What is a hash function?A hash function is a one-way function that scrambles the data that is passed to it in a way that is impossible to reverse. The key properties a hash function must have are:
- Every time you hash the same data you get the same answer.
- Given a hash of some (unknown) data, it should be (nearly) impossible to guess what the input data was.
Notes for Nerds: most hash functions produce output that is smaller than the input, therefore they suffer from what are known as collisions. A collision is when two different inputs produce the same output. In a collision attack, an attacker tries to find any two inputs that hash to the same value. Some hash functions, for example MD5 have been found to be vulnerable to collision attacks. However guessing the input that produced a given output is called a (first) preimage attack, and these usually require brute-force to perform, i.e. an attacker simply keeps guessing until they get a match, and here the speed with which each individual application of the hash function can be performed becomes critical. Many people consider MD5 to be simply “too fast”, and recommend the use of slower hash functions that make brute-forcing harder. Another way to slow down brute-forcing is to repeatedly apply the hash function many times. This is sometimes called hash-stretching.
How hashes are used to protect passwords
- Take the hash of the original password and store it.
- When the user re-enters their password take the hash of the new password.
- If the new hash matches the old hash then let them in, otherwise refuse entry.
Notes for Nerds: password databases usually also apply salt to the passwords before hashing them. This is a technique that guards against an attack where an attacker precomputes a table consisting of the hashes of a large number of common passwords (like “password123”) and then simply looks up a stolen hash in the table to see which password generated it. To guard against this a large random number (or string) is added to the user’s password before hashing it. This is called a salt, and it must be different for each password. Obviously the salt has to be stored along with the hash otherwise it would be impossible to verify a user’s password, but, even though an attacker will have the salt, because it is different for each password they cannot precompute a lookup table. The attacker’s only option is to brute-force the hash by guessing passwords and hashing them along with the salt. If combined with hash-stretching this can be a very effective technique for protecting passwords.
Do not attempt to invent your own algorithm for storing passwords. There are libraries available for doing this. Speak to a security expert.
Creating hashes in AndroidIn Android hashes can be created using the
Want to keep
University of Southampton online course,
Secure Android App Development
Secure Android App Development
Our purpose is to transform access to education.
We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.
We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.