Today's lesson will be on hashes, encryption, and salts. Encryption and hashes are often mixed up because most people who use these two words can't tell them apart. I'm going to teach you what they are and how they work together.
What is encryption?
Encryption is a process that turns data into an unreadable format that requires a key or password. Encryption is generally used for files, where you will need to decrypt it to use it again.
What is salt?
Salt is just an added security feature for passwords. Basically, it adds a phrase to the password. So if a user's raw original password was "pass" and the salt was "alei3hs", then the combined password would be "passalei3hs". Salts are usually randomly generated and unique to each user. Another way to add to the password is to add a global phrase, like "mysite" where everybody's added password would have "mysite" at the end of it. Phrases that are the same throughout the site are called keys.
What is a hash?
A hash is an advanced mathematical formula that converts a string into a non-reversible format. Hashes are mainly used for creating secure passwords. It is a one way street so there is no undo. It is impossible to revert back to the original raw string using just the hash.
What types of hashes are good for passwords?
The two types of hashes that most programmers use are MD5 and SHA. MD5 creates a 32 character hash and SHA creates a 40 character hash. SHA is generally considered more secure.
How do you hash a string?
// Produces "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" sha1('password'); // Produces "5f4dcc3b5aa765d61d8327deb882cf99" md5('password');
If hashes have a limited amount of characters, how does it hold an infinite possibility of strings?
They're environmental friendly so they recycle. Both MD5 and SHA only use 0-9 and a-f in their final result. Raise to the power of 32 MD5 characters for... (uhh... starts with a 3 and tells me to move 38 decimal places... I don't even know what that number is) number of possibilities and 40 SHA characters for... (forget it, I'm not even going to try to analyze this number) number of possibilities. The same hash could be reused for a different input. So "hello" could produce the same result as "goodbye".
But doesn't that mean I can guess the original input?
In short, yes. Hashes can be guessed. Kinda like how you can guess the lottery. The chance of finding a match? A billion to one.
But you claimed it was impossible to get the original input!
As stated above, hashes are reused. If I just told you the answer is 2, then it's impossible for you to go back to the original question. You can find something that matches that answer, like 1+1, 2+0, 3-1, or even 100000-99998 and they would all be correct, but you still wouldn't know which one was the original.
What is the difference between encryption and hash?
Simply put, hashing is a one way street. As stated above, once you hash a string it is impossible to get the original. Encryption is meant to be decrypted so you can use the raw data later.
If you can't reverse the hash, how can I check user's passwords?
A hash created by the same method will always produce the same result. Just hash the password before inserting it into the database. When they try to login, hash the password again using the same method before comparing it with the database.
That's enough for today folks. Just keep in mind that a hash is your last line of defense. You shouldn't even allow hackers to get the hash in the first place. Your hashing method is as much of a secret as the hash itself.