Hashing vs Encryption vs Salting – What’s The Difference?
The prime aim of organizations of the present era is to have strong cybersecurity protection. It doesn’t matter whether you’re a startup or an enterprise; if you deal with data, you need to learn the best options offered that will help you improve your cybersecurity profile. However, the copious offerings of cybersecurity solutions can create huge confusion.
Willing to have a sound cybersecurity strategy? In this post, we will bring clarity on dilemmas like:
- Which one is better – encryption v/s hashing
- How these three work together
- What made salt hashing so famous instantly
if yes, invest your next 10 minutes in reading about hashing, salting & encryption in detail. Gear up for a long and informative post.
Offered as a viable means to make data inaccessible to unauthorized resources, hashing involves adding a mathematical function to the targeted data so that it becomes a key. The hash functions are strings with no fixed patterns. Once data is converted into the key, it’s not possible to revert the action. Hence, hashing is a non-convertible and one-way process.
The generated hash keys are mostly saved as a database. End-users can only use these keys to validate the primary information. Login password storage is the customary application of hash keys.
They decide the procedure of performing hashing.
Based on the operations and security offered, hashing tends to have multiple algorithms to use. We suggest the most-used types publicly:
It came into being to fix the potential issues of MD4. Very popular due to its use at Facebook, this algorithm only created 128-bit outputs for assorted inputs. With its full form as Message Digest 5, the algorithm is mostly preferred for verifying the integrity/correctness of data.
It lacks comprehensive data security. Despite that, MD5 is a very broadly used algorithm. The reason is - the encrypted text cannot be reversed back to its actual form if MD-5 is used. Most of the social media platforms and various other platforms use it for storing the encrypted version of passwords and fingerprint data.
An utterly secure hash algorithm, SHA-2 is used by high-end security seekers. It’s practically unbreakable. Many versions of this algorithm exist, and each version varies in length. To give you an example, SHA-256 deals in 256 bits length.
E-mail encryption methods, blockchain technology, data authentication, and password encoding can be considered a few good examples here. SHA-2 is also used by the USA government to encrypt official and highly-confidential data. It is also used often in all domains of the cyberworld that are common parts of our daily lives.
CRC stands for Cyclic Redundancy Code. It’s well-known for assorted spreading characteristics and swift file transfer. The algorithm generates a fixed-length binary code that is short and useful for verifying/checking the authenticity of data. However, due to its limited capability, it is not used much in real life, especially for hashing.
Based on a 192-bit hashing system, Tiger was an algorithm designed back in 1995. It’s behind every modern-era data-driven device. Its super-sonic speed and unmatched efficiency is the reason behind its huge popularity. Recently, an advanced version, Tiger 2, was launched.
This hashing algorithm version came into being in 1990 and has gone through multiple changes. Based upon the bit length used, we have RIPEMD-160, 320, and 256 versions. Higher is the output length, and improved is the security coverage.
This one operates with a speed similar to RAM and is non-cryptographic. Presently, four versions of this algorithm exist. The best thing about xxHash is its low complexity and high speed of execution. It can work at the system's RAM’s speed. However, it is suggested to not use it in HMAC.
To prevent speedy attacks, BCrypt is an intentionally slow algorithm. So, you can think of it as an opposite of the previously-covered algorithm in this list. Speed is slowed down to delay the password decoding as much as possible. For this, a fusion of hashing and salting (explained later in this article).
Those who are looking for a straightforward algorithm must consider Argon2 as it’s a highly adaptive algorithm. It won 2015’s pwd hashing competition due to its efficacy.
One can easily pair any of the 3 Argon2 variants with a work factor. Its different versions have different execution speed.
Alright. Now, you already have a fair idea of top methods used for hashing, but why do cybersecurity experts and researchers focus a lot on it? Well, the reason lies in what they want to achieve through it, i.e. the aim of hashing. Lets elaborate it next.
The prime aim of hashing is to make password storage secure. Whenever a website-specific password is created, it’s stored automatically in a hashed format in the website’s cache data after passing through the hashing algorithm.
As the key is only once generated and can’t be retrieved, passwords can’t be retrieved, and hackers will have no success even if the attack is successful. This way, the hash algorithm protects the user passwords saved on a website.
Hash algorithm understanding isn’t completed without mentioning its drawbacks. Hash collision is one of them. It’s the term used to refer to the incidence of producing identical output for two distinct inputs. Hence, it’s not easy to determine for which input you have the output.
One key reason behind this is locality-sensitive hashing. It’s a kind of hashing that involves putting look-alike inputs together. Regardless of the reason behind the hash collision, this is something that you need to fix as threat actors can easily decode a password if a hash collision exists.
This term refers to the process of generating a purely dissimilar hash after doing any minor change in the input. The newly-created hash will share no similarities with the previous hash, which makes it hard to recognize. From digital security’s perspective, the avalanche effect is good as hackers won’t be able to guess because two different hashes are involved.
Think of a plain message that an army officer wants to send to its peer during the war time. If the messenger is caught by enemy and the message is leaked, it will result in a big trouble, won’t it be?
So, to avoid the trouble, the sending and receiving parties can create a formula for encoding and decoding of the messages they will be exchanging. thereafter, even upon seeing the secret message, the enemy won’t be able to comprehend it.
In digital world, this formula is called ‘key’ and this encoding plus decoding is ‘Encryption.’ It is a reversible and two-way process, meaning that plain text to cipher text and vice-versa conversion is possible. You will be able to encrypt & decrypt information with ease and perfection.
