What is Hashing?

When you supply your username and password to log on to Windows, how is your password kept private so that it cannot be intercepted or stolen?
The answer is that the password itself is neither stored nor sent anywhere, so there is no copy of it to steal. At first glance this may not make sense: how can a password be authenticated if it is never transmitted or stored? It works because, while the password itself is not stored, a hash of the password is.


Hashing

Hashing is the process of translating information into a fixed-size, seemingly random value. It resembles encryption, but with one key difference: hashing is a one-way process, and there is no "dehashing" or decryption step. A hash function maps an input value to a hash value, a numerical representation of that input.
Like encryption, hashing is an industry-supported standard. A hash algorithm maps input values to a series of known output values, and given the same input it always produces the same output. Several hashing algorithms are in common use, such as MD5, SHA1 and HMAC.


How hashing works
For example, when you create a user account, the password itself is not stored. Instead, a hash of the password is created and stored. When the user later enters a password to be authenticated, that password is not transported or stored either. Rather than sending the password in clear text and leaving it open to interception, a hash of the password is sent for authentication.
The logon process creates this hash before the authentication attempt. The password entered by the user is hashed with the same algorithm that was used when the account was created, so if the hash is intercepted, the password is not revealed. When the authenticating process receives the hash for logon, it compares the entered hash with the hash value stored in the database.
Given the same input, a hashing algorithm always produces the same output. As a result, if the user enters the same password at logon that was entered when the account was created, the two hashes match exactly. If the hashes match, the user is authenticated.

To further reduce the exposure of such sensitive information, an additional random value is concatenated to the input before it is hashed. This additional random value is called a salt.
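The following is an added example, not code from the original post, that puts the two preceding passages together: at account creation a fresh random salt is generated and stored alongside the hash of salt + password; at logon the entered password is hashed with the stored salt and the two hashes are compared. It assumes .NET 6 or later (for RandomNumberGenerator.GetBytes, SHA256.HashData, Convert.ToHexString and CryptographicOperations.FixedTimeEquals). The class and method names are mine; SHA-256 is used in place of the SHA1 shown later on the page, and the "salt:hash" record format is a constructed convention for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post): a minimal salted-hash password store.
static class SaltedPasswordStore
{
    private const int SaltSize = 16; // 128-bit random salt, generated per account

    // Account creation: hash salt + password and keep both the salt and the hash.
    // The record format "saltHex:hashHex" is a convention chosen for this example.
    public static string Register(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = HashWithSalt(password, salt);
        return Convert.ToHexString(salt) + ":" + Convert.ToHexString(hash);
    }

    // Logon: recompute the hash of the entered password with the stored salt
    // and compare it with the stored hash. The clear-text password is never stored.
    public static bool Verify(string enteredPassword, string storedRecord)
    {
        string[] parts = storedRecord.Split(':');
        if (parts.Length != 2)
        {
            return false; // malformed record
        }

        byte[] salt = Convert.FromHexString(parts[0]);
        byte[] expected = Convert.FromHexString(parts[1]);
        byte[] actual = HashWithSalt(enteredPassword, salt);

        // Constant-time comparison so the time taken does not reveal
        // how many leading bytes of the hash matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Same algorithm at registration and at logon: SHA-256 over (salt || password).
    private static byte[] HashWithSalt(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        return SHA256.HashData(input);
    }
}

class Program
{
    static void Main()
    {
        // Registering the same password twice yields two different records,
        // because each registration draws its own random salt.
        string record1 = SaltedPasswordStore.Register("ThisIsMyPassword");
        string record2 = SaltedPasswordStore.Register("ThisIsMyPassword");
        Console.WriteLine(record1);
        Console.WriteLine(record2);
        Console.WriteLine("records identical: " + (record1 == record2));

        // Correct password verifies; a password differing only in case does not.
        Console.WriteLine("correct password: " + SaltedPasswordStore.Verify("ThisIsMyPassword", record1));
        Console.WriteLine("wrong password:   " + SaltedPasswordStore.Verify("thisismypassword", record1));
    }
}
```

The salt is what makes the two records differ even though the password is the same, so an attacker who obtains the database cannot use one precomputed table against every account. Note that a plain hash such as SHA-256 is fast by design; for real password storage a deliberately slow password-hashing function (for example PBKDF2, which .NET exposes as Rfc2898DeriveBytes) is used in place of the single hash call shown here.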

Hash function
The following code shows how to use and implement the SHA1 hash in C#.


using System;
using System.Security.Cryptography;
using System.Text;

string password = "ThisIsMyPassword";

// Create a SHA1 hash object and hash the bytes of the password.
// UTF-8 is used here; for this ASCII-only input it yields the same bytes as Encoding.Default.
SHA1 alg = SHA1.Create();
byte[] hashedPassword = alg.ComputeHash(Encoding.UTF8.GetBytes(password));

// Render the 20-byte digest as 40 lowercase hexadecimal characters.
StringBuilder strBuilder = new StringBuilder();
for (int i = 0; i < hashedPassword.Length; i++)
{
    strBuilder.Append(hashedPassword[i].ToString("x2"));
}
Console.WriteLine(strBuilder.ToString());

Password = ThisIsMyPassword
Resulting output hash = 30b8bd5829888900d15d2bbe6270d9bc65b0702f
