Hashing vs Salting: How do these functions work?

Quick Hits

• Hashing takes plaintext data elements and converts them into consistent ciphertext outputs used for data verification.
• Salting adds random characters to data, like passwords, to thwart hackers who look for consistent words and phrases in sensitive data in order to decode it.

Are you intrigued about how large companies, like Facebook and Google, keep passwords for billions of users safe from hackers? Is there a super-secret vault filled will all 2.9 billion Facebook passwords? What happens to the 1.5 billion Gmail account users if a hacker stumbles upon the list of Gmail passwords? 

Thankfully, password storage doesn’t work like that. In fact, for many companies, there are no passwords stored in any of their internal systems. Instead, these companies use hashing and salting methods to utilize customer passwords without storing them at all. 

What are Hash Functions? 

Hash functions are a one-way calculation used to verify data. No matter the size of the input, a hash function will give an output of the exact same length every time. Additionally, hashing is a persistent calculation, which means the same input will always result in the same output. If even a single character of the input is changed, the hash output is completely changed.

Hash functions are one-way functions, unlike encryption which is a two-way function. Encrypted data is made to be encrypted and then decrypted. Hash functions have no need to be reverted into their original form, which makes it nearly impossible for them to be unscrambled. 

Having a consistent irreversible output may seem like a niche function, but it can be incredibly useful. Let’s look at a few examples of how hash functions are utilized. 

Hash Function Example 

Hash functions can take plaintext passwords and transform them into a ciphertext that erases all traces of the original plaintext. 

When a user first creates a password, a hash is algorithmically created and stored within the system. This exact hash output, whether it’s a string of numbers or characters, will be created whenever the password is correctly entered. Whenever a hash is created that matches the stored hash, the password’s authenticity is verified. 

This allows systems to verify passwords, without saving the password plaintext within their system. Hashes are safe to store as they cannot be reverse-engineered to gain the original password.  

Hash functions are most often used for these kinds of verification purposes. They’re a more secure version of encryption, perfect for any scenario where you don’t need the data reverted into its original form. If all that’s needed from a piece of data is identification or verification of data integrity, hashes are the perfect tool for the job. 

What is Salting? 

While reversing hashes is not impossible, just incredibly difficult, many systems want to take password security a step further.  

Salting a piece of data is done by adding additional random characters to the text in order to strengthen it. This is most often done with passwords: adding random characters to the beginning or end of a password to prevent it from being easily guessed by a hacker.  

Salting Passwords Example 

Salting is particularly important for dictionary attacks, attacks where hackers brute force password attempts by cycling through common words used in passwords. A lot of us like to use words instead of random characters because they’re easier for us to remember. Unfortunately, that also makes them easier to guess. 

Salting an easily guessed password adds to its security. Let’s take one of the top 20 most common passwords in 2022 ‘Iloveyou.’ All of these are common words, in an incredibly common formation, which would make this password ridiculously easy for a hacker to guess. However, with the addition of a few random characters to the beginning “3dQkrIloveyou” or the end “Iloveyou08m4” the salted password cannot be solved with a dictionary attack alone.

Hashing and Salting 

Hash salting is a mixture of hashing and salting used to even further secure sensitive data, like passwords. By first adding salt to a password that is going to be hashed, all of the hashes are less sensitive to being reverse-engineered. Because adding the salt creates a completely different hash than would otherwise be created, the real hash value of the password is hidden. This real hash value is easier to reverse, especially if a hacker got their hands on a large number of hashes.  

Hashing salting is essentially an additional step to keep passwords out of the hands of malicious hackers. 

It works rather simply, when a password is collected, salt is added to the password. This password is then hashed. Any hacker trying to decode salted passwords at scale is now at a disadvantage, he will not be able to identify even common passwords because they’ve been salted. A simple addition of salt on the front end of the process increases the security of the hashes without adding too much friction to the overall process.  

Simple tools, like hashing and salting, may not seem revolutionary. Yet they protect sensitive data without adding much additional challenge to the existing system. You’d be surprised how many systems hold data they don’t need when simple tools keep their functionality and remove their security risk.  

If you’re interested in an even more flexible data security tool that removes sensitive data from internal systems, be sure to read about tokenization. Using similar principles to hashing, tokenization has found a way to maintain data utility while removing the original data from internal systems.