
Evidence of Learning #4

Date: March 15, 2020

Subject: Hashing vs Encryption

Citation:
Arias, Dan, and Howdy. “Hashing Passwords: One-Way Road to Security.” Auth0, 30 Sept.
2019, auth0.com/blog/hashing-passwords-one-way-road-to-security/.

Glossary:
Cleartext/Plaintext: Password in an unencrypted form
Message/Pre-Image: The input into the hash function (cleartext would be the message in my
case)
Hash: The function that is outputting the string
Deterministic Function: A function that, given the same input, produces the same
output (Example: Math)
Salt: Extra characters added to the hash to make it harder to decipher by external threats
Brute Force Attack: Hacker attack in which they enter random passwords until they find a
matching hash
Rainbow Table Attack: Hacker attack in which they utilize a large database of precomputed hash
chains to find the input of stolen password hashes.
Hash Chain: A row in a rainbow table
Collision Attack: An attempt to find two pre-images that produce the same hash (NOT
DESIRABLE)

Analysis:
This article discusses the difference between hashing and encryption, specifically in
terms of password security. The article begins by emphasizing the importance of not storing
cleartext passwords. It then transitions to discussing the process of hashing, specifically how it’s
a highly efficient and secure way to store passwords. The reason is that it is
extremely difficult to regenerate the original input from a hash. The article proceeds to compare the hashing
process to encryption. The main difference between the two processes is that encryption is seen
as a two-way function, meaning it's able to both encrypt and decrypt passwords, while hashing only
encrypts. This may seem counterintuitive, but hashing is seen as the more secure way to
store passwords because of its inability to be decrypted. In other words, if someone steals the
hashed passwords, they will be unable to decrypt the password as long as it’s salted, making the
passwords highly secure. The article proceeds to discuss different hashing algorithms, such as
Message Digest (MDx) and Secure Hash (SHA). The article provides code examples that explain
the output of these algorithms and its significance to password security. The third major topic of
this article is the explanation of why hashing is irreversible. The article explains this with
modulus, a math function that computes the remainder of the problem. However, since there are
so many problems that can produce a remainder, say of 2 for example, it's practically impossible
to determine the initial problem. This is very similar to the concept of hashing: the product
produced can be created by a large variety of inputs into the function, not just one. Lastly, the
article discusses the limitations of hashing. At this point, the article refers to standard hash
decryption attacks, such as brute force and rainbow table attacks. The article uses these attacks to
emphasize the necessity of adding salt to hashes. The article concludes by emphasizing the
importance of hashing in password security.

This article was extremely relevant in terms of my original work. Before reading this
article, my mentor had introduced the concept of hashing to me and suggested using it to encrypt
my passwords. This article solidified my understanding of hashing, including its importance and
its implementation by utilizing analogies and providing sample algorithms and their output. Now
being exposed to these industry-standard algorithms, I can implement them into my application
in order to encrypt my passwords. However, most importantly, this article clearly explained how
to use hashing to encrypt passwords. Even though I had read articles before that discussed the
difference between encryption and hashing, I still did not completely understand how this
difference applied to my original work. This article cleared up those misconceptions by
explaining how hashing is actually a more secure encryption because it can’t be decrypted.
Therefore, rather than encrypting and decrypting passwords like I had previously envisioned, the
application will be a vault that can be opened by hashing the user's entered password. Then, the
application will compare this newly inputted hashed password with the hashed password stored
for that username. If they match, the vault will be unlocked and the user will be able to access
their passwords. This process of unlocking the vault will allow me to utilize the security
measures of hashing.
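
The unlock flow described above, with the salt from the glossary, as an added example (not code from the Auth0 article or from the application this report describes). The names `register`, `unlock` and the in-memory `store`, and the choice of PBKDF2-HMAC-SHA256 as the hash, are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Example values chosen for this sketch (assumptions, not from the article).
PBKDF2_ITERATIONS = 200_000   # raise as far as login latency allows
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash of the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(store: dict, username: str, password: str) -> None:
    """Keep only a per-user random salt and the hash, never the cleartext."""
    salt = os.urandom(SALT_BYTES)
    store[username] = (salt, hash_password(password, salt))


def unlock(store: dict, username: str, entered: str) -> bool:
    """Re-hash the entered password with the stored salt and compare."""
    record = store.get(username)
    if record is None:
        # Unknown user: spend the same hashing time so response timing
        # does not reveal which usernames exist.
        hash_password(entered, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = record
    # compare_digest runs in constant time, so the comparison itself
    # leaks nothing about how many leading bytes matched.
    return hmac.compare_digest(hash_password(entered, salt), stored_hash)


def demo() -> dict:
    """Constructed sample accounts: two users who picked the same password."""
    store = {}
    register(store, "alice", "correct horse battery staple")
    register(store, "bob", "correct horse battery staple")
    return {
        "right_password": unlock(store, "alice", "correct horse battery staple"),
        "wrong_password": unlock(store, "alice", "Tr0ub4dor&3"),
        "unknown_user": unlock(store, "mallory", "anything"),
        # Different salts give different hashes for the same password, so one
        # precomputed (rainbow) table cannot cover both accounts.
        "hashes_differ": store["alice"][1] != store["bob"][1],
    }


if __name__ == "__main__":
    print(demo())
```
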

Overall, this article was extremely informative. I was able to learn many new concepts as
seen with the glossary. Additionally, the literacy level of the article was perfect based on my
current understanding of hashing, as I was able to understand even the seemingly complex
aspects of hashing because of the analogies and easy-to-understand diction. Furthermore, this
article cleared up a vast majority of my confusion regarding the implementation of hashing into
my original work by giving a step-by-step process on how to utilize hashing to secure passwords.
With this newly gained knowledge, I believe I will be able to complete the framework of my
application, which includes the primary functions, generating and encrypting passwords. This
understanding of hashing marks a significant milestone in my original work development,
milestones which I look forward to meeting in the upcoming weeks.
