Difference between Hashing a Password and Encrypting it

前端 未结 9 686
野的像风
野的像风 2020-11-22 02:46

The current top-voted to this question states:

Another one that\'s not so much a security issue, although it is security-related, is complete and abje

9条回答
  •  旧巷少年郎
    2020-11-22 03:24

    Encrypted vs Hashed Passwords

    As shown in the above image, if the password is encrypted it is always a hidden secret where someone can extract the plain text password. However when password is hashed, you are relaxed as there is hardly any method of recovering the password from the hash value.


    Extracted from Encrypted vs Hashed Passwords - Which is better?

    Is encryption good?

    Plain text passwords can be encrypted using symmetric encryption algorithms like DES, AES or with any other algorithms and be stored inside the database. At the authentication (confirming the identity with user name and password), application will decrypt the encrypted password stored in database and compare with user provided password for equality. In this type of an password handling approach, even if someone get access to database tables the passwords will not be simply reusable. However there is a bad news in this approach as well. If somehow someone obtain the cryptographic algorithm along with the key used by your application, he/she will be able to view all the user passwords stored in your database by decryption. "This is the best option I got", a software developer may scream, but is there a better way?

    Cryptographic hash function (one-way-only)

    Yes there is, may be you have missed the point here. Did you notice that there is no requirement to decrypt and compare? If there is one-way-only conversion approach where the password can be converted into some converted-word, but the reverse operation (generation of password from converted-word) is impossible. Now even if someone gets access to the database, there is no way that the passwords be reproduced or extracted using the converted-words. In this approach, there will be hardly anyway that some could know your users' top secret passwords; and this will protect the users using the same password across multiple applications. What algorithms can be used for this approach?

提交回复
热议问题