What's the difference between a hashed and an encrypted password?

Encryption vs. Hashing

Nobody really "encrypts" a password, although you could... but you'd be encrypting it with another password, and you would need that password to decrypt the first password. When it comes to passwords, we normally hash them.

  • Hashing is simply one-way. You cannot get the string back, you can only check to see if a string validates against a hash. If your string validates against the hash, this does not guarantee that it's the same "password," but you can log in with it because you've found a collision. The "message"/password is usually limited to a small number of characters, relatively speaking.

  • Encrypting is two-way. For example, you have an algorithm, a key, and a message. Using the key, you can unlock the message. Usually, the message could be of arbitrary size.


Makeshift Flowchart Examples

I made a couple of flowcharts that are overly simplified. Hope it helps.

[Flowchart image: hashing]

See the above? It doesn't make any sense that you would get the "message" back. Why? You're already entering the password, which is the "message" itself.

Now look at this:

[Flowchart image: encryption]

With encryption, you're getting the decrypted message back if the decryption key is correct. You use the key to unlock the encrypted contents.

With hashing, you already have the "message" if it validates, or a collision. What you enter is the message.
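To put the two shapes from this answer side by side in code, here is an added example (written for this page, not the answerer's own code). It uses the standard library only: PBKDF2-HMAC-SHA256 for the one-way side, and for the two-way side an illustrative encrypt-then-MAC construction built from an HMAC keystream. That construction, the 50,000 iteration count and the sample password are assumptions made for the demo; it shows the "algorithm + key + message" shape, it is not a standard cipher, and real code should use AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the example runs quickly;
# production deployments use a much higher count (assumption for this demo).
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way: return (salt, digest). Nothing can turn the digest back into the
    password; the only operation available later is 'recompute and compare'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


# Two-way: algorithm + key + message. Illustrative construction only (assumption):
# keystream = HMAC-SHA256(enc_key, nonce || counter) XORed with the plaintext,
# then an HMAC tag over nonce || ciphertext under a separate mac_key
# (encrypt-then-MAC). Not a standard cipher; use AES-GCM or ChaCha20-Poly1305.

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys so the two HMAC uses never collide."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Anyone holding `key` can reverse this."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Recover the plaintext with the right key; return None for a wrong key
    or tampered data instead of handing back garbage."""
    if len(blob) < 16 + 32:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Constructed sample: the same secret stored both ways."""
    secret = "correct horse battery staple"
    salt, digest = hash_password(secret)        # store these; the password itself is gone
    key = os.urandom(32)                         # a second secret that must itself be protected
    blob = encrypt(key, secret.encode("utf-8"))  # store this; recoverable only with `key`
    return {
        "hash_verifies": verify_password(secret, salt, digest),
        "hash_rejects_wrong": verify_password("Tr0ub4dor&3", salt, digest),
        "decrypt_with_key": decrypt(key, blob),
        "decrypt_wrong_key": decrypt(os.urandom(32), blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note the asymmetry in what each side needs at login time: `verify_password` needs only what the user typed plus the stored salt and digest, while `decrypt` needs a key that is not the user's input at all and therefore has to live somewhere an attacker might reach.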


A hash is an irreversible process: one function, 'hash', which cannot be "reversed". Once you have a hash, you can only guess the original password via a brute force attack, which involves hashing a variety of possible passwords until you end up with the same hash value, which indicates that the password you guessed is the same as the original.

Encryption is a reversible process: two functions, 'encryption' <-> 'decryption'; that which is encrypted can be decrypted if you have the key; decryption recovers the original password without guessing.

The security of a hashed password depends largely on the amount of computation required to perform the hash function. The more computation required, the longer it takes; since a brute force attack must repeat that computation for thousands or millions of possible passwords, the longer each individual hash computation takes the less practical the attack becomes.

The security of an encrypted password depends on the soundness of the algorithm and the secret of the key.

The benefit of hashing is that no key is required, which improves the overall security of the system - one less secret piece to be kept out of the hands of the attacker.
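To make the point about computation cost concrete, here is an added example (written for this page, not part of the answer) that runs the guess-and-check attack the answer describes against a PBKDF2-HMAC-SHA256 hash at two different work factors. The six-entry wordlist, the target password "hunter2" and the iteration counts of 1,000 and 100,000 are constructed for the demo; the attacker must pay the full per-hash cost for every guess, so raising the iteration count raises the attack's cost by the same factor.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Constructed wordlist standing in for an attacker's dictionary (assumption for the demo).
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; `iterations` is the tunable amount of work per hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def brute_force(salt: bytes, digest: bytes, iterations: int,
                wordlist: List[str]) -> Tuple[Optional[str], int]:
    """The only move an attacker has against a hash: hash each guess with the
    same salt and iteration count and compare. Returns (match, hashes computed)."""
    computed = 0
    for guess in wordlist:
        computed += 1
        if hmac.compare_digest(hash_password(guess, salt, iterations), digest):
            return guess, computed
    return None, computed


def attack_cost(iterations: int, target: str) -> dict:
    """Hash `target` at the given work factor, then measure a dictionary attack on it."""
    salt = os.urandom(16)
    digest = hash_password(target, salt, iterations)
    start = time.perf_counter()
    found, computed = brute_force(salt, digest, iterations, WORDLIST)
    return {"iterations": iterations, "found": found,
            "hashes_computed": computed, "seconds": time.perf_counter() - start}


def compare_work_factors(target: str = "hunter2") -> Tuple[dict, dict]:
    """Same password, same attack, 100x the iterations: the attacker pays 100x per guess."""
    return attack_cost(1_000, target), attack_cost(100_000, target)


if __name__ == "__main__":
    cheap, expensive = compare_work_factors()
    for r in (cheap, expensive):
        print(f"iterations={r['iterations']:>7}  found={r['found']!r:>10}  "
              f"hashes={r['hashes_computed']}  time={r['seconds']:.4f}s")
    # A password outside the wordlist is never recovered, only ruled out guess by guess.
    print(attack_cost(1_000, "not-in-any-wordlist"))
```

The defender pays the higher work factor once per login; the attacker pays it once per guess, which is why the ratio matters more than the absolute time. Contrast this with the encrypted case, where whoever obtains the key recovers every password in one operation each, with no guessing.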