Table of contents
Start for free
- They must be deterministic - meaning if you hash some data a to become h(a) , a must always hash to the same value.
- They must be collision resistant - meaning that if you hash two different values a and b where a ≠ b , the probability that h(a) === h(b) must be very low (to be more precise, it must be less than 1 divided by the number of possible outputs).
- They must not be reversible - meaning that if you have a hash value h(c) , the probability of knowing c is less than 1 divided by the number of possible hash outputs.
Different types of hash functionsChoosing a hash function must be done depending particular needs and constraints. For example, for simple message transfers or verifying data integrity, using a fast hash function - like MD5 - can be a good option. In other cases, like computing salted password hashes for user authentication, a fast hash function can lead to major security risks, like an increased risk of brute force attacks.MD5 (Message Digest Algorithm 5):
- Outputs a 128-bit (16-byte) hash.
- Vulnerable to collisions + brute force attacks.
- Outputs 160-bit (20-byte) hash.
- Slower than MD5 but has demonstrated cryptographic attacks.
- Not recommended for use due to known collisions.
- Part of the SHA-2 hash function family.
- Outputs 256-bit hash, which adds additional security compared to SHA-1.
- Widely used in cryptographic contexts - certificates, protocols, verifying authenticity.
- Slower than MD5 and slower than SHA-1.
- Latest Secure Hash Algorithm function.
- Outputs 512-bit hash.
- SHA-3 is a part of the broader cryptographic primitive family Keccak.
- Similar performance to SHA-2, including SHA-256.
- Faster than MD5, SHA-1, SHA-2, and SHA-3.
- At least as secure as SHA-3.
- Generally quite widely recommended by cryptographers.
- More than just hash functions: These are adaptive hash functions that can adjust the computational complexity depending on the context.
- As a result, these functions are often used for password hashing because of this property, as it helps prevent brute-force and rainbow table attacks.
- We won’t cover these two functions as they are key derivation functions instead of hash functions. However, if you are looking to convert a password into a cryptographic key, these two functions are widely used, with Argon2 being the current state of the art.
Open-source hashing libraries
Using skiff-crypto for simple, reliable hashesWe’ve published the library skiff-crypto to simplify good cryptography practices. Skiff-crypto has powerful functionality for:
- Asymmetric encryption - Creating keypairs for signing and encryption, then encrypting data using public keys.
- Symmetric encryption - Encrypting objects, text, and more.
- Datagrams - Managing object versions, fields, and metadata.
- Hashing - Generating cryptographically secure hashes.
How to use a hash function
Password hashingHashing is frequently used to authenticate users without storing plaintext passwords (an incredibly insecure practice that is never recommended). Instead of storing passwords directly as plaintext, a secure hash of each password is stored. In this case, choosing a hash that is resistant to brute force attacks is quite important. When a user inputs their password, the password is hashed and compared to the stored hash, verifying the user without exposing the actual password. Note that secure authentication practices also recommend salting passwords, which is not covered in this guide.
Fast data lookupHashing is widely used in map-based data structures, like hash tables, to quickly retrieve stored data. Hashing can convert keys into array indexes, allowing for near-instantaneous lookup, insertion, and deletion operations. Hash functions can even convert objects to array indices, making them powerful options for storing data. Many programming languages include HashMap support for this reason.Questions?We hope this guide was helpful. If you have any questions, reach out to [email protected], open an issue on the skiff-crypto GitHub, or post on our Reddit/Discord/Twitter.
Jason GinsbergThe four biggest cloud security threats and how to prevent themVarious cloud security threats can put your data at risk, but most are preventable. Learn about the common dangers and how to mitigate them.
Andrew MilichWhat is encrypted search?Searching over encrypted data is a unique challenge. What algorithms make it possible?
Andrew Milichskiff-crypto is open-source and MIT licensedOur cryptography libraries are open-source, MIT licensed, and available online.
Nishil ShahTotal Privacy - No Ph.D. RequiredAn Interview with Skiff’s Director of Security.
Andrew MilichWhat’s zero knowledge cloud storage, and how does it work?Zero-knowledge encrypted cloud storage provides critical privacy and security benefits. How does it work, and what are the best end-to-end encrypted cloud providers?
Andrew MilichPCMag Editor’s Choice and moreSkiff was selected for the PCMag Editor's Choice award.