Hacker Lexicon: What Is Password Hashing?
Digital megabreaches have lately become so commonplace as to be almost indistinguishable on the alarm scale—a hundred million passwords stolen from one social media service one day, a few hundred million more the next. It all becomes a depressing blur. But not all password disasters are equally disastrous. And the difference between a Three Mile Island and a Hiroshima sometimes comes down to an arcane branch of cryptography: hashing.
When hackers compromise a company and get at its collection of users’ passwords, what they find and steal isn’t stored in a form that’s readable by humans—at least if the company has even a pretense of security. Instead, the passwords are stored as cryptographic hashes: random-looking strings of characters produced by running each password through a one-way mathematical function, so that the original password can’t simply be read back out of the stored value. This transformation is called hashing. But just what sort of hashing those passwords have undergone can mean the difference between the thieves ending up with scrambled text that takes years to crack and successfully “cracking” those hashes in days or hours, by guessing candidate passwords, hashing each guess and checking for a match, to recover usable passwords ready to access your sensitive accounts.
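To make the difference concrete, here is an added example (not code from the article) that stores the same constructed set of passwords two ways and then runs a dictionary attack against each. The user list, the wordlist and the low PBKDF2 iteration count are all assumptions made for the demo; a real deployment uses a far higher iteration count or a memory-hard function.

```python
"""Added example (not from the original article): why the choice of hash
matters when a password database leaks.

Assumptions (not from the article): the leaked table is a small constructed
list of users and the attacker's wordlist is a tiny constructed list. The
iteration count is deliberately low so the demo runs quickly.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: a breached user table and an attacker's wordlist.
USERS = {"alice": "sunshine", "bob": "letmein", "carol": "sunshine"}
WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 10_000  # assumed low value for the demo; real systems use far more


# --- Weak storage: one fast, unsalted hash of the password ----------------
def hash_fast(password: str) -> str:
    """A bare SHA-256 of the password: cheap to compute and identical for
    every user who chose the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_fast(stored: dict, wordlist: list) -> tuple:
    """Crack every user's unsalted hash with one precomputed table.

    Returns (recovered passwords, number of hash computations). Because
    nothing is salted, the wordlist is hashed once and each stored hash is
    then just a dictionary lookup, so cost does not grow with the user count."""
    table = {hash_fast(w): w for w in wordlist}
    recovered = {u: table[h] for u, h in stored.items() if h in table}
    return recovered, len(wordlist)


# --- Stronger storage: per-user salt and a deliberately slow KDF ---------
def hash_slow(password: str, salt: bytes | None = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, derived key); the salt is
    stored next to the key in the clear, it only needs to be unique."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_slow(password: str, salt: bytes, key: bytes) -> bool:
    """Re-derive the key from the candidate password and compare in constant time."""
    _, candidate = hash_slow(password, salt)
    return hmac.compare_digest(candidate, key)


def crack_slow(stored: dict, wordlist: list) -> tuple:
    """Brute-force salted hashes. Every user has a different salt, so the
    wordlist must be re-derived per user, and each derivation costs
    PBKDF2_ITERATIONS underlying hash calls. Returns (recovered, KDF runs)."""
    recovered = {}
    kdf_runs = 0
    for user, (salt, key) in stored.items():
        for w in wordlist:
            kdf_runs += 1
            if verify_slow(w, salt, key):
                recovered[user] = w
                break
    return recovered, kdf_runs


def demo() -> dict:
    """Build both tables from the constructed users and attack each."""
    fast_db = {u: hash_fast(p) for u, p in USERS.items()}
    slow_db = {u: hash_slow(p) for u, p in USERS.items()}
    fast_hits, fast_work = crack_fast(fast_db, WORDLIST)
    slow_hits, slow_work = crack_slow(slow_db, WORDLIST)
    return {
        "fast_recovered": fast_hits,
        "fast_hash_ops": fast_work,
        "slow_recovered": slow_hits,
        "slow_hash_ops": slow_work * PBKDF2_ITERATIONS,
        # With unsalted hashes, identical passwords are visible at a glance.
        "fast_alice_equals_carol": fast_db["alice"] == fast_db["carol"],
        "slow_alice_equals_carol": slow_db["alice"][1] == slow_db["carol"][1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both schemes fall to a wordlist that contains the real passwords; the point is the cost per guess and per user. The unsalted table is attacked with five hash computations no matter how many users leaked, and two users with the same password are spotted without cracking anything. The salted, iterated table forces a fresh run of the whole wordlist for each user, and every guess costs thousands of hash calls, which is the gap between "days or hours" and "years" once the user count and wordlist are realistic.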