Elisa Armstrong · Jan 31, 2022 · 5 min read
To be effective, cybersecurity must be easy to understand and follow. But hashing has always raised a ton of questions. Is it a type of encryption? What algorithms are safe to use? And why do we have to salt it? Today, we’re going to dive into the world of hashing vs encryption and explain everything you need to know.
Encryption is the process of securing data. Regardless of the algorithms used, you use a key to convert a plaintext message into ciphertext. When needed, the action can be performed in reverse, i.e., you can convert the ciphertext back into the original plaintext message. If you want to know more about encryption, check out the most common types of encryption.
Another very important part of encryption — specifically, public-key encryption — is that the parties sharing the encrypted data can be authenticated. Lastly, encrypting the same file multiple times may give you a different output, which is not the case when you hash something.
Hashing is a cryptographic process that, just like encryption, scrambles up data. But hash algorithms digest the original data into a fixed-length hash, or a hash value. Regardless of the size of the original message, the same hashing algorithm will output the same number of characters. In other words, whether you’re hashing a password or a set of the Encyclopedia Britannica, hashing could turn both into a 20-character hash.
A good hashing algorithm must have certain qualities, like:
Also, a good practice is to couple hashes with salt. Salting is a process of adding randomized characters to the original password. Salt is added to your password before a hash is derived. Salting makes your password, or rather its hash, unique and thus much harder to crack.
One of the key features of a hashing algorithm is its uniqueness. You don’t want two files to have the same hash because it defeats the purpose of the entire process.
While we will cover hashing uses in more depth later, in short, it’s mainly used to confirm the authenticity of passwords without revealing the passwords themselves.
Let’s say your password “un!cornsf0rever” has been hashed to a value of “qwe123.” If someone can create a password that is also hashed to a value of “qwe123,” they can get into your account. Remember, apps and services don’t actually use passwords – they only compare hashes.
Unfortunately, hashing collisions can happen by chance or can be created deliberately. To avoid this problem, different hashing collision resolutions like open and closed hashing or double hashing can be performed.
By now, there shouldn’t be much confusion left when it comes to hashed vs encrypted data. But, just in case, let’s bring it all together before we move on to hashing algorithms.
Hashing is commonly used for protecting passwords. If you had to store users’ data, you would generate password hashes and store those in a database instead of the real passwords. During authentication, the user's password hash is compared to the hash in the database. If they match, the user gets access to their account.
We’ve just talked about using hashing for passwords. But since it’s not a flawless process (more on that later), maybe we should scrap hashing entirely and use encryption? We know that strong encryption can keep data safe for hundreds of years. However, while hashing does not offer superior data security, it’s important in a variety of other ways.
These are just a few applications of hashing algorithms. Now, let’s take a look at the algorithms themselves.
Hashing algorithms define the rules for how the hash is created. If the algorithm is unsafe, hackers could reverse engineer it to reveal the original message. Here are some of today’s best-known hashing algorithms.
By far, MD5 is one of the most used hashing algorithms in the world. But there’s a caveat — MD5 is broken. It has been broken for a long time. Most notably, MD5 is prone to hash collisions, a malicious or accidental way to create two documents with the same hash.
Secure Hash Algorithm, or SHA, took the baton from MD5 to become the most popular hashing algorithm worldwide. Developed by the NSA, the algorithm is now in its third iteration, SHA-2. Unlike its previous versions, SHA-0 and SHA-1, which worked similarly to MD5, SHA-2 is much more fit to handle the cybersecurity of the modern day because of its six possible variations: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
There’s already a SHA-3 algorithm ready to take over when called upon. It’s faster and was designed to withstand the attacks that SHA-2 could be vulnerable to.
Argon2 is a key derivation function highly recommended for passwords. It has three versions: Argon2d, Argon2i, and Argon2id. This is what we use at NordLocker. If you already have an account, you’ll have a master password. We use Argon2id to generate a key from your master password with salt that is used to encrypt and decrypt your secret key.
Tiger is a hash function from the mid-1990s. It’s known for its speed and, despite its age, is still considered secure. Tiger can produce 128-, 160-, and 198-bit hashes. Now, there is a new generation of the algorithm, Tiger2.
What happens when password hashes are not salted? Since identical hashes mean identical inputs, your password could be in danger if someone else has already used that password before. In fact, online tools can compare your password hash with over 800 billion cracked hashes to derive the original password.
There’s another way to exploit password hashes. A hacker can calculate values for every combination (a, ab, abc, etc.) and then compare your password hash with the database that they just created. It may be tedious and time-consuming, but it’s also totally doable. That’s why leaving hashes unsalted is really unsafe.
While hashing is a necessary part of cybersecurity, it’s also useful in many other fields. However, hashing does have some big problems when it comes to storing passwords. For example, some companies still use outdated hash algorithms like MD5, and too many store their user passwords unsalted.
That’s why you should always have multi-factor authentication enabled. If someone figures out your password or a database with unsalted hashes is leaked online, your account will still be secure. In addition, when you want to share files securely, use end-to-end encryption apps like NordLocker.