Can Two Passwords Have The Same Hash? (Why?)

As you may already know, most passwords are stored hashed by the developers of your favorite websites. It means they don’t keep the password you chose in plain text form; they convert it into another value, a representation of this password. But in the process, can two passwords have the same hash representation? That’s what we’ll see in this article.

Two passwords can produce the same hash: this is called a “hash collision”. In this case, both passwords can be used to log in to the corresponding account. It’s extremely rare for most hashing algorithms, but it may happen.

In the rest of this article, we’ll take a step back and see why these cases can happen.


Can Two Passwords Share The Same Hash?

Hashing Algorithms Reminders

A hashing algorithm is a one-way cryptographic function that converts any text input into a representation of it. There is no reverse function (to get the text back from the representation), which is why it’s often used to store passwords in a database.


Many algorithms have been created over the years, but basically, they all work the same way for the end user (generally a developer). They convert a string into a fixed-size representation of it.

For example, MD5 was a popular hashing algorithm that converts something like “infosecscout” into a string like “0fa6a5d3d5b1372077300af64ab8565e”. You can use MD5 functions in your code, or MD5 online tools, to try this.

Hashing Functions Examples

Let’s take an example, if you need something more visual to understand the issue here (or the non-issue).
Let’s say your password is “azerty123”, which is a terrible password, but it doesn’t matter for this example. In theory, no website or app will store your password as it is; they will generally “convert” it to a hash representation, using whichever hash function they think is safe enough for this.

Here is what this representation looks like with popular algorithms:

  • MD5: 882baf28143fb700b388a87ef561a6e5
  • SHA-1: 3b004ac6d8a602681f5ee3587c924855679e21d9
  • SHA-256: f3029a66c61b61b41b428963a2fc134154a5383096c776f3b4064733c5463d90
  • Bcrypt: $2a$10$XyoOPNRz27wsM9innHTSP.d3.ldFy8hgxLDfb3GVGPu.XS5R6Sfoa

Each algorithm uses a different character set and output length to hash your password, but basically, they all work the same way.

Why Two Passwords Can Have The Same Hash

Two passwords can have the same hash if there is a collision. For example, the MD5 algorithm takes any string, of any length, and converts it into a string of 32 hexadecimal characters. Since there are far more possible inputs than possible outputs, it is impossible for every distinct input to get a distinct output: some pairs of different input strings necessarily produce the same hash.


The more possibilities you have on the output side, the less often the issue will happen.
For example, SHA-1 uses 40 hexadecimal characters instead of 32 for MD5, so collisions are a bit less likely with this algorithm.
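As an added example (not code from the original article), the following Python script uses only the standard library (bcrypt is omitted because it needs a third-party package) to hash the article’s “azerty123” with MD5, SHA-1 and SHA-256 and show that the output length is fixed whatever the input length; it then truncates MD5 to 16 bits to model a small output space and finds two constructed inputs that collide, illustrating the pigeonhole argument and the birthday bound. All input strings other than “azerty123” are constructed for the demonstration.

```python
import hashlib
import itertools
import math
from typing import Dict, Tuple

# Demonstration password from the article (a weak password, as noted there).
PASSWORD = "azerty123"
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_hex(algorithm: str, text: str) -> str:
    """Hex digest of text under a hashlib algorithm; output size is fixed per algorithm."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def digest_lengths(text: str) -> Dict[str, int]:
    """Number of hex characters each algorithm produces, whatever the input length."""
    return {alg: len(digest_hex(alg, text)) for alg in ALGORITHMS}


def truncated_hash(text: str, bits: int) -> int:
    """Keep only the first `bits` bits of MD5 to model a small output space.
    Constructed for illustration: real password hashes keep the full digest."""
    full = int(hashlib.md5(text.encode("utf-8")).hexdigest(), 16)
    return full >> (128 - bits)


def find_collision(bits: int) -> Tuple[str, str, int]:
    """Hash distinct inputs until two share the same truncated output.
    The pigeonhole principle guarantees a collision within 2**bits + 1 inputs;
    the birthday bound says one usually appears after about sqrt(2**bits)."""
    seen: Dict[int, str] = {}
    for n in itertools.count():
        candidate = f"user-{n}"  # constructed inputs, not real passwords
        h = truncated_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, n + 1
        seen[h] = candidate
    raise AssertionError("unreachable")


def birthday_bound(bits: int) -> float:
    """Approximate number of inputs after which a collision becomes likely (~50%)."""
    return math.sqrt(2 ** bits)


if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(f"{alg:>6}: {digest_hex(alg, PASSWORD)}")
    print("hex length is fixed:", digest_lengths(PASSWORD), digest_lengths("x" * 1000))
    a, b, tried = find_collision(16)
    print(f"16-bit collision after {tried} inputs: {a!r} and {b!r} (bound ~{birthday_bound(16):.0f})")
```

With the full 128-bit MD5 output the same search would need on the order of 2^64 inputs, which is why the article treats collisions as negligible for password storage.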

How Likely Is Hash Collision?

As a whole, hash collisions are very rare. Even for broken algorithms like MD5, the probability of two passwords producing the same hash is terribly low (1.47×10^-29 according to Avira).


This eventuality might be a concern when you are hashing really long inputs (like files or texts), but for passwords, it’s not a major concern for developers. The probability is far lower still with more modern algorithms, so it’s not something developers would consider.

They will generally spend more time on additional security features, like two-factor authentication or new IP address detection. These enhance the security of their system more than worrying about hash collisions would.

In a Nutshell

In short, here are the main takeaways of this article:

  • Two passwords can be different and have the same hash.
  • A collision is the name of this event when using hashing algorithms.
  • The probability of a collision is terribly low for all algorithms.
  • Using a strong hashing algorithm reduces the likelihood of a collision.
  • Collisions are not a major concern for developers when dealing with password storage.
