What is the purpose of hashing?

The main purpose of hashing is to verify the integrity of a piece of data.

Since the hash generated is, for all practical purposes, UNIQUE to the input data (with a secure hash function, finding two different inputs that produce the same hash is computationally infeasible), it acts as a “fingerprint” of the input data.

This makes a hash useful for verifying the integrity of data sent through insecure communication channels like the internet. Data integrity just means that the data has not been altered in an unapproved way.

The hash value of received data can be compared to the hash value of data before it was sent to determine whether the data was altered.

If I post both the message and the hash value I generated from it, you can generate a hash value from the message that you received and compare the hash values.

Using a very simple example, let’s say we’re about to meet up for lunch, and right before I head out the door, I remember our last time together…

Body odor

While your personality was really nice, your smell was not nice at all. 😬

So I want to send you a message, “Please wear deodorant.”

But before I send this, I run it through a hash function (SHA-256). The hash is:

33ebb528eab107766343d0ac591952bb68ee959d45b7a8b399628e662f3bc1ef

I send you this hash first.*

THEN I send you the actual text message.

Once you receive my message, you think, “WTF? Did he really just say that to me? Or was the message intercepted during transit and the original message was altered?”

Armpit stinks

So you run the message through the same hash function.

33ebb528eab107766343d0ac591952bb68ee959d45b7a8b399628e662f3bc1ef

You then compare your hash versus the hash that came before the text message.

If both hash values are the same, then this proves that:

  1. The message arrived exactly as it was sent.
  2. That your armpits really do stink!
  3. The message has not been deliberately altered by someone between me sending it to you and you receiving it.

Of course, in the real world, it is our computers that do all this for us.

And hopefully, you keep your armpits smelling fresh. 😅

*Technically, before I send you the hash, it should be protected in some way, but I wanted to keep the example simple. How the hash stays protected during transit will be covered in a later lesson.

Real-World Example of Hashing: Online Passwords

This might surprise you, but you probably encounter hashing in your daily life… whenever you log in to check your email. 📧

Email uses hashing

When you create an email address and password, your email provider likely does not save your actual password.

Instead, your email provider runs the password through a hash function and saves the hash of your password.

Every time you attempt to log in to your email account, your email provider hashes the password YOU enter and compares this hash to the hash it has saved.

Only when the two hashes match are you authorized to access your email.

Let’s see why they do NOT save your actual password…

Password in Plaintext

If the actual passwords are stored and hackers break into the provider’s system, they can steal every one of them. This is definitely not good for users who use the same password for multiple websites!

A solution is to hash the password…

Hash Password

By hashing a password, the company protects user information. Even if a hacker breaks into the system, they won’t have access to actual passwords, just the hashes.

Remember, hashes are irreversible, so a hacker can’t work backwards from the hash to the actual password. Hashing ensures that the data is stored in a scrambled state, so a stolen database does not hand over the passwords themselves.

Password Hashed and Protected

Whenever you log in, your email provider doesn’t need the plain text password; all it needs is the hash.

When you enter your password, it is run through the hash function.

The output is matched against the hash that is saved in the database.

If the hash values are the same, the password is correct.

A wrong password would produce a different hash from the one saved. The hashes would NOT match, so your login attempt would FAIL.

So as you can see, a hash function garbles data and makes it unreadable. Even if a hacker gains access to your email provider’s server, the details stored can’t be unscrambled.
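Both halves of the lesson, the lunch-message integrity check and the password login check, in one added example (this is illustrative code written for this page, not code from the original post). It goes one step beyond the text: the password part uses a salted, deliberately slow PBKDF2-HMAC-SHA256 hash rather than a bare SHA-256, which is how providers actually store passwords; the message, the sample password and the iteration count are constructed values.

```python
import hashlib
import hmac
import os

# --- Part 1: integrity check with a plain SHA-256 hash (the lunch example) ---

def sha256_hex(message: str) -> str:
    """Return the SHA-256 digest of a UTF-8 string as lowercase hex."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()

def integrity_ok(received_message: str, expected_hash: str) -> bool:
    """Recompute the hash of what arrived and compare it with the hash sent ahead.
    compare_digest avoids leaking information through comparison timing."""
    return hmac.compare_digest(sha256_hex(received_message), expected_hash)

# --- Part 2: password storage. Real providers do not store a bare SHA-256;
# they use a salted, deliberately slow password hash. PBKDF2-HMAC-SHA256
# from the standard library stands in for that here. ---

PBKDF2_ROUNDS = 600_000  # iteration count; assumed value, tune to your hardware

def store_password(password: str) -> dict:
    """Hash a new password with a fresh random salt; only this record is saved."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}

def check_password(record: dict, attempt: str) -> bool:
    """Hash the login attempt with the saved salt and compare it to the saved hash."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])

if __name__ == "__main__":
    # Constructed sample message, matching the lunch example in the text.
    original = "Please wear deodorant."
    sent_hash = sha256_hex(original)
    print(integrity_ok(original, sent_hash))                # True: arrived intact
    print(integrity_ok("Please wear cologne.", sent_hash))  # False: altered in transit

    record = store_password("correct horse battery staple")  # constructed sample password
    print(check_password(record, "correct horse battery staple"))  # True
    print(check_password(record, "wrong password"))                # False
```

Two users with the same password get different records because each gets its own salt, which is exactly why a leaked table of hashes cannot be matched up against a precomputed list.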