Fundamentals of Password Storage and Hash Functions

Passwords are a fundamental component of authentication in IT systems. A core principle of information security is that passwords must never be stored in plaintext. Instead, they are hashed: a one-way transformation produces a representation from which the password cannot be directly recovered.

Basic Principle of Password Storage

When storing a password, the system does not save the password itself but a derived value, known as a hash.

During registration, the system computes a hash value from the chosen password and stores only this result. During authentication, the same process is applied again. The entered password is hashed and compared to the stored value. If both values match, authentication is successful.

This approach ensures that the system never needs to know or permanently store the password in plaintext. Even if a database is compromised, the stored values are not directly usable as passwords. However, the actual level of security depends heavily on the chosen hashing function and its configuration.

Hash Functions

A cryptographic hash function is a mathematical algorithm that maps input data of arbitrary length to a fixed-length output. For password storage, three properties are particularly relevant.

A hash function must be designed as a one-way function, meaning that it should not be feasible to recover the original password from the hash value. At the same time, it is deterministic, ensuring that identical inputs always produce identical outputs. In addition, collision resistance is required, meaning that it should be practically impossible to find two different inputs that produce the same hash.

Traditional hash functions such as MD5, SHA-1, or SHA-256 generally fulfill these properties but are not suitable for password storage. The main issue is not their cryptographic structure, but their high computational speed.

Problem of Computation Speed

The efficiency of traditional hash functions becomes a security issue in the context of password storage. An attacker can systematically test large numbers of possible passwords and compare the resulting hashes with stored values.

With specialized hardware such as GPUs or ASICs, billions of hash computations per second are possible. As a result, weak or commonly used passwords can often be identified in a very short time.

Salt

To improve security, an additional value known as a salt is used in password storage. A salt is a random string that is combined with the password before hashing.

The resulting computation follows the principle:

Hash = HashFunction(Password + Salt)

The use of a salt ensures that identical passwords no longer produce identical hashes. This prevents attackers from identifying users who share the same password. In addition, a salt prevents the efficient use of precomputed attacks such as rainbow tables, since separate precomputations would be required for each individual salt.

Another important effect is that attack results cannot be reused. Even if a password is successfully recovered for one hash, this knowledge cannot be directly applied to other hashes. Each entry must be attacked individually, significantly increasing the overall effort.

A salt is not secret and is stored together with the hash. What matters is that it is sufficiently long and generated using a cryptographically secure random source.

Modern Password Hashing Algorithms

Because traditional hash functions are not suitable for password storage, specialized algorithms have been developed for this purpose. These algorithms deliberately increase the computational cost of hashing and thereby make large-scale attacks significantly more difficult.

bcrypt is based on Blowfish and allows configuration of a work factor that controls the required computation time per hash. scrypt extends this approach by additionally enforcing high memory usage, making attacks with specialized hardware significantly more expensive.

Argon2 is considered the current state of the art and emerged from the Password Hashing Competition. It allows fine-grained control over computation time, memory usage, and parallelism. In practice, the Argon2id variant is generally recommended.

The key difference compared to traditional hash functions is the intentional increase in computational cost. This significantly raises the effort required for each individual attack attempt and provides a substantial security advantage, especially in large-scale attack scenarios.
