If they send it to you via email or if they request it over the phone or live chat, this means that your password isn't hashed and therefore isn't stored securely.

Hashing truly is the only way to go if you're building an online service. As we mentioned already, it's a one-way process, meaning that if it's implemented correctly, the hackers can't reverse the stored values to get users' plaintext passwords even if they do obtain the database. What they can still do is guess: hash candidate passwords and compare the results, which is why the choice of algorithm and the use of salts, discussed below, matter so much.

Different people create different passwords. Many use simple, easy-to-guess keyboard patterns and words, while others rely on long, seemingly random passphrases. One of the useful properties of hashing is that the output is always the same length: the hash values of "abc123" and "correcthorsebatterystaple" will be exactly as long as each other, so the hash alone doesn't tell the hackers whether they're up against a short password or a long one. There are pitfalls, though.

The world is evolving, and things that worked a few years ago don't anymore. In much the same way, hashing algorithms that were once considered acceptable for passwords have long been condemned to the "bad idea" category: fast general-purpose hashes such as MD5 and SHA-1 let an attacker with a few GPUs try billions of guesses per second. There is no single conclusive answer to the question of which algorithm you should use, but most experts agree on a deliberately slow, purpose-built password hash such as bcrypt or scrypt (Argon2 and PBKDF2 are the other common choices). Even the strongest hashing algorithms might not be enough to protect users on their own.

The hackers have also developed a shortcut for brute force known as a rainbow table. A rainbow table is a precomputed, compressed index of the hashes of a huge set of candidate passwords. Although a typical table weighs in at several dozen gigabytes, it lets the attacker look up a stolen hash instead of recomputing the hash of every guess, which makes the cracking process much quicker, as long as every user's password was hashed the same way, with nothing else mixed in.

Another problem with relying only on hashing is the fact that many users pick identical passwords. Identical passwords under identical hashing algorithms produce identical hash values, so one cracked hash exposes every account that shares it.

To defeat rainbow table attacks and work around users' less-than-ideal password-creating habits, cryptographers use salting. Salting means adding a random string of characters, unique to each user, to the password before you hash it, and storing that salt next to the hash. As a result, the system will never store two identical hash values for two identical passwords, and because a precomputed table would have to be built separately for every salt, the hackers can't use rainbow tables to recover common passwords in plain text.

Of course, salts won't help if they're not reasonably long (16 random bytes is a common choice) and, crucially, unique per user. Salts don't need to be secret, since they're stored right next to the hash; what protects weak passwords once the database is stolen is the slowness of the hashing algorithm, which limits how many guesses the crooks can try per second. All in all, storing other people's passwords is not an easy task. But what about storing your own login data?

Encryption: the way to keep your personal details safe

Obviously, safeguarding other people's data is a huge responsibility, but this doesn't mean that you should neglect your own login credentials. As you probably know by now, your passwords must be long, complex, and crucially, unique. Remembering so many passwords is simply not possible which means that you must think of a storage solution.

Pasting them into a text file is not a good idea, but neither is hashing them: you would never get them back. You need a two-way process that keeps them unreadable most of the time while letting you access them when the need presents itself. This is where encryption comes in.

If you put a hash value next to an encrypted version of a password, you might be confused as to which is which. They both look like random characters bundled together, and they both bear no resemblance to the actual password. The difference lies in how the password was turned into the random-looking string. This difference also allows the encrypted data to be reverted back to its original format.

Encryption uses a key to scramble information, and, as we all know, keys both lock and unlock things: the same key (or its matching counterpart, in public-key schemes) turns the scrambled data back into the original. With hashing, there is no key, and therefore no way of getting back the original password.

Once again, if encryption is to be secure, it needs to be done properly. Choosing the right algorithm is critical, and so is making sure that the key that decrypts the data is properly secured. If the key is derived from a master password, that derivation must use a slow function so that the master password can't simply be guessed, and the key should exist only where and when the data is actually being unlocked.

When you have a server that needs to hold the login data of thousands upon thousands of users while making sure that everything runs smoothly, keeping a decryption key secret is not easy to achieve, and a stolen key would expose every password at once. That's why security experts say that online service providers should stick to hashing. Luckily, when your own personal data is involved, you have tools that can help you securely encrypt your passwords.

Cyclonis Password Manager, for example, uses AES-256 to scramble your usernames, passwords, and the rest of your personal information. Using a master password of your choice, it creates an encryption key which is never transmitted to our servers.

In addition to encrypting your sensitive data, Cyclonis Password Manager comes with a number of features that can make your life a lot more convenient. The Cyclonis Password Manager Wallet, for example, lets you save a lot more than your login data. Payment details, profile information, and Private Notes can all be organized in your vault, and thanks to the browser extension, all this will be within arm's reach whenever you need it.


October 12, 2018
