Basics of hash functions vs encryption

Keep in mind I’m not talking about a specific app or website. This article serves to simply show why we have certain measures for security systems. This article is meant for educational purposes. There is a major difference between hashing and encryption. Encryption makes text unreadable while still being reversible, All encrypted data can be decrypted(and if done well the attacker should not be able to get the original message for a long time). Hashing is a little different from encryption. The difference is that hashing is a process that jumbles data in a way that is practically impossible to undo. Initially this sounds like a ridiculous idea to jumble text in an unreadable way without being able to reverse it but there are some really good reasons to use it. Hashing in cryptography(study of encryption and data security) is mostly used for document signatures(validating that documents were not tampered with) and password security. For this article I will be talking solely about password security but these ideas will translate to all the uses of hash functions. In the case of securing passwords they should not be encrypted because once attackers get the key(typically these are stored on the same system) they can get the password decrypted and subsequently get into the user's system. With hashing the password is more or less impossible to be undone. The cool thing about hash functions is that they also don't require a key like encryption does. Before we go to the next topic the algorithm SHA uses numbers to specify its configuration. SHA - first number - second number. The first number after SHA is the model of the algorithm and the second number is the length in bits its output is. But typically in documentation the SHA will be denoted as SHA then a number for example (SHA1, SHA2, and SHA3) all denoting the model of the algorithm not mentioning the bit length. In many computer systems passwords(ideally a hashed version) must be stored in the computer and fundamentally many systems will get the user name then the password. The login logic is relatively simple if the password stored is equal to the input of the password and the username is valid to a user in the system let them in. Unfortunately attackers can look at the file containing the password and use it to gain entry to the system. To combat this, hash functions jumble the password so it's not readable(use the links below to see what I’m talking about). So the obvious solution is to just hash passwords right? Wrong, you also need to use a hash function that has been well tested. Some hash functions were not designed for passwords and should be used solely for data structures and non cryptographic reasons. Originally the main goal of a hash function was to make a unique hash output per password, however after further testing over time with these algorithms there is a vulnerability called a “collision” this means that more than 1 password can have the same output. This effectively means that a user can have multiple passwords. This was a problem found in an algorithm called “MD5” and “SHA1”. Years ago it was used because it ran very quickly, however this is a major issue because modern computers can brute force this to gain a valid password. So a more modern algorithm used today is sha2 and sha3. Sha2 is used by most systems; it has been tested to have much less collisions than md5 but it is still possible. For systems with higher security needs sha3 is recommended. Both SHA2 and SHA3 are slower than md5. This helps slow down attackers from gaining a valid password along with preventing users from having multiple passwords. It also prevents attackers from being able to read the password. Keep in mind this is not security advice its just a phenomena that happens with hash functions that is useful to know. This is just a consideration to think about with hash functions, this is not all the problems with encryption or hash functions. Keep in mind these considerations for security are today's standards(as of July 9th 2024). These may change in the future. links MD5 and SHA1 generator: https://www.md5hashgenerator.com SHA2: https://emn178.github.io/online-tools/sha256.html Sha3: https://emn178.github.io/online-tools/sha3_256.html