What does hashing mean?

07 August 2018

Hashing is basically a form of encryption used to keep data safe.

Typically used to protect user passwords, a hashing algorithm turns pieces of data into a random alphanumeric value. So if a hacker manages to access data, such as a password cache, they just find random-looking strings of characters.

Hashing differs from typical encryption, as it cannot be reversed with a key. Hashed data is not designed to be decrypted – a password entered by a user is passed through the hashing algorithm and the result is compared against the hashed password stored on the database. This means organisations can avoid storing passwords on their systems, and just focus on storing the encrypted data.

Hackers deliberately target passwords alongside personal data, like contact details, which they then sell on the dark net or use to access accounts.

In June, German sportswear company Adidas warned that hackers may have accessed usernames and encrypted passwords belonging to millions of customers using its US website. A 2017 report estimates that some 3 billion user credentials and passwords were stolen in 2016 alone, a figure that could reach 300 billion passwords by 2020.

Subscribe to our  Latest Cyber Decoder newsletter

Why does it matter?

Hashing is a fairly basic cyber security measure for protecting user passwords and can significantly mitigate the impact of a data breach. Without it, stolen passwords could be used immediately by hackers and cyber criminals.

However, depending on the type of hashing used to scramble passwords, it can make a big difference. Hashed data can be deciphered by a brute force attack, where a computer systematically generates possible combinations until the encrypted data is cracked. Hackers also produce tables of hashed data in advance to compare against stolen encrypted data.

Hashing is easy to perform, but is deliberately difficult to reverse. Done well, hashed passwords become unfeasible to decipher, but some algorithms produce hashed passwords that can be more easily cracked by decrypting techniques. For example, some hashing algorithms are designed to be very fast and efficient, but can be compromised quickly by ‘brute force’, while algorithms that typically require more computational expense are more secure.

Hashing is also made more effective when users choose strong passwords. Hackers may reveal an encrypted password by comparing it to a list of commonly used (but hashed) passwords. Longer more complex passwords also take longer to crack using brute force.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com.