Skip to main content
Cryptography Basics
CHAPTER 07

Password Security and Hashing

Updated: May 15, 2026
25 min read

# CHAPTER 7

Password Security and Hashing

1. Introduction

The most catastrophic security breaches in history—from Yahoo to LinkedIn—often stem from a single, horrific database flaw: storing user passwords in plaintext. If a hacker steals a plaintext database, the game is over. To protect user credentials, software engineers rely on a highly specialized application of cryptography: Password Hashing. In this chapter, we will explore why standard hashes fail against modern password cracking, and how "Salting" and specialized hashing algorithms (Bcrypt/Argon2) defend against billion-dollar data breaches.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Understand why storing passwords in plaintext or using two-way encryption is a severe security failure.
  • Explain the password hashing authentication workflow.
  • Define a "Rainbow Table" attack.
  • Understand the critical role of Cryptographic Salting.
  • Identify secure password hashing algorithms (Bcrypt, Argon2) vs. fast hashing algorithms (SHA-256).

3. Beginner-Friendly Explanation

Imagine a nightclub bouncer who is terrible at keeping secrets.
  • Plaintext (Bad): You tell the bouncer your secret password ("Apple"). He writes "Apple" in a notebook. A thief steals the notebook and knows everyone's password.
  • Hashing (Better): You say "Apple." The bouncer puts "Apple" through a math formula, turning it into #8xZ. He writes #8xZ in the notebook. When you come back, you say "Apple", he does the math again, gets #8xZ, checks the notebook, and lets you in. If the thief steals the notebook, they only see #8xZ, which they can't reverse.
  • Salting (Best): Two people both choose the password "Apple". To prevent them from having the exact same #8xZ in the notebook, the bouncer adds a random word (a Salt) to the end before doing the math. Person A becomes "Apple+Dog". Person B becomes "Apple+Cat". They now have completely different entries in the notebook, confusing the thief.

4. Why Not Encryption?

Why don't we use AES-256 to encrypt passwords in a database? Because encryption is *two-way*. If you encrypt the passwords, you must store the decryption key on the server. If a hacker compromises the server, they steal the database *and* the key, allowing them to decrypt every password instantly. Passwords should be Hashed (one-way). The server should *never* know what your actual password is.

5. Rainbow Tables and Brute Force

If a hacker steals a database of SHA-256 hashes, they cannot reverse them. Instead, they use a Dictionary Attack. They take a list of 10 million common passwords (like password123), hash them all, and compare the outputs to the stolen database. To speed this up, hackers use Rainbow Tables—massive pre-calculated databases containing billions of passwords and their corresponding hashes. A rainbow table can crack thousands of hashes in seconds.

6. The Defense: Salting

To defeat Rainbow Tables, we use Salting. A Salt is a randomly generated string of characters added to a password *before* it is hashed. Hash(Password + Salt) Because the Salt is unique for every single user, the hacker's pre-computed Rainbow Table is completely useless. The hacker is forced to calculate the hash from scratch for every individual user, slowing the attack to a crawl.

7. Mini Project: Build a Secure Password Hash (PHP Concept)

Let's look at how modern web applications handle this securely using PHP's built-in cryptographic functions.

The Right Way (Bcrypt):

php
12345678910111213141516 
// 1. User registers with a password
$password = 'MySecretPassword123!';

// 2. The server automatically generates a Salt and hashes it using Bcrypt
$passwordHash = password_hash($password, PASSWORD_BCRYPT);
// The resulting $passwordHash looks like: $2y$10$w... (It includes the algorithm, cost factor, and salt!)

// 3. User tries to log in later
$loginAttempt = 'MySecretPassword123!';

// 4. The server verifies the attempt against the stored hash
if (password_verify($loginAttempt, $passwordHash)) {
    echo "Login successful!";
} else {
    echo "Invalid password.";
}

8. Real-World Scenarios

In 2012, LinkedIn suffered a breach exposing 6.5 million user passwords. The passwords were hashed using SHA-1, but crucially, they were unsalted. Hackers easily dumped the hashes into automated cracking rigs and quickly matched them against Rainbow Tables, recovering the plaintext passwords of millions of users in days. LinkedIn learned a very hard, very public lesson about cryptographic salting.

9. Best Practices

  • Use Slow Algorithms (Key Stretching): SHA-256 is designed to be incredibly fast. A modern GPU can calculate 50 billion SHA-256 hashes per second. This is *terrible* for password security. You want a slow algorithm. Algorithms like Bcrypt or Argon2 have a "Cost Factor" that intentionally forces the computer to spend a quarter of a second calculating the hash. For a normal user logging in, a quarter-second delay is unnoticeable. For a hacker trying to guess 1 billion passwords, that delay makes the attack mathematically impossible.

10. Legal and Ethical Notes

If a company suffers a data breach and an investigation reveals they stored user passwords in plaintext or used a deprecated algorithm like MD5 without salting, they will face catastrophic fines under regulations like GDPR for gross negligence in protecting consumer data.

11. Exercises

  1. 1. Explain why a Rainbow Table is highly effective against unsalted hashes, but completely useless against salted hashes.
  1. 2. Why is an algorithm like SHA-256 considered excellent for verifying file integrity, but a poor choice for hashing user passwords?

12. FAQs

Q: Do I need to keep the Salt a secret? A: Surprisingly, no. The Salt is stored in plaintext right next to the hash in the database. The security of the Salt does not rely on secrecy; it relies entirely on its *uniqueness*. By making the hash unique, it defeats pre-computed tables.

13. Interview Questions

  • Q: Detail the cryptographic workflow of authenticating a user via a salted hash. Why is it architecturally safer than storing an AES-encrypted password?
  • Q: Compare and contrast the use cases for SHA-256 versus Argon2. In a modern web application, where would you deploy each algorithm?

14. Summary

In Chapter 7, we tackled the most prevalent vulnerability in software architecture: credential storage. We established that passwords must never be stored in plaintext or encrypted (two-way). We adopted one-way Hashing as the standard, but recognized that speed is the enemy of password security. By implementing Cryptographic Salting to defeat Rainbow Tables, and utilizing intentionally slow algorithms like Bcrypt or Argon2 (Key Stretching), we can architect databases that remain secure even if they fall into the hands of an attacker.

15. Next Chapter Recommendation

We know how to keep a message secret (Encryption), and how to prove it hasn't been altered (Hashing). How do we prove who actually sent it? Proceed to Chapter 8: Digital Signatures and Authentication.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Hashing and Data Integrity
Next Chapter Digital Signatures and Authentication

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5