
Alright, so I know this may sound dumb, but I'm having a hard time understanding what encryption would be, since it's different from a hash. I've read up on it, but I'm still not quite sure. So, I was hoping you guys could help me with it.


Encryption vs. Hashing

Nobody really "encrypts" a password, although you could... but you'd be encrypting it with another password, and you would need that password to decrypt the first password. When it comes to passwords, we normally hash them.

  • Hashing is simply one-way. You cannot get the string back, you can only check to see if a string validates against a hash. If your string validates against the hash, this does not guarantee that it's the same "password," but you can log in with it because you've found a collision. The "message"/password is usually limited to a small number of characters, relatively speaking.

  • Encrypting is two-way. For example, you have an algorithm, a key, and a message. Using the key, you can unlock the message. Usually, the message could be of arbitrary size.


Ghetto Flowchart Examples

I made a couple flowcharts that are overly simplified. Hope it helps.

[flowchart image: hashing]

See the above? It doesn't make any sense that you would get the "message" back. Why? You're already entering the password, which is the "message" itself.

Now look at this:

[flowchart image: encryption]

With encryption, you're getting the encrypted message back if the key is correct. You don't get the password back, you use it to unlock the contents.

With hashing, you already have the "message" if it validates, or a collision. What you enter is the message.

Thanks, I now understand the difference between a hash and encryption! :) Before I wasn't really sure what the difference was, and I wasn't sure if I should keep hashing passwords with a salt or encrypting them. But now I fully understand the difference. – Anthony 9 hours ago
    
Heh, I've been there before! :) Use bcrypt. :D – Mark Buffalo 9 hours ago
    
    
Or you could just encrypt the password with something arbitrary as the key (that you don't save), and suddenly it's like you've hashed it... – Mehrdad 3 hours ago
    
@Mehrdad see the link I posted – Ulkoma 3 hours ago

A hash is an irreversible process: one function, 'hash', which cannot be "reversed". Once you have a hash, you can only guess the original password via a brute force attack, which involves hashing a variety of possible passwords until you end up with the same hash value, which indicates that the password you guessed is the same as the original.

Encryption is a reversible process: two functions, 'encryption' <-> 'decryption'; that which is encrypted can be decrypted if you have the key; decryption recovers the original password without guessing.

The security of a hashed password depends largely on the amount of computation required to perform the hash function. The more computation required, the longer it takes; since a brute force attack must repeat that computation for thousands or millions of possible passwords, the longer each individual hash computation takes the less practical the attack becomes.

The security of an encrypted password depends on the soundness of the algorithm and the secret of the key.

The benefit of hashing is that no key is required, which improves the overall security of the system - one less secret piece to be kept out of the hands of the attacker.

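The two answers above make the same distinction from different angles: hashing is one-way (the only route "back" is guessing, and a slow hash makes guessing expensive), while encryption is two-way given the key. The following added example, written for this page and not taken from either answer, shows both in standard-library Python. It uses PBKDF2 with a random salt and an iteration count as the password hash (bcrypt, scrypt or Argon2 are the usual production choices, but the salt-plus-work-factor idea is identical), and a small HMAC-SHA256 counter-mode keystream as the reversible "encryption" half. The keystream construction is an assumption made only to show reversibility; it carries no integrity protection, so real code should use an AEAD such as AES-GCM from a vetted library. Passwords, the candidate list and the key are constructed sample values.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# --- Hashing: one-way, salted, with a tunable work factor ---
ITERATIONS = 200_000  # assumed default; raise it as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex'. Nothing in it can be reversed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-run the hash with the stored salt/iterations and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def brute_force(stored: str, candidates: List[str]) -> Tuple[Optional[str], int]:
    """The only way 'back' from a hash: guess, hash, compare.
    Returns (matching guess or None, number of hash computations spent)."""
    for n, guess in enumerate(candidates, start=1):
        if verify_password(guess, stored):
            return guess, n
    return None, len(candidates)

def time_hash(iterations: int) -> float:
    """Seconds for one hash; this is the cost an attacker pays per guess."""
    start = time.perf_counter()
    hash_password("correct horse", iterations=iterations)
    return time.perf_counter() - start

# --- Encryption: two-way, needs the key both ways ---
# Illustrative keystream: HMAC-SHA256(key, nonce || counter) in counter mode.
# Demonstrates reversibility only; no authentication, not for production use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Same keystream, same XOR: only the right key recovers the message."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

if __name__ == "__main__":
    stored = hash_password("hunter2")                      # constructed sample password
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))
    print(brute_force(stored, ["123456", "password", "hunter2"]))  # constructed guess list
    print(f"1 iteration: {time_hash(1):.6f}s, {ITERATIONS}: {time_hash(ITERATIONS):.4f}s")

    key = os.urandom(32)
    ct = encrypt(key, b"the secret")
    print(decrypt(key, ct))                 # original bytes come back
    print(decrypt(os.urandom(32), ct))      # wrong key: unrelated bytes
```

Running it shows the asymmetry the answers describe: `verify_password` can only say yes or no, `brute_force` has to spend one full PBKDF2 computation per guess (and the timing line shows why the iteration count matters), while `decrypt` hands the original bytes straight back to whoever holds the key and nothing useful to anyone else. Mehrdad's comment about encrypting under a key you then throw away is the same one-way property obtained the long way round: without the key, `decrypt` is no more useful than a hash.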
