A Quick Guide to Hashing in Cryptography

Last Updated on July 8, 2023 by Aram

This article provides an introduction and a quick guide to hashing in cryptography.

What is Hashing?

Hashing is a method to convert a given data to a fixed-length data called Hash value or Digest.

A hash function applies advanced mathematical formulas on data to produce the hash value.

Hashing is a one-way method that is practically infeasible to reverse or un-hash.

It might be possible that 2 different inputs would generate the same Hash value, this is known as Hash Collisions.

Hashing in Cryptography

Hashing in general has different use cases and applications in Mathematics, Software Development, File sharing, Networking, and our key topic here Cryptography.

In cryptography, hashing is useful for verifying data integrity, authenticity and secure storage.

A cryptographic hash function does the same work of a regular hash function but with strict security properties.

Properties of Cryptographic Hash Functions

For a hashing function to be considered as cryptographic or secure, it must obtain the following properties:

Collisions Resistance

It should be computationally infeasible to find same hashes for 2 different inputs. In practice, Hashing functions that have reported collisions are no longer considered cryptographic.


It should be computationally very hard and infeasible to reverse the hash.

Avalanche effect

Any bit of change in the data should cause an ‘avalanche effect’ and hugely change the digest.


It should be fairly fast to compute a hash for any given input size.


A Generated hash value should always be the same for the same input.


It should be very hard to predict the input data from its hash.

Use Cases of Hashing in Cryptography

  • Storing & validating Passwords
  • Generating & Verifying Digital signatures
  • Users Authentication and data transfer using JSON Web Tokens (JWT)
  • Blockchain & Cryptocurrencies

Cryptographic Hashing Functions

You can build your own cryptographic hash function, but that would require an advanced knowledge in Mathematical implementation of a strong and secure hashing algorithm.

Instead, you should use a well-known and strong cryptographic hash functions that have worldwide implementations and haven’t been broken yet or collisions detected.

So let’s take a quick look at the available cryptographic hashing functions:

Message Digest – MD

MD Family has 5 hashing functions that have been demoted from being cryptographic.

MD5 hashing in specific is no longer considered secure but it can still be used to verify integrity of files.

Secure Hash Algorithms (SHA)

A series of secure hashing algorithm families starting from SHA-0, SHA-1, SHA-2 and SHA-3.

SHA-2 family includes 6 variants most commonly used are:

SHA-256 and SHA-512.

256 means it will generate a hash value of size 256 bits (32 bytes) while 512 bits will generate 64 bytes of hash value.

SHA algorithms, particularly SHA-2 and SHA-3 are used in:

  • Cryptocurrencies like (Bitcoin)
  • Transport Layer Security (TLS)
  • Internet Security Protocol (IPsec)
  • Digital Signatures using Hashed Message Authentication Codes (HMAC)

SHA-3 family includes 4 variants most commonly used are:

SHA3-256 and SHA3-512.

SHA-3 has similar use cases for SHA-2 and has started to replace SHA-2 wherever is required.

SHA-3 runs on different hashing algorithm than SHA-2 and is reportedly faster than SHA-2 in some architectures.

Both SHA-2 and SHA-3 have been standardized by the National Institute of Standards and Technology (NIST).

Prior versions of SHA, including SHA-0, SHA-1 are no longer adopted and are no longer recommended for security use due to collisions and reported weakness and attacks.

NIST recommends that federal agencies transition away from SHA-1 for all applications as soon as possible.

Attacks on the Cryptographic Hashing Functions

An attack on a cryptographic hashing function is tailored to break any of its security properties.

Rainbow Table Attack

Uses a table of precomputed hash values to find passwords from leaked table of hashed passwords.

Brute-Force Attack

Implies that the attacker will use computing power to keep guessing the password until a match is found.

Collision Attack

Finding 2 inputs that would produce the same hash value is called collision. This attack reported for MD5 hashing function and thus was demoted from being cryptographic, along with being a fast function.

Attacks Mitigation

With Salt and Pepper

Rainbow table attacks are now weak against Salted Passwords.

Salting a password means you apply a cryptographically secure random characters to the password before hashing them.

The Salt is stored beside the hashed password to be used for verifying the password.

Another technique can be used which is peppering (secret salt).

A cryptographic Pepper have similar properties to a salt and can further enhance the salted password security with another level of security.

The difference is that the pepper should be kept secret somewhere other than the database, in case the database was breached with hashes and salts, it will be impossible for the attacker to crack the passwords without knowing the pepper

Brute-force attacks can be weakened and slowed-down by introducing key-derivation functions that implement the key stretching techniques.

Key-derivation functions include PbKDF 2 (with high iterations), scrypt, bcrypt, Argon2id, Balloon Hashing.

Key Stretching

A core technique in the key derivation functions.

It implies strengthening or stretching a weak key, or a password, by applying a secure hashing function a big number of times as well as a secure salt.

This will make it computationally hard and/or require larger memory space to compute the hash, thus making it harder for an attacker to apply brute force attack.

Rate Limiting and Whitelisting

These can further minimize Brute-force attacks as well as Denial of Service Attacks.

Multi-factor authentication

Applying the MFA or 2FA (2-Factor Authentication) can further secure your authentication process. This includes a biometric, and/or a one-time password (OTP) sent to phone, email or authenticator app.


In this article we learned about hashing functions and what it takes to consider them as cryptographic, we got introduced to the different properties of a cryptographic hashing function.

This was only the tip of the iceberg, there is a lot more to learn in this widely important topic in security and cryptography.


Cryptographic hash function

Cryptographic Hash Functions: Definition and Examples

Key derivation function

Password Storage Cheat Sheet


Promote your product, company, or your work in front of Software engineers and technology specialist.

Contact me over aram@codingsonata.com for sponsorship or other collaborations.


Here is a lovely music to enjoy your weekend with.

Leave a Reply