Introduction
Hashing turns input of any size into a fixed-size fingerprint. It’s used for checksums, deduplication, and password storage (with the right algorithm). Here's the idea and how it's used in practice. Choosing the right algorithm matters: use SHA-256 or SHA-3 for integrity and fingerprinting, and a dedicated password hashing function (bcrypt, Argon2) with a salt for passwords. We'll spell out the difference and how to use hashes without shooting yourself in the foot.

What Is Hashing
A hash function takes an input (string, file, etc.) and produces a fixed-length output (the hash or digest). The same input always gives the same hash; a tiny change in input should change the hash completely. Good hash functions are deterministic, fast to compute, and make it infeasible to find two inputs with the same hash (collision resistance).
Why It Matters
Hashes are used to verify integrity (did the file change?), to index and deduplicate data, and in security (password hashing, HMACs). Choosing the right algorithm (e.g. SHA-256 for integrity, bcrypt for passwords) matters for correctness and security.
How to Calculate It
Real-Life Example
Downloading a file: the site gives you SHA-256: a1b2c3.... After download, you hash the file locally. If the result matches, the file is unchanged. For passwords: on signup you hash the password with bcrypt and store the hash. On login you hash the submitted password and compare with the stored hash; you never store the plain password.
Common Mistakes
- Using a fast hash (e.g. MD5, plain SHA-256) for passwords: use bcrypt, Argon2, or similar.
- Not using a salt for password hashing.
- Comparing hashes with == in a way that’s vulnerable to timing attacks (use constant-time compare).
- Assuming hashes are reversible; they’re not.
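The download check and the signup/login flow from the Real-Life Example, together with the constant-time comparison from Common Mistakes, as an added example (not part of the original article). It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt/Argon2 so it runs without third-party packages; the `algorithm$iterations$salt$hash` storage format is an assumption made here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the slow password hash (OWASP's current guidance for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def sha256_hex(data: bytes) -> str:
    """Fixed-size fingerprint for integrity checks; a fast hash is fine here."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Hash the downloaded bytes locally and compare with the digest the site published.
    hmac.compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash for storage. A fresh random salt is drawn per password,
    so two users with the same password get different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time.
    The plaintext is never stored; only the derived hash is."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy format: reject rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample data: a one-byte change flips the whole digest.
    original = b"constructed sample download"
    print(sha256_hex(original))
    print(sha256_hex(original + b"!"))
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```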
Practical Tips
- Use SHA-256 or SHA-3 for integrity and fingerprinting.
- For passwords, use a dedicated password hashing function (bcrypt, Argon2) with a salt.
- Never store plain passwords; store only the hash (and salt).
- Use constant-time comparison for security-sensitive hash checks.
- Treat MD5 and SHA-1 as broken for security; use them only for non-security checks (e.g. dedup).
FAQs
Conclusion
Hashing gives you a fixed-size fingerprint of data. Use it for integrity and dedup; for passwords use a slow, salted password hash. Pick the right algorithm for the job.