Understanding Hash Functions

Hash functions are one-way mathematical algorithms that convert data of any size into a fixed-size string of characters. They are fundamental to cryptography, data integrity, and password storage.

Properties of Good Hash Functions

• Deterministic: Same input always produces same output
• Fast to compute: Quick to calculate hash value
• Pre-image resistance: Hard to reverse (one-way)
• Small changes cascade: Minor input change = completely different hash
• Collision resistant: Hard to find two inputs with same hash

Common Hash Algorithms

MD5 (Message Digest 5)

• Length: 32 hexadecimal characters (128 bits)
• Status: Broken - DO NOT USE for security
• Use case: Checksums only (not security)
• Vulnerability: Collision attacks demonstrated

SHA-1 (Secure Hash Algorithm 1)

• Length: 40 hexadecimal characters (160 bits)
• Status: Broken - deprecated
• Use case: Git commits (legacy), avoid for new systems
• Vulnerability: Collision attacks possible

SHA-256 (SHA-2 family)

• Length: 64 hexadecimal characters (256 bits)
• Status: Secure - widely recommended
• Use case: Certificates, blockchain, data integrity
• Security: No known practical attacks

SHA-512 (SHA-2 family)

• Length: 128 hexadecimal characters (512 bits)
• Status: Secure - high security
• Use case: High-security applications
• Security: Higher security margin than SHA-256

bcrypt

• Format: $2a$10$... (includes salt and cost)
• Status: Secure - recommended for passwords
• Use case: Password hashing
• Features: Adaptive, resistant to brute-force

Argon2

• Format: $argon2i$... or $argon2id$...
• Status: Most secure - winner of Password Hashing Competition
• Use case: Password hashing (recommended)
• Features: Memory-hard, GPU-resistant

Hash Types by Purpose

Cryptographic Hashes (Data Integrity)

Algorithm	Security	Recommendation
MD5	Broken	Never use
SHA-1	Broken	Migrate away
SHA-256	Strong	Recommended
SHA-512	Very Strong	High security
SHA-3	Strong	Modern alternative

Password Hashing

Algorithm	Security	Recommendation
MD5/SHA-1 (no salt)	Insecure	Never use
PBKDF2	Acceptable	If others unavailable
bcrypt	Strong	Recommended
scrypt	Strong	Good choice
Argon2	Excellent	Best choice

Security Considerations

Don't Use Fast Hashes for Passwords

Always Use Salt

Salt is random data added to passwords before hashing to prevent rainbow table attacks:

• Unique salt for each password
• At least 16 bytes (128 bits) of random data
• Store salt alongside hash (it's not secret)

Use Adaptive Cost Factor

Modern password hashing functions allow configurable work factors:

• bcrypt: Cost factor 12-14 (2^12 to 2^14 iterations)
• Argon2: Memory cost, time cost, parallelism
• Adjust over time as hardware improves

Identifying Unknown Hashes

By Length (Hexadecimal)

• 32 chars: MD5 or NTLM
• 40 chars: SHA-1
• 56 chars: SHA-224
• 64 chars: SHA-256, SHA3-256
• 96 chars: SHA-384
• 128 chars: SHA-512

By Format Prefix

• $1$: MD5 crypt
• $2a$, $2b$, $2y$: bcrypt
• $5$: SHA-256 crypt
• $6$: SHA-512 crypt
• $argon2: Argon2
• $pbkdf2: PBKDF2