What's the difference between Encrypting, Hashing and Salting passwords?
When it comes to storing passwords securely, three phrases get bandied about - and often confused.
Encryption, Hashing and Salting are all useful techniques. However there is a right time and a wrong time to use them, depending on what you're trying to achieve.
Encryption means scrambling data so that it can only be decoded by those who have the key. This protects it from unauthorized parties - but you have to protect your key.
Hashing, in cryptographic terms, is a one-way transformation that cannot be reverse-engineered. It's great for online authentication and adding trust, such as ensuring a download hasn't been tampered with. For instance, you may have seen a "MD5 value" given to a piece of open-source software.
However, the hash value of "P@ssw0rd1" is always going to be the same, so if your attacker has a big old database of password hashes (which they will do) then hashing passwords isn't enough.
So that brings us to "Salting" which involves adding random "noise" to your data before you hash it. This is the recommended way to store passwords securely, as it makes brute-forcing hashed passwords almost impossible.
