Hashing — The Magic Password Machine
Hashing is like a one-way magic machine: it turns anything you feed it into a unique-looking secret code, and it is practically impossible to work backwards from that code to the original input.
Imagine you’re joining a secret club, and to enter the clubhouse, you need a special magic word. But here’s the thing: the club doesn’t want to keep a list of everyone’s magic words because if a sneaky villain found the list, they’d know all the magic words and could sneak into the club!
So, the club has a clever plan. Instead of writing down your actual magic word, they have a special magic machine. Every time you tell the machine your magic word, it makes a secret drawing of squiggles and shapes — let’s call it a hash. The best part is, even if the sneaky villain gets the drawing, they’ll never be able to figure out the magic word just by looking at it.
Here’s how it works:
1. When you join the club:
   - You tell the club your magic word; let’s say it’s “dragonfly.”
   - The club puts “dragonfly” into the magic machine, and it creates a special drawing, like this: “swirly-squiggle-zap.”
   - Instead of writing down “dragonfly,” the club only saves “swirly-squiggle-zap” in their secret book.
2. When you want to enter the clubhouse:
   - You say “dragonfly” again at the door.
   - The club puts “dragonfly” back into the magic machine.
   - If the machine makes the same “swirly-squiggle-zap” drawing as the one in the club’s secret book, they know it’s you, and you’re allowed inside!
Even if a sneaky villain manages to steal the club’s secret book, all they would see is a bunch of drawings like “swirly-squiggle-zap.” They’d have no idea that your magic word was “dragonfly”!
And to make things even trickier for the villains, sometimes the club adds a sprinkle of magic dust called salt to your magic word before putting it in the machine. This makes the drawings even more unique!
So, whenever you type your password into a website, it’s like giving your magic word to a secret club. They never save the word itself, just the special drawing, so no one can figure out what your password is — even if they find the secret book!
In the Real World
When you enter your password on a website, the website doesn’t store the actual password. Instead, it stores a hash of the password.
Here’s how it works step by step:
- During signup:
  - You create a password (e.g., “mySecret123”).
  - The website uses a hashing algorithm to turn that password into a hash (e.g., “ab12c3def45…”).
  - The website stores this hash in its database, not your actual password.
- During login:
  - You enter your password again (e.g., “mySecret123”).
  - The website hashes the password you just entered using the same hashing algorithm.
  - It then compares this new hash to the one it stored in the database during signup.
If the two hashes match, it means you entered the correct password, and the website lets you in. If the hashes don’t match, it means the password was incorrect.
Since hashing is always consistent (same input gives the same output), it allows websites to verify your password without ever storing or revealing your actual password. Even if someone hacks the database and steals the password hashes, they still wouldn’t be able to easily reverse them back into your real password.
For extra security, many websites also add a salt — a random string of characters mixed with your password before hashing — to make the hashes even harder to crack.
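The signup and login steps above, with a salt, as an added example that is not part of the original article. It assumes PBKDF2-HMAC-SHA256 from Python’s standard library as the “hashing algorithm” (the article does not name one), a 16-byte random salt stored next to the hash, and a constant-time comparison at login.

```python
import hashlib
import hmac
import os

# Assumptions for this example (not from the article): PBKDF2-HMAC-SHA256 stands in for
# the unnamed hashing algorithm, and the iteration count is illustrative.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """The 'magic machine': same password + same salt always yields the same hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def signup(password: str) -> dict:
    """Signup: draw a fresh random salt, store salt and hash, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt)
    # This record is what goes into the 'secret book' (the database).
    return {"salt": salt.hex(), "hash": digest.hex()}


def login(password: str, record: dict) -> bool:
    """Login: re-hash the typed password with the stored salt and compare to the stored hash."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt)
    # compare_digest takes the same time regardless of where the bytes differ,
    # so the comparison itself leaks nothing about the stored hash.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    record = signup("mySecret123")  # sample password taken from the article
    print("stored record:", record)
    print("correct password accepted:", login("mySecret123", record))
    print("wrong password rejected:  ", not login("mySecret124", record))
    # Same password, second signup: a different salt gives a different stored hash,
    # so two users with the same password do not share a hash in the database.
    print("salt changes the hash:", signup("mySecret123")["hash"] != record["hash"])
```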
In the next article, we will explore how hashing is hardened with additional security constraints.