A cryptographic hash function is an algorithm that takes an arbitrary amount of data input—a credential—and produces a fixed-size output of enciphered text called a hash value, or just “hash.” That enciphered text can then be stored instead of the password itself, and later used to verify the user.
Certain properties of cryptographic hash functions impact the security of password storage.
- Non-reversibility, or one-way function. A good hash should make it very hard to reconstruct the original password from the output or hash.
- Diffusion, or avalanche effect. A change in just one bit of the original password should result in change to half the bits of its hash. In other words, when a password is changed slightly, the output of enciphered text should change significantly and unpredictably.
- Determinism. A given password must always generate the same hash value or enciphered text.
- Collision resistance. It should be hard to find two different passwords that hash to the same enciphered text.
- Non-predictable. The hash value should not be predictable from the password.