You might have heard about a data breach where password files were stolen, or wondered how your information is kept secure online. One of the best ways companies can secure online information is by hashing login information. What is hashing, and why is it important?
A hash function is a cryptographic function that takes data of any length and converts it into a hash (also called a digest) of a fixed size. For instance, passwords of any length run through the same hash algorithm all produce hashes of the same length, but each different password produces a different hash. This secures the password data while still letting a computer system verify that login information is authentic, so that, for example, a person can log in to a website. Another use of hashes is verifying that data has not been modified, through a checksum: a hash is produced for some data, such as a document or file, and the recipient computes the checksum of the data received, compares it to the original checksum, and confirms that the file has not been changed.
If the hash file is stolen, then depending on the hash algorithm used, the underlying data may still be inaccessible to the thieves. But as computers have grown in capacity and speed over the years, some hashing algorithms can now be defeated easily and are no longer secure. One notable example is the SHA-1 algorithm, which had been considered theoretically insecure for over a decade and whose insecurity Google demonstrated in practice this year by producing a collision, that is, two different inputs that produce the same hash value.
Another widely used hashing function is MD5, which, despite its popularity, is no longer a secure hashing function. MD5 was listed under insecure cryptographic storage in the OWASP Top Ten as early as 2007. Researchers have continued to produce examples of how and why MD5 and SHA-1 should no longer be supported by software companies, but for the time being, with MD5 at least, it seems that support will continue.
While there is no easy way for customers to determine how a company stores their information, they can try to find out whether the company follows hashing best practices. These include salting passwords before they are hashed (adding random numbers at the beginning and end to further obfuscate the real data) and using a secure hashing algorithm such as SHA-256.
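The two uses described above, salted password hashing with login verification and a file checksum, as an added example that is not part of the original article. It uses Python's standard library only; the iteration of SHA-256 through PBKDF2 and the 16-byte salt size are the example's own assumptions, chosen so that each guess against a stolen hash file costs more than a single hash computation.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed for this example (not stated in the article): SHA-256 is iterated
# via PBKDF2 so that checking one password guess costs many hash operations.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def sha256_checksum(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, used as an integrity checksum."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """True only if the received data hashes to the published checksum."""
    return hmac.compare_digest(sha256_checksum(data), expected_hex.lower())


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, stored))  # True
    print(verify_password("Correct horse battery staple", salt, stored))  # False
    # Same password, different salt: the stored hashes differ, so two users
    # with the same password are not recognisable in a stolen hash file.
    _, stored_again = hash_password("correct horse battery staple")
    print(stored != stored_again)  # True
    # Constructed document: changing one byte changes the whole checksum.
    doc = b"Quarterly report v1\n"
    expected = sha256_checksum(doc)
    print(checksum_matches(doc, expected))  # True
    print(checksum_matches(doc.replace(b"v1", b"v2"), expected))  # False
```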