Don’t encrypt your passwords

Yes, that’s right, do not encrypt your password. Some people in the field still speak about “password encryption”, yet they mean “password hashing”. It is close, yet it is important to use the proper wording. This way we can validate not only knowledge, but also whether it is properly applied in our guidelines, standards and especially our operations.

The difference:

Encryption: take something known (the plaintext), combine it with a key derived from a password (or passphrase) and turn it into random-looking characters (the ciphertext). To get the original text back, do a similar exercise, but this time with the key used to reverse the random characters into something understandable again. Encryption is reversible by design.

Hashing: convert some text, like a password, into a fixed-size string (the hash). There is no way to reverse it, as the original text may even be bigger than the hash. With no compression applied, this means you effectively “lose” data. That is no problem in this case, as we simply want to determine whether hashing the same input a second time results in exactly the same hash (e.g. for an authentication process).