Intermediate · Authentication · 14 min read

Password Security & Hashing Explained

Understand how passwords are stored, why hashing and salting matter, and how to build genuinely strong authentication for your own accounts.

What you'll learn

  • Explain the difference between encryption and hashing
  • Understand salts and why they defeat rainbow tables
  • Adopt a practical strong-authentication routine

Passwords are the front door to nearly every account you own. Understanding how they are stored — and attacked — turns vague advice like "use a strong password" into something you actually understand and act on.

1. Hashing is not encryption

Encryption is reversible: with the key, you get the original back. Hashing is a one-way function: you cannot reverse a hash to recover the input. Well-designed systems never store your actual password — only its hash.

```bash
# The same input always produces the same SHA-256 hash
echo -n "hunter2" | sha256sum
# f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7
```

// note: Fast hashes like SHA-256 are great for file integrity but weak for passwords. Real systems use slow, purpose-built algorithms such as bcrypt, scrypt, or Argon2 to make guessing expensive.

2. Why salts matter

A salt is a random value added to each password before hashing. Without salts, two users with the same password get the same hash, and attackers can use precomputed "rainbow tables" to crack many accounts at once. A unique salt per user makes those tables useless.

```text
user A: hash( "password" + "x7Gk2" ) -> a1b2c3...
user B: hash( "password" + "9Qm4Z" ) -> d4e5f6...
         same password, completely different stored hash
```
How a per-user salt changes the stored value
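The following added example (not code from the original guide) puts sections 1 and 2 together: it contrasts an unsalted fast hash, where two users with the same password share one stored value, with a per-user random salt fed into a slow, iterated password hash, and verifies a login with a constant-time comparison. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the bcrypt/scrypt/Argon2 the guide names, because it needs no third-party package; the `algorithm$iterations$salt$hash` record layout is a convention chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters (stand-in for bcrypt/scrypt/Argon2, stdlib only).
# 600,000 iterations is the current OWASP recommendation for this construction.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn for every call unless one is supplied, so two
    users who choose the same password never share a stored value.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo() -> tuple:
    """Constructed scenario: two users both pick the password 'password'."""
    # Unsalted fast hash: identical inputs -> identical stored values, so one
    # precomputed table cracks every account sharing that password.
    fast_a = hashlib.sha256(b"password").hexdigest()
    fast_b = hashlib.sha256(b"password").hexdigest()
    # Salted slow hash: same password, two different records.
    rec_a = hash_password("password")
    rec_b = hash_password("password")
    return (fast_a == fast_b,                    # True: unsalted hashes collide
            rec_a != rec_b,                      # True: salted records differ
            verify_password("password", rec_a),  # True: correct password
            verify_password("Password", rec_a))  # False: wrong password


if __name__ == "__main__":
    print(demo())
```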

3. Building strong authentication

  • Use a password manager to generate long, unique passwords (16+ characters) for every site.
  • Prefer passphrases — four or more random words — when you must memorize a password.
  • Enable multi-factor authentication (MFA) everywhere, preferring an authenticator app or hardware key over SMS.
  • Never reuse passwords; one breached site should never compromise another.
  1. Install a reputable open-source password manager.
  2. Change the passwords on your three most important accounts (email first) to long, unique values.
  3. Turn on MFA for each of those accounts.
  4. Check whether your email has appeared in known breaches and rotate any reused passwords.

// warning: Your email is the master key — password resets for everything else flow through it. Secure email with MFA before anything else.

// ethics_notice: Practice only on systems you own or are explicitly authorized to test. These materials are for education and defense.
