Hash work is done by a computer algorithm, and once the data has been transformed, it can't be returned to the original state.
Common Hashing Algorithms
All hashing algorithms work in a similar manner. Users input sensitive data, and the system churns through and renders that information ineligible. But not all systems are created equal.
Hashing algorithms include:
- MD-5. MD5 is simple, quick, and free to use. It's among the most widely used hash algorithms available, but it's also ripe for hacking. Some experts encourage all companies to pick another method to protect data, but they say about a quarter of all major content systems continue to stick with MD5.
- Secure Hash Algorithms (SHA). The National Institute of Standards and Technology published the first SHA algorithm in 1993. Each new release is followed by a number, such as SHA-0 and SHA-1. In general, the higher the number, the more secure the algorithm.
- Tiger. This algorithm was published in 1995, and it's made for use on 64-bit platforms. It randomizes data in 24 rounds, and it's considered remarkably secure.
Some companies offer further hash strengthening with a technique called salting. Companies that do this:
- Add something. This involves adding a string of unique, random characters to the data they must protect.
- Hash the whole string. The original data with the salt addition moves through the algorithm.
- Store securely. Companies place the salt value on the site, along with the hashed data.
- Repeat. Companies can salt data more than once to offer deeper protection.
Salting is most effective, experts say, when companies use a different salt string for each data point. A password salt, for example, won't be as helpful if each password has the same set of random characters attached. As soon as a hacker figures out that code, all passwords are vulnerable.
Compare & Contrast: Encryption vs. Hashing
Both hashing and encryption scramble data to protect it from hackers. But the way the data is scrambled, and what happens with it after encoding, is different.
|
Encryption
|
Hashing
|
Goal
|
Protect during transport
|
Protect while in storage
|
Decoding available?
|
Yes
|
No
|
Data anonymized?
|
No
|
No
|
Type of key
|
Public and private
|
Private
|
Used for passwords?
|
Yes, while in transit
|
Yes, while in storage
|
If security is the goal, which system works better? Unfortunately, they both have deep vulnerabilities.
Password hashing problems became evident for Poshmark in 2019 when hackers broke through the codes and exposed a significant amount of user data. Poshmark executives told consumers they should change their passwords across their digital lives, especially if they had reused passwords from one site to another.
Breaking a hash means running a computer algorithm through the codes and developing theories about the key. It should be impossible, but experts say some programs can churn through 450 billion hashes per second, and that means hacking takes mere minutes.
Encryption also comes with vulnerabilities. Only about 4 percent of encryption breaches are secure, in which the data is rendered useless. In all other cases, stolen files are quickly decoded and ready for use by thieves.
It's possible that some companies apply encryption for compliance only, so they don't test and alter their systems to prove they work. But it's also possible that encryption isn't as sophisticated as some might hope.
Which Should You Choose?
Answering the question of encryption vs. hashing isn't easy. Protection is the goal, but knowing where to begin can be a challenge.
Consider the data you must protect. Will it:
- Travel? You probably need encryption to keep it secure as it moves from your server to another.
- Remain in storage? You need hashing to ensure that it can't be touched by someone who enters your server with nefarious plans.
Know that you can combine hashing and encryption techniques too. You might use hashing to protect password data on your server, but then you lean on encryption to protect files users download once they have gained access.
Experiment with the systems and methods that keep your data safe and secure. And know that Okta is here to help.
We specialize in security solutions for businesses both large and small. Deploy our solutions out of the box, or let us build something that is right for you and your industry. Contact us to find out more.
References
Encryption: More and More Companies Use It, Despite Nasty Tech Headaches. (April 2015). ZD Net.
History of Encryption. (January 2002). Global Information Assurance Certification.
The Twofish Encryption Algorithm. (December 1998). Schneider on Security.
Does Hashing Make Data Anonymous? (April 2012). Federal Trade Commission.
A Quarter of Major CMSs Use Outdated MD5 As the Default Password Hashing Scheme. (June 2019). ZD Net.
Passwords and Hacking: The Jargon of Hashing, Salting, and SHA-2 Explained. (December 2016). The Guardian.
Password Hashing Does Not Guarantee That Your Data Is Secure. (October 2019). Kansas City Business Journal.
Four Cents to Deanonymize: Companies Reverse Hashed Email Addresses. (April 2018). Freedom to Tinker.
Businesses Fail to Apply Encryption Technology Effectively. (January 2019). Computer Weekly.
Encryption vs. Hashing. (December 2019). Medium.
A Lot of Companies Apply Encryption for the Wrong Reason. (April 2020). Techzine.