What happens when you sign up for a website? Where does your password go? And, more importantly, can someone see it?
Turns out, if a website is poorly designed, the answer is yes. And that's a huge problem.
That's where hashing comes in.
I. what?
Hashing is a process that takes your password and transforms it into a fixed-length string of characters using a mathematical function. Unlike encryption, which can be reversed with a key, hashing is a one-way process: there is no key that turns the hash back into the original password. (It can still be guessed, though: anyone who hashes the same candidate password gets the same output, so the strength of the password and of the hashing scheme both matter.)
For example, if you hash the password "password123" with SHA-256, you get:
ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
No matter how many times you hash “password123”, you’ll always get the same result. But even the slightest change (like “Password123”) creates a completely different hash.
II. why?
Storing passwords as plain text is a terrible idea. If a database gets hacked, every single user’s password is exposed.
Imagine if Facebook, Google, or your bank stored passwords like this:
| Username | Password |
|---|---|
| Alice | mypassword123 |
| Bob | 123456 |
| Charlie | qwerty |
That means if hackers steal this database, they get instant access to millions of accounts.
Instead, websites should store hashed passwords:
| Username | Password hash |
|---|---|
| Alice | e99a18c428cb38d5f260853678922e03 |
| Bob | d41d8cd98f00b204e9800998ecf8427e |
| Charlie | 098f6bcd4621d373cade4e832627b4f6 |
(The values in this table are illustrative placeholders: they are 32-character MD5 digests, not SHA-256 hashes of the passwords above. A SHA-256 digest is 64 hexadecimal characters, like the one in section I.)
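As an added example (not code from the original page), here is the difference between a table like the one above and what a production system should do. The first half stores plain, unsalted SHA-256 hashes: because equal passwords give equal hashes, an attacker hashes a list of common passwords once and looks every user up in that one table. The second half stores each password with a random per-user salt and a deliberately slow derivation, PBKDF2-HMAC-SHA256 from Python's standard library (Argon2id, bcrypt or scrypt are the usual production choices; the 600,000-iteration figure is OWASP's current recommendation for PBKDF2-HMAC-SHA256). The user table and the candidate password list are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the original page): the plaintext table
# from the article plus a short list of the passwords an attacker tries first.
USERS = {"Alice": "mypassword123", "Bob": "123456", "Charlie": "qwerty"}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "111111"]


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a naive 'hashed' table does: one deterministic SHA-256 per password."""
    return {name: sha256_hex(pw) for name, pw in users.items()}


def crack_unsalted(stored: dict, candidates: list) -> dict:
    """Dictionary attack: hash each candidate once, then match it against every user.

    No salt means the same precomputed table serves all users at once, and
    hashing a candidate costs a single fast SHA-256 call.
    """
    lookup = {sha256_hex(c): c for c in candidates}
    return {name: lookup[h] for name, h in stored.items() if h in lookup}


# --- the fix: a random per-user salt and a deliberately slow derivation ---
ITERATIONS = 600_000  # OWASP's recommended work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = secrets.token_bytes(16)  # 128-bit random salt, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Unsalted, fast hashing: Bob and Charlie fall to one lookup; Alice only
    # survives because her password is not in this short candidate list.
    print(crack_unsalted(store_unsalted(USERS), COMMON_PASSWORDS))
    # Salted, slow hashing: the same password stored twice yields two different
    # records, so a precomputed table is useless and each guess costs 600k rounds.
    record_a = hash_password("123456")
    record_b = hash_password("123456")
    print(record_a != record_b, verify_password("123456", record_a), verify_password("12345", record_a))
```

Running the block prints `{'Bob': '123456', 'Charlie': 'qwerty'}` for the unsalted table, then `True True False` for the salted records. Note that the salt is stored in the clear next to the digest; its job is not secrecy but making every stored hash unique so that work cannot be shared across users or precomputed.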
III. how?
We'll take SHA-256 as an example.
At its core, SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic function that transforms any input into a 256-bit fixed-length output using a series of mathematical operations.
Here's a quick breakdown of how it works:
- Bit Operations & Padding: Your password is converted into bytes, a single 1 bit (0x80) is appended, then zeros, then the original message length as a 64-bit integer, so that the total is a multiple of the 512-bit block size.
- Message Schedule: Each 512-bit block is split into sixteen 32-bit words, which are expanded into a 64-word message schedule using bit rotations, shifts and XOR.
- Hash Computation: The eight 32-bit working variables are mixed through 64 rounds of transformations using modular addition, bit rotations and the logical functions Ch and Maj, one round per word of the schedule. The result of each block is added to the running state and fed into the next block (the Merkle–Damgård construction).
- Final Hash Output: After the last block, the eight state words are concatenated into a 64-character hexadecimal string (which represents 256 bits).
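The four steps above, carried through in working code as an added example that is not from the original page. Rather than pasting the 64 round constants and 8 initial values from the standard, the block derives them the way FIPS 180-4 defines them (the first 32 bits of the fractional parts of the cube roots and square roots of the first primes), using exact integer arithmetic; the `main` block checks the result against Python's `hashlib` for a few inputs, including one long enough to need two blocks. Function names are the example's own.

```python
import hashlib

MASK = 0xFFFFFFFF  # all arithmetic in SHA-256 is modulo 2^32


def first_primes(n: int) -> list:
    """The first n primes by trial division; the SHA-256 constants come from them."""
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def int_root(n: int, k: int) -> int:
    """floor(n ** (1/k)) by binary search, exact for arbitrarily large integers."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


PRIMES = first_primes(64)
# FIPS 180-4: H0 = first 32 fraction bits of sqrt(p) for the first 8 primes,
# K = first 32 fraction bits of cbrt(p) for the first 64 primes. Shifting p by
# 64 (or 96) bits before taking the root scales the fraction by 2^32 exactly.
H0 = [int_root(p << 64, 2) & MASK for p in PRIMES[:8]]
K = [int_root(p << 96, 3) & MASK for p in PRIMES]


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def pad(message: bytes) -> bytes:
    """Step 1: 0x80, zeros, then the bit length as 64-bit big-endian, to a multiple of 64 bytes."""
    bit_len = len(message) * 8
    zeros = (56 - (len(message) + 1)) % 64
    return message + b"\x80" + b"\x00" * zeros + bit_len.to_bytes(8, "big")


def message_schedule(block: bytes) -> list:
    """Step 2: sixteen big-endian 32-bit words expanded to a 64-word schedule."""
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    return w


def compress(state: list, block: bytes) -> list:
    """Step 3: 64 rounds over one block, then add the result to the chaining state."""
    w = message_schedule(block)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
        ch = (e & f) ^ (~e & g)                 # Ch: e chooses between f and g
        t1 = (h + S1 + ch + K[i] + w[i]) & MASK
        S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)       # Maj: bitwise majority of a, b, c
        t2 = (S0 + maj) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha256(message: bytes) -> str:
    """Step 4: chain every 64-byte block and emit the 8 state words as 64 hex characters."""
    state = H0
    padded = pad(message)
    for offset in range(0, len(padded), 64):
        state = compress(state, padded[offset:offset + 64])
    return "".join(f"{word:08x}" for word in state)


if __name__ == "__main__":
    for sample in [b"", b"password123", b"Password123", b"a" * 100]:
        assert sha256(sample) == hashlib.sha256(sample).hexdigest(), sample
    print(sha256(b"password123"))  # the value quoted in section I
```

Two things worth noticing when you step through it: the message length is baked into the padding, so two inputs of different length can never share a padded block; and `compress` returns `state + result`, not `result` alone, which is the feed-forward that makes the compression function one-way even though every individual round is invertible.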
To see how hashing works, the original page lets you type a password and hashes it with SHA-256 right there in your browser. No data is sent to a server; everything happens locally.
IV. conclusion.
Hashing is one of the simplest but most effective ways to secure passwords.
If you're building a website, never store passwords as plain text. And don't stop at a bare SHA-256 either: it is fast and deterministic, so common passwords can be recovered from a leaked table with a precomputed dictionary. Use a dedicated password hashing function such as Argon2id, bcrypt or scrypt, which adds a random salt per user and makes each guess deliberately slow.