Technically, the method also involves converting the plain content into cipher so that the text becomes unreadable for humans, incomprehensible for machines, and hard to guess. The cipher text is created by applying the mathematical formula on normal text/data.
Hope you’re clear about the definition. Now is the time to explain how the process is completed. well, there are multiple paths to achieve the encoded output.
Here are some of its key varieties:
- Symmetric Encryption
It is modern-day technique that utilizes just 1 key through and through. For encrypt & decrypt process, the same function will be used. It’s thought of as a highly advanced method and is used globally.
- Asymmetric Encryption
It is about producing distinct keys (public & private) and using them for distinct usage.
To elaborate, the public ones, as clear from the name, are accessible while private ones are never shared. This method is very old and in use for long.
- Hybrid Encryption
You might have got an idea that the hybrid version combines the previous 2 methods, and you are absolutely correct.
The technique is the mix of public key and systematic key encryption. It proffers the best of these two worlds as encryption is as speedy as systematic encryption while it’s as flexible as public key encryption.
- Probabilistic encryption algorithms
They follows a random pattern to generate dissimilar ciphertext each time an execution takes place. The problem with this option is that converting the ciphered text back into plain text is easy and feasible - not a really good thing from a security point of view.
- Deterministic encryption algorithms
As the name suggests, these are resolute to deliver the same ciphertext for the same plain text. Hence, it has high predictability and hackers can easily decode it.
Encryption lives to safeguard susceptible information and make it inapproachable to hackers. Mostly, websites use it for password storage, on the payment page, and on the login page so that the data these pages are transmitting is not smoothly obtainable to cyber criminals.
When plain text is entered as input, the mathematical formula alters the plain text into scrambled text. To make ciphered or scrambled text readable, one will require a key.
In a very rare case, threat actors will have that key. Hence, the sensitive or mission-critical data stayed shielded.
An algorithm/pattern/formula is the core of any procedure. In the case of encryption, each such algorithm functions differently and has a distinct security reach. Hence, if you want to safeguard your or your end-users’ account/data, you first need to comprehend them and their effectiveness.
It is a powerful and useful, both. That’s the reason for its continued use till the date (from 1998).
AES is generally-used and is symmetric, is its nature is considered. This modern-day encryption lives in two versions, AES-128-bit and AES-256-bit.
The first version is well-known for its finer performance, while the AES-256 bit is more secure. Sound protection against Brute-force type of attacks is the core promise of AES.
- Triple Data Encryption Standard
You might have guessed something from its name already, isn’t it? Well, let us explain.
Its automated cryptography encoding can encrypt a single data block 3 times. The key used in its applications is more than normal size so that improved security is offered.
To clarify, the method is symmetric and its data block’s size (processing capacity) is 64 bits.
- RSA - Rivest-Shamir-Adleman
RSA is the favorite of various development and cybersecurity professionals. If you are among them, you will agree for sure.
RSA is an asymmetric type and traditional algorithm that makes use of separate encrypting-specific and decrypting-specific keys. It ensures protecting data by performing factorization.
Unlike the previously-explained 2 methods of data encoding, it operates in an entirely different manner. It’s used to make these two stronger than before. It was designed to deactivate the rainbow table that’s every threat actor’s favorite while failing to hash.
To deactivate the hashing algorithm, hackers often use previous codes/hashes to reverse-engineer the main password. They often make use of general password hashes or dumps of hashes - the ones generated with hashing algorithm’s help. This data is a part of rainbow list. Hackers compare both these lists, and if a match is found, be assured that an attack is in progress.
Salting’s purpose is to stregthen the hash algorithm for higher security so that it can’t be a part of the rainbow table and assist threat actors in planning an attack.
What is Password salt?
It is the term used for the process of incorporating added random characters to the intended password so that it can’t be accessed to get matched with the rainbow table. Adding extra characters to the password works so great that it will make the password inaccessible, even the ones in the rainbow table.
We can’t exclude the thought that the threat actor will also try to add extra symbols/characters find the real password. But, it demands huge efforts and time, which no hacker is willing to give. Hence, salting the password is an easy and assured way to boost hashing passwords’ security.
However, you must ensure that recurring and predictable salts aren’t applied to the password. If this happens, salting becomes useless.
Encryption vs Hashing - What's the difference?
As both methods involve turning data into a scrambled form, one might consider these two the same. However, there is a distinction you must know about:
Data is encrypted twice while it’s only hashed once.
One can encrypt/decrypt a piece of data, meaning that the original text can be retrieved back. However, retrieval of plain text isn’t possible if data is hashed once.
Combination of salting and hashing
Considering the number of cyber threats that businesses are experiencing presently, it’s imperative to adopt the best cybersecurity practice. Having a single security approach isn’t always the right deal to make. Gladly, one has easily combined hashing and salt encryption and experienced heightened security.
Salting, applied to hashed password, only demands adding extra character. This minor change makes hashed passwords so strong that it becomes inaccessible for hackers or cybercriminals. For guessing that an additional character is added, hackers have to compare tons of tables and passwords, which is too tedious. Hence, combining salting and hashing is preferred for sensitive information.
We know that hashing, salting and encryption are not very simple concepts to understand at once. Though the above article is detailed and precise, you might still want a quick brief for your reference. So, we have prepared a comparison table.
Have a look at this table (encrypt vs hash vs salt) to revise the differences between the 3 techniques all quickly.
Subscribe for the latest news
Our recent webinar with the industry overview and product demo.
Solution brief on protecting apps and APIs with Wallarm.