News & Commentary
12:00 PM
Michael Coates
Michael Coates
Connect Directly

Safely Storing User Passwords: Hashing vs. Encrypting

Securing user information begins with a proper understanding of security controls and the protection of user passwords using modern hashing algorithms. Here's a quick review of the fundamentals.

Over the past several months, we've seen major breaches exposing numerous usernames and passwords. The eBay and Adobe breaches impacted millions of accounts. Snapchat was compromised. With every password breach comes the inevitable question: Were the passwords stored securely? Unfortunately, this simple question is not simply answered.

Though hashing and encryption both provide valuable capabilities, for the vast majority of situations, there is only one right option for storing user passwords for an online application: hashing. This is a one-way function in which a hashed value cannot be reversed to obtain the original input value (i.e., the password). Symmetric encryption is based on the use of an encryption key and is a reversible operation. Anyone possessing the key can decrypt an encrypted value to obtain the original value.

Table 1: Differences Between Hashing and Symmetric Encryption

Hashing Symmetric Encryption
One-way function Reversible Operation
Invertible Operation? No, Yes,
For modern hashing algorithms it is not easy to reverse the hash value to obtain the original input value Symmetric encryption is designed to allow anyone with access to the encryption key to decrypt and obtain the original input value
*See note below on rainbow tables, salts, etc.
Other considerations ·         Hashing algorithm selection ·         Encryption algorithm selection
·         Per User Salt ·         Protection of key
·         Computational difficulty

How does the application authenticate a user with a password hash?
When the application receives a username and password from a user, it performs the hashing operation on the password and compares the resulting hashed value with the password hash stored in the database for the particular user. If the two hashes are an exact match, the user provided a valid username and password.

The benefit of hashing is that the application never needs to store the clear text password. It stores only the hashed value.

Is all hashing created equal?
No. In fact, hashing algorithms can be very different, and not all are appropriate for password storage.

Speed and iterative hashing algorithms
This may be a bit counterintuitive, but older hashing algorithms are too fast. Attackers may not be able to reverse a hashed value to obtain the original input, but they could perform a brute force attack that hashes numerous possible password inputs and checks if they match any of the stolen hashes.

To combat this threat, modern hashing algorithms can perform multiple iterations. This introduces a minor delay for a single hashing operation, but this small delay becomes massive if an attacker is performing a brute force attack. Consequently, iterative hashing algorithms make brute force attacks unrealistic, since they would require hundreds of years or more to complete.

Table 2: Without Salts

User Password Resulting Hash
Joe password123 xyfkdl323...
Sue password123 xyfkdl323...

Table 3: With Salts

User Password Salt Resulting Hash
Joe password123 48a023jl2... ied390fl2...
Sue password123 9fh3ls321... 40akdl23...

Does account lockout have any impact on the security model of password storage?
In short, no. The goal of securely storing passwords is to provide additional defense in the event the password file is ever stolen.

Attacks against password hashes are offline attacks. This means the attackers have already stolen the password file and are using their own computer to attempt various password combinations to find a hash in the stolen password hash file. Since this is an offline attack, controls such as account lockout or captchas provide no value. Those controls are valid only for online attacks against the login page of a running web server.

What are the risks of using symmetric encryption instead of hashing?
By design, symmetric encryption is a reversible operation. This means that the encryption key must be accessible to the application and will be used for every password verification.

If the encrypted passwords are stolen, the attackers only need to determine the symmetric key used by the application. Once that key becomes known, through a breach or through brute force attacks on a weak key, all passwords are instantly decrypted and accessible. This is not a good place to be.

Moral of the story
To store user passwords safely, it is critical to understand the differences between symmetric encryption and hashing. Algorithms such as PBKDF2, bcrypt, and scrypt all utilize per user salts and iterative hashing capabilities to store passwords securely.

The Internet and web applications will become even more important parts of everyday life as they are trusted with increasingly sensitive information. It is imperative that developers and application owners ensure they are doing everything they can to secure user information. This starts with a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms.

Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack-aware applications ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 12:34:09 PM
Good overview
Thanks for your detailed overview, Michael. You say that to propertly secure user invormation today, application developers must starts with "a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms." What do you think is the biggest misunderstanding of security that app developers have?
User Rank: Author
6/4/2014 | 1:02:50 PM
Re: Good overview
The largest misconception is that since encryption is good for protecting information in some situations it is therefore appropriate for all situations involving sensitive data. As discussed above, encryption is really the wrong choice for protecting passwords.

Second, that any hashing algorithm is sufficient for password hashing. Selecting a weak algorithm like md5 or failing to user per user salts places passwords at extreme risk if the hash file is stolen.

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 2:51:46 PM
Re: Good overview
Thanks, Michael. One of the things I've been hearing about more and more is that personal information has become much more valuable a target for cybercrime than, for example credit cards. If that's the case, then your message about hashing versus encryption is one that InfoSec pros should definitely take to heart. 
User Rank: Apprentice
6/11/2014 | 9:57:04 PM
Re: Good overview

Thank you for a well-written article. I agree that hashing passwords with added salt provides far greater security than simply encrypting passwords. My question is simple: If a malicious actor steals a database of password hashes, won't this database include the salts as well, thereby nullifying the purpose of the salt, which is to defend against brute force dictionary and rainbow table attacks?
User Rank: Author
6/12/2014 | 4:16:00 PM
Re: Good overview
Good question. The stolen database would indeed include the salts. However, exposure of random per-user salts does not undermine their purpose and security benefits.

There are two benefits to using per-user salts

1. When using per-user salts an attacker cannot simply review the stolen password hash databse for duplicate hashes (which would indicate the same original password for both accounts). The introduction of a per-user salt ensures that even the same password will result in unique hashes.

2. An attacker cannot download a rainbow table and use it against the password hashes. A rainbow table is a large database of precomputed hashes for a variety of common passwords (or even all possible passwords of certain character sets and lengths). Without per-user salts an attacker could do a simple lookup of the stolen hash within the rainbow table to determine the original password. The introduction of per-user salts means the rainbow table is useless.

Sure, an attacker could incorporate the salt into a brute force attack. But the purpose of a salt isn't to stop brute force. It's to accomplish the two items mentioned above (duplicate hashes and rainbow tables). As I mentioned in the article, the iterative hashing approach that exists in bcrypt/scrypt/PBKDF2 is the defense against brute force attacks on the password hash.


Hope that helps.


User Rank: Apprentice
6/13/2014 | 9:01:50 PM
Preventing the password file from getting stolen
Thanks for the article,itis very informative and provide details on the foundations related to hashing and encryption.

Considering different chain of thoughts ,along with encryption and hashing that is used to secure passwords it is essential that the password file is well protected SAM file in windows and etc/shadow or etc/passwd file in Linux access must be restricted with multiple layers of defense to prevent it from getting stolen.


Tej Gandhi

Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.