5 Replies - 767 Views - Last Post: 25 February 2013 - 12:08 AM

#1 byrandomby1

Why should passwords be hashed (in database)

Posted 23 February 2013 - 03:30 AM

Why should account passwords be hashed (in database)?

Reasons I can think of:
Database admins (or hackers) won't know the passwords

Is there any other reason?

Replies To: Why should passwords be hashed (in database)

#2 Dormilich


Re: Why should passwords be hashed (in database)

Posted 23 February 2013 - 03:30 AM

Ain't that enough of a reason?

#3 JackOfAllTrades


Re: Why should passwords be hashed (in database)

Posted 23 February 2013 - 11:14 AM

They should not only be hashed, but salted and hashed.

#4 macosxnerd101


Re: Why should passwords be hashed (in database)

Posted 23 February 2013 - 11:45 AM

A hash, unlike encryption, isn't reversible. So even if someone sees the hash, they cannot reverse engineer the password. Think of a hash like a math function, so hash(password). If someone intercepts the hash and tries to login with it, the hash will be rehashed. So hash(hash(password)) != hash(password).

#5 sharmani909


Re: Why should passwords be hashed (in database)

Posted 24 February 2013 - 10:28 PM

A first thing to note is that there are many people who talk about encrypted passwords but really mean hashed passwords. An encrypted password is like anything else which has been encrypted: it has been rendered unreadable through a process which used an extra piece of secret data (the key) and which can be reversed with knowledge of the same key (or of a distinct, mathematically related key, in the case of asymmetric encryption). For password hashing, on the other hand, there is no key. The hashing process is like a meat grinder: there is no key, everybody can operate it, but there is no way to get your cow back in full moo-ing state. Whereas encryption would be akin to locking the cow in a stable. Cryptographic hash functions are functions which anybody can compute, efficiently, over arbitrary inputs. They are deterministic (same input yields same output, for everybody).

In shorter words: if MD5 or SHA-1 is involved, this is password hashing, not password encryption. Let’s use the correct term.

Once hashed, the password is still quite useful, because even though the hashing process is not reversible, the output still contains the “essence” of the hashed password and two distinct passwords will yield, with very high probability (i.e. always, in practice), two distinct hashed values (that’s because we are talking about cryptographic hash function, not the other kind). And the hash function is deterministic, so you can always rehash a putative password and see if the result is equal to a given hash value. Thus, a hashed password is sufficient to verify whether a given password is correct or not.

This still does not tell us why we would hash a password, only that hashing a password does not forfeit the intended usage of authenticating users.

This post has been edited by Dormilich: 24 February 2013 - 11:22 PM
Reason for edit: Removed spam links

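Added example (editorial, not code from any post in this thread): the points made in #3, #4 and #5 in working Python. Each password gets a random salt and is run through a slow key-derivation function (PBKDF2-HMAC-SHA256 via the standard library; the algorithm and the iteration count are this example's assumptions, not something the thread prescribes). Verification re-hashes whatever the user submits with the stored salt, so two users with the same password get different records, a stolen record submitted as the password is rejected, and the same salt plus the same password always reproduces the same hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (an assumption, not a recommendation
# from the thread): PBKDF2-HMAC-SHA256, 16-byte random salt, 200k iterations.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'algo$iterations$salt_hex$hash_hex'.

    The salt is random per password, so identical passwords produce different
    records and a table precomputed for one salt is useless against the rest.
    The iteration count makes every guess an attacker tries proportionally slower.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt/iterations and compare.

    The stored hash is never 'reversed'; we only check whether hashing the
    candidate reproduces it. hmac.compare_digest runs in time independent of
    where the two values first differ, so timing leaks nothing about the hash.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(hash_hex)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Exercise the properties discussed in the thread on constructed sample data."""
    shared = "correct horse battery staple"          # constructed sample password
    alice_record = hash_password(shared)
    bob_record = hash_password(shared)
    fixed_salt = b"\x00" * SALT_BYTES                # constructed salt for the determinism check
    return {
        # #3: salting makes two users with the same password look different in the DB
        "same_password_different_records": alice_record != bob_record,
        # #5: deterministic, so the right password still verifies against its record
        "correct_password_verifies": verify_password(shared, alice_record),
        "wrong_password_rejected": not verify_password(shared + "r", alice_record),
        # #4: a stolen record submitted as the password is hashed again, so it fails
        "replaying_stored_hash_fails": not verify_password(alice_record, alice_record),
        # #5: same password and same salt always yield the same hash
        "deterministic_with_same_salt":
            hash_password("x", fixed_salt) == hash_password("x", fixed_salt),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that MD5/SHA-1 as mentioned in #5 are fast general-purpose hashes; for stored passwords you want a deliberately slow, salted construction like the one above (or bcrypt/scrypt/Argon2), so that an attacker holding the database cannot test billions of guesses per second.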

#6 no2pencil


Re: Why should passwords be hashed (in database)

Posted 25 February 2013 - 12:08 AM

sharmani909, on 25 February 2013 - 12:28 AM, said:

A first thing to note is that there are many people who talk about encrypted passwords but really mean hashed passwords.

To be fair, the op never used the word 'encrypted'. The encrypted vs hashed discussion isn't really valid here, imo.