Glossary · 2 min read

Hashing

A one-way mathematical function that converts input data into a fixed-length string, used for password storage and data integrity verification.

Hashing is a one-way function that takes an input of any size and produces a fixed-length output called a hash or digest. Unlike encryption, hashing has no key and is intentionally irreversible: a cryptographic hash function is designed so that you cannot recover the original input from the hash (preimage resistance), cannot find a second input with the same hash (second-preimage resistance), and cannot find any two inputs that collide (collision resistance). A single changed bit in the input produces a completely different digest. These properties make hashing essential for password storage, data integrity checks, and digital signatures, where the signature is computed over the hash of the message rather than the message itself.

How It Works

When a user creates an account and sets a password, the application should never store the plaintext password. Instead, it computes a hash of the password and stores that. When the user logs in later, the application hashes the provided password and compares it to the stored hash. If they match, the password is correct. If the database is compromised, attackers get hashes rather than plaintext passwords, and must guess and hash candidate passwords offline to recover any of them; how hard that is depends entirely on the hashing algorithm and its configuration.

Not all hashing algorithms are suitable for passwords. General-purpose hash functions like SHA-256 are fast by design, which makes them poor choices for password hashing because attackers with GPUs can test billions of candidates per second. Purpose-built password hashing algorithms like bcrypt, scrypt, and Argon2 are intentionally slow, with a tunable work factor, and scrypt and Argon2 are additionally memory-hard, so each guess costs a large amount of RAM and parallel cracking on GPUs or ASICs gives far less speedup. They also incorporate a random salt, a unique value generated for each password and stored alongside the hash, which defeats precomputed rainbow tables and ensures identical passwords produce different hashes. The comparison of the recomputed hash against the stored one should be done in constant time so that timing differences do not leak information.
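The registration and login flow from the two paragraphs above, as an added example that is not code from the original page. It uses scrypt from Python's standard library (`hashlib.scrypt`, which requires OpenSSL 1.1 or newer) so that it runs without third-party packages; the record format `scrypt$n$r$p$salt$hash`, the parameter values, and the helper names are assumptions chosen for this illustration, not a standard. The stored record carries its own parameters so that the work factor can be raised later and old records re-hashed on the next successful login. An unsalted SHA-256 helper is included only to show why it is the wrong tool.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example. n=2**14, r=8, p=1 costs about 16 MiB
# and tens of milliseconds per hash; raise n on production hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Derive a DKLEN-byte key from password+salt with the given cost parameters."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
        maxmem=64 * 1024 * 1024, dklen=DKLEN,
    )


def hash_password(password: str) -> str:
    """Registration: fresh random salt per password, self-describing record."""
    salt = os.urandom(SALT_BYTES)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def _parse(stored: str):
    """Split a record into (n, r, p, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        return int(parts[1]), int(parts[2]), int(parts[3]), \
            bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None


def verify_password(stored: str, candidate: str) -> bool:
    """Login: re-derive with the record's own parameters, compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    actual = _scrypt(candidate, salt, n, r, p)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than the current ones."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return n < SCRYPT_N or r != SCRYPT_R or p != SCRYPT_P


def unsalted_sha256(password: str) -> str:
    """What NOT to do: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("wrong pw:", verify_password(record, "Correct horse battery staple"))
    # Two users with the same password: scrypt records differ, SHA-256 does not.
    print("salted differ:", hash_password("hunter2") != hash_password("hunter2"))
    print("unsalted equal:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

On each successful login, call `needs_rehash` on the stored record and, if it returns true, replace it with `hash_password(candidate)`; the plaintext is only available at that moment, so this is the only place a migration to stronger parameters can happen.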

Beyond passwords, hashing verifies data integrity. File downloads are published with checksums so users can verify the file was not corrupted or tampered with in transit; note that a checksum served from the same location as the file only detects corruption, since an attacker who can replace the file can replace the checksum too, which is why release checksums are often signed. Git identifies commits, trees and blobs by their SHA-1 hash (with SHA-256 available as an alternative object format), so any change to history changes every later commit ID. Content-addressable storage systems use the hash of the content as its key, so identical data is stored once and duplicates are detected for free.
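The integrity uses from the paragraph above, as an added example that is not code from the original page: chunked SHA-256 of a file, verification against a published digest in the `sha256sum` manifest format, and a toy content-addressable store that deduplicates by digest. The file content, manifest text and class name are constructed for this illustration; the digest of `"abc"` is the well-known SHA-256 test vector.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large files never load into memory


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path: str, expected_hex: str) -> bool:
    """Equivalent of `sha256sum -c` for one file; constant-time comparison."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines '<hex>  <name>' (or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.lstrip(" *")] = digest.lower()
    return entries


class ContentStore:
    """Toy content-addressable store: key = SHA-256(content), so duplicates collapse."""

    def __init__(self):
        self._blobs = {}

    def put(self, data: bytes) -> str:
        key = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(key, data)  # second copy of same bytes is a no-op
        return key

    def get(self, key: str):
        return self._blobs.get(key)

    def __len__(self) -> int:
        return len(self._blobs)


def demo() -> dict:
    """Write a constructed release file, verify it, tamper with one byte, verify again."""
    manifest = (
        "# constructed manifest for this example\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  release.bin\n"
    )
    expected = parse_manifest(manifest)["release.bin"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "release.bin")
        with open(path, "wb") as f:
            f.write(b"abc")  # constructed content; SHA-256("abc") is a known vector
        before = verify_checksum(path, expected)
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(b"x")  # tamper with a single byte
        after = verify_checksum(path, expected)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
    store = ContentStore()
    k1, k2 = store.put(b"same bytes"), store.put(b"same bytes")
    print("dedup:", k1 == k2, "blobs stored:", len(store))
```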

Why It Matters

Weak password hashing is a critical vulnerability. Applications that store passwords in plaintext, use unsalted hashes, or rely on fast general-purpose algorithms like MD5, SHA-1 or even SHA-256 put every user at risk if the database is compromised: a single leaked table can be cracked at scale, and because users reuse passwords, the damage extends to other services. Encoding or hashing a password once with a fast function and calling it "encrypted" is a common finding. During security assessments, how an application stores and compares passwords is a key area of review.

Choosing the right algorithm and configuration matters. Argon2id is currently recommended for new applications (the OWASP Password Storage Cheat Sheet gives a minimum of 19 MiB of memory, 2 iterations and 1 degree of parallelism), with bcrypt (work factor 10 or higher) as a well-established alternative, and scrypt where those are unavailable. The work factor should be tuned on the production hardware so that hashing a single password takes on the order of a few hundred milliseconds (this page suggests at least 250 ms), balancing security against login latency, and should be raised periodically as hardware gets faster.

Need your application tested? Get in touch.
