15 min read

Understanding Password Encryption and Hashing: A Complete Guide

Dive deep into the cryptographic techniques that protect your passwords. Learn how hashing, salting, and encryption work together to secure your data.

The Fundamental Difference: Encryption vs Hashing

Many people use "encryption" and "hashing" interchangeably when discussing password security, but they are fundamentally different concepts with distinct purposes.

Encryption

  • ✓ Two-way process (reversible)
  • ✓ Requires a key to decrypt
  • ✓ Used for data in transit
  • ✓ Example: AES, RSA
  • ✗ NOT for password storage

Hashing

  • ✓ One-way process (irreversible)
  • ✓ No key needed
  • ✓ Used for password storage
  • ✓ Example: bcrypt, Argon2
  • ✓ CORRECT for passwords

Why Passwords Should Be Hashed, Not Encrypted

Passwords should never be encrypted because encryption is reversible. If an attacker gains access to your database and the encryption key, they can decrypt all passwords. Hashing is one-way—even if attackers steal the hash database, they cannot reverse the hashes to get the original passwords.

How Password Hashing Works

When you create an account, here's what happens behind the scenes:

Password Storage Process:

  1. 1. User enters password: "MySecurePass123!"
  2. 2. System generates salt: Random data added to password
  3. 3. Hash function applied: bcrypt(password + salt)
  4. 4. Hash stored in database: "$2a$12$KIXxPq7..."
  5. 5. Original password discarded: Never stored anywhere

Password Verification Process

When you log in:

  1. You enter your password
  2. System retrieves stored hash and salt from database
  3. System hashes your entered password with the same salt
  4. System compares new hash with stored hash
  5. If they match, access granted; if not, access denied

Modern Hashing Algorithms

1. bcrypt (Recommended)

bcrypt is the gold standard for password hashing. It's specifically designed to be slow, which makes brute-force attacks impractical.

  • Adaptive: Can increase computational cost as hardware improves
  • Built-in salt: Automatically generates and stores salt
  • Work factor: Configurable rounds (typically 10-12)
  • Battle-tested: Used by major companies for decades

Example bcrypt hash:

$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW

Format: $algorithm$cost$salt+hash

2. Argon2 (Most Secure)

Argon2 won the Password Hashing Competition in 2015 and is considered the most secure option today.

  • Three variants: Argon2d, Argon2i, Argon2id (recommended)
  • Memory-hard: Requires significant RAM, making GPU attacks difficult
  • Configurable: Time cost, memory cost, and parallelism
  • Resistant to: Side-channel attacks and GPU cracking

3. PBKDF2 (Legacy but Acceptable)

PBKDF2 is older but still acceptable when configured correctly. It's FIPS-approved, making it popular in government and enterprise settings.

  • Iterations: Minimum 100,000 (preferably 600,000+)
  • HMAC-based: Uses SHA-256 or SHA-512
  • Compliance: Meets regulatory requirements
  • Limitation: More vulnerable to GPU attacks than bcrypt/Argon2

❌ Algorithms to AVOID

Never Use These for Passwords:

  • MD5: Completely broken, can be cracked instantly
  • SHA-1: Deprecated, vulnerable to collision attacks
  • Plain SHA-256/SHA-512: Too fast, no salt, easily brute-forced
  • Plain text: Absolutely unacceptable (yes, some sites still do this!)

The Critical Role of Salt

A salt is random data added to passwords before hashing. Without salt, identical passwords produce identical hashes, enabling rainbow table attacks.

Why Salting Matters

Without Salt (Vulnerable):

User1: "password123" → hash: 482c811...

User2: "password123" → hash: 482c811... (same!)

Attacker can crack one and get both passwords

With Salt (Secure):

User1: "password123" + "x8Kp2" → hash: a7f3d9e...

User2: "password123" + "mQ9vL" → hash: 2c8e1f4... (different!)

Each password must be cracked individually

Salt Best Practices

  • Unique per password: Never reuse salts
  • Cryptographically random: Use secure random number generators
  • Sufficient length: Minimum 16 bytes (128 bits)
  • Stored with hash: Salt doesn't need to be secret

Pepper: An Additional Layer

A pepper is a secret key added to passwords before hashing, stored separately from the database. Unlike salt, pepper is:

  • Same for all passwords: One pepper for entire system
  • Kept secret: Stored in environment variables or key management system
  • Not in database: Protects against database-only breaches
  • Optional but recommended: Adds defense-in-depth

Attack Vectors and Defenses

1. Brute Force Attacks

Trying every possible password combination. Defense: Use slow hashing algorithms (bcrypt, Argon2) that make each attempt expensive.

2. Dictionary Attacks

Trying common words and passwords. Defense: Enforce password complexity requirements and use password generators.

3. Rainbow Table Attacks

Using precomputed hash tables. Defense: Always use unique salts per password.

4. GPU/ASIC Attacks

Using specialized hardware for parallel cracking. Defense: Use memory-hard algorithms like Argon2.

Implementation Best Practices

For Developers

  1. Never roll your own crypto: Use established libraries
  2. Use bcrypt or Argon2: Not plain SHA-256
  3. Configure work factors appropriately: Balance security and performance
  4. Upgrade algorithms over time: Re-hash on user login
  5. Implement rate limiting: Prevent rapid-fire login attempts
  6. Use HTTPS everywhere: Protect passwords in transit
  7. Never log passwords: Not even in error logs

Recommended Libraries:

  • Node.js: bcrypt, argon2
  • Python: bcrypt, argon2-cffi
  • PHP: password_hash() (uses bcrypt)
  • Java: Spring Security, jBCrypt
  • .NET: BCrypt.Net, Konscious.Security.Cryptography

For Users

  • Use long, random passwords: Makes hashing irrelevant if password is uncrackable
  • Enable 2FA: Protects even if password is compromised
  • Use unique passwords: Limits damage from breaches
  • Check for breaches: Use Have I Been Pwned

The Future of Password Security

The industry is moving toward passwordless authentication:

  • WebAuthn/FIDO2: Hardware security keys
  • Biometrics: Fingerprint, facial recognition
  • Passkeys: Cryptographic keys stored on devices
  • Magic links: Email-based authentication

However, passwords will remain relevant for years to come, making proper hashing critical.

Generate Secure Passwords

Create cryptographically secure passwords that are resistant to all attack methods.

Conclusion

Understanding password hashing is crucial for both developers and security-conscious users. Passwords should always be hashed (not encrypted) using modern algorithms like bcrypt or Argon2, with unique salts for each password.

For developers: Use established libraries, never roll your own crypto, and stay updated on best practices. For users: Create strong, unique passwords and enable two-factor authentication wherever possible.

The combination of proper hashing techniques and strong passwords creates a robust defense against password-related attacks. While no system is completely unbreakable, following these practices makes attacks impractical and protects your data effectively.

Related Tools