For what are hash functions?
Hash functions allow developers to do many things securely. In this article, we will cover what they do and how and where those functions are used.
What do they do?
Hash functions take a single letter or a gigabyte file as input. Based on the input, the function will output a random-looking string. The output is always the same provided the input is the same. Every hash has the same length. No matter how small or big the input is.
Use this website. As soon as something has changed in the input field, the webpage will regenerate the hash.
Even the smallest change in the input will cause a completely different output which is called the avalanche effect.
Use cases
Files
Imagine the user is downloading a huge file from the web. How to check if the file did not corrupt while downloading? Check it by generating a hash of the file and comparing it with the given hash on the web page. If only a single bit changed, the whole hash changes. If the hash does not match, the file is not the original.
Nowadays it is relatively rare to find a hash on a webpage.
Steam Platform
When game files have corrupted, how can Steam find the corrupted files and replace them? They collect the hash from each file and compare it to a list of hashes from the server. Then they request files where the hash does not match again. Voulah repaired!
Storing passwords
Preventing co-workers or hackers from reading user passwords is essential. A hash always returns the same string if the input is the same, but you can not generate the hash's input except for trying every possible calculation until there is a match.
When the user does only send the hash of his password to the server, then the server is not even aware of the plain text password — so no one can steal it. Still, the server can authenticate the user.
As soon as all the hash passwords are leaked, attackers will have a though life getting all those raw passwords.
They can check for users who have the same password, by looking for users with the same password hash. Brute-forcing common passwords is another effective way, or by searching pre-generated hash databases on the web. Even a Google search with the hash could do it.
The applications’ server wants to remove every weakness. A common way to achieve this is to append the user id to the raw password, whenever the password gets hashed. Due to the avalanche effect, the hash will look completely different for each user even if users have the same password.
Types
MD5
MD5 is a well-known hash function, which should be avoided using nowadays. The MD5 hash function is close to plain text, because of the unbelievable progress technology makes. Still, it needs time to calculate the original input.
SHA-256
Today SHA-256 is one of the most secure hashing functions in the world. The US government requires its agencies to protect certain sensitive information using SHA-256.
Conclusion
Hashing is a powerful way of doing certain things. If you are doing it right, it is good. Doing it not or wrong can cause disasters, and this is why people should think twice about their database security.
