In an era where data breaches dominate tech headlines, you've likely heard that email addresses and passwords were exposed in yet another cyberattack. But what exactly does it mean for a password to be hashed? How is it different from a plain-text password? Let’s dive into the fundamentals of cryptography to understand password hashing, why it matters, and how it protects your digital identity.
Understanding Passwords and Their Security Challenges
A password is more than just a string of characters—it's a key to your digital life. According to NIST, a password is “a string of characters (letters, numbers, and other symbols) used to authenticate identity, verify access authorization, or obtain cryptographic keys.” From email accounts to online banking, passwords are everywhere.
But while entering a password feels simple, securely storing it is far more complex. As users, we must follow best practices: avoid reusing passwords, choose strong and unique ones, and update them periodically. One of the most effective ways to manage this is with a password manager, which helps generate and store secure credentials—putting you ahead of most internet users in terms of privacy protection.
However, even the strongest password can't fully protect you if the service storing it uses poor security practices. This is where password hashing comes in.
👉 Discover how modern encryption keeps your data safe online.
Why Storing Plain Text Passwords Is Dangerous
Imagine you're running a growing online platform. Thousands of users are signing up daily, and you need to store their login details securely. The obvious—but dangerous—approach would be to save passwords in plain text. If hackers ever breach your database, they’d have immediate access to every user's account.
This is why responsible services never store passwords as plain text. Instead, they use hashing: a one-way mathematical process that transforms your password into a fixed-length string of random-looking characters—known as a hash. When you log in, the system hashes your entered password and compares it to the stored hash. If they match, access is granted.
Crucially, there’s no way to reverse the hash back into the original password. It's like blending an apple into juice—you can’t reconstruct the original fruit from the liquid.
At Tuta, we go further by using Argon2, currently one of the most secure key derivation functions available. We hash your password using SHA-256 to create a password verifier, which is then transmitted and re-hashed before storage. This layered approach ensures that even if our database were compromised, attackers couldn’t recover usable credentials.
What Is Password Hashing?
Password hashing is the process of converting a plaintext password into a unique, fixed-size string using a cryptographic hash function. Good hash functions have three key properties:
- Deterministic: The same input always produces the same output.
- Fast to compute: Efficient for legitimate use during login.
- Irreversible: Nearly impossible to derive the original password from the hash.
Common hashing algorithms include MD5, SHA-1, SHA-2, and SHA-3. However, not all are suitable for password storage today.
Think of hashing like cooking: raw ingredients (your password) go through a transformation (the hash function) to become a dish (the hash). Just as you can’t un-bake a cake, you can’t "un-hash" a password.
Hashing is a one-way function. Unlike encryption, there’s no decryption key—it only works in one direction.
When attackers try to "crack" passwords, they don’t reverse the hash. Instead, they run common passwords through the same algorithm and compare the outputs—a method known as a dictionary attack or rainbow table attack.
What Is Salted Hashing?
Here’s where things get smarter: salting.
A salt is a random value added to the password before hashing. Each user gets a unique salt, so even if two people use the same password (like “password123”), their resulting hashes will be completely different.
This defeats precomputed attacks because attackers can’t reuse hash tables—they’d have to generate new ones for each salt, making large-scale cracking impractical.
For example:
- User A:
password123 + salt_X = hash_ABC - User B:
password123 + salt_Y = hash_DEF
Even with identical passwords, the outputs differ.
Salts are typically stored alongside hashes in the database—they don’t need to be secret, just unique per user. This small addition dramatically increases security.
Salt doesn’t just make food tastier—it makes password hashing stronger!
👉 Learn how advanced security protocols defend against modern cyber threats.
Common Attacks on Hashed Passwords
No system is perfect. Even hashed passwords face several types of attacks:
1. Brute Force Attacks
Attackers systematically try every possible combination until they find a match. While time-consuming, powerful hardware (like GPUs or ASICs) can speed this up. Stronger hashing algorithms slow down these attempts by design.
2. Dictionary and Rainbow Table Attacks
Instead of trying all combinations, attackers use lists of common passwords (e.g., “123456”, “qwerty”) or precomputed hash tables (rainbow tables). Salting effectively neutralizes rainbow table attacks.
3. Collision Attacks
A collision occurs when two different inputs produce the same hash. If an attacker finds such a pair, they could log in with the wrong password. Secure algorithms like SHA-256 are designed to resist collisions.
4. Birthday Attack
Based on probability theory, this attack exploits the likelihood of collisions in hash functions. However, for strong modern hashes, this remains impractical.
Popular Hashing Algorithms Compared
Not all hashing functions are created equal. Here’s how major ones stack up:
MD5
Once widely used, MD5 generates 128-bit hashes but is now considered broken due to vulnerability to collision attacks. Despite being deprecated since 2013, MD5 hashes still appear in data breaches—putting millions at risk.
SHA-1
Developed by the NSA, SHA-1 produces 160-bit hashes. It was officially phased out after 2005 due to weaknesses, especially in digital signatures. Avoid it for password storage.
SHA-2 / SHA-256
Part of the SHA-2 family, SHA-256 is currently the standard for secure hashing. It supports 256-bit output and is widely trusted in blockchain and cybersecurity applications.
SHA-3
Released in 2015, SHA-3 uses a different internal structure (sponge construction) and offers robust resistance to known attacks.
bcrypt
Introduced in 1999, bcrypt includes built-in salting and is adaptive—meaning it can be made slower over time to counter faster hardware. Based on the Blowfish cipher, it remains a solid choice for password hashing.
Argon2
Winner of the 2015 Password Hashing Competition, Argon2 is designed to resist both GPU cracking and side-channel attacks. It’s memory-hard, meaning it consumes significant RAM during computation—slowing down brute-force attempts even on specialized hardware.
At Tuta, we use Argon2 to derive encryption keys and enhance account security. By adopting cutting-edge cryptography like Argon2 and maintaining a zero-knowledge architecture, we ensure that no one—not even us—can access your data.
👉 See how next-generation encryption protects your personal information.
Frequently Asked Questions (FAQ)
Q: Can hashed passwords be decrypted?
A: No. Hashing is a one-way process. There’s no key to reverse it. Attackers must guess the original password and check if the hash matches.
Q: Is SHA-256 good enough for password storage?
A: While SHA-256 is cryptographically strong, it’s too fast for passwords. Use adaptive functions like bcrypt, scrypt, or Argon2 instead.
Q: What happens if a website stores passwords in plain text?
A: If breached, all user credentials are immediately exposed. Always assume poor security if a site sends you your password via email.
Q: How do data breaches expose "hashed" passwords?
A: Hackers steal the database containing username/email and hashed passwords. They then attempt to crack the hashes offline using brute force or dictionaries.
Q: Should I trust services that use MD5 or SHA-1 for passwords?
A: No. These are outdated and vulnerable. Reputable platforms should use modern algorithms like Argon2 or bcrypt.
Q: Does salting prevent all types of attacks?
A: Salting defeats rainbow table attacks but not brute force or dictionary attacks. That’s why combining salt with slow, memory-hard functions is essential.
By understanding how password hashing works—and choosing services that implement strong cryptographic practices—you take a major step toward securing your digital life. Always use unique passwords, enable two-factor authentication, and support platforms that prioritize privacy by design.