As you may already know, most passwords are stored hashed by the developers of your favorites websites. It means they don’t keep the password you chose in a plain text form, they convert it into another value, a representation of this password. But in the process, can two passwords have the same hash representation? That’s what we’ll see in this article.
Two passwords can produce the same hash, it’s named a “hash collision”. In this case, both passwords can be used to log in to the corresponding account. It’s extremely rare for most hashing algorithms, but it may happen.
In the following of this article, we’ll take a step back and see why these cases can happen.
Can Two Passwords Share The Same Hash?
Hashing Algorithms Reminders
A hashing algorithm is a one-way cryptographic function, that convert any text input to a representation of it. There is no reverse function (to get the text back from the representation), that’s why it’s often used to store passwords in a database.
Many algorithms have been created over the years, but basically, they all work the same way for the end-user (generally a developer). They convert a string to a fixed size representation of it.
For example, MD5 was a popular hashing algorithm, that convert something like “infosecscout” into a string like “0fa6a5d3d5b1372077300af64ab8565e“. You can use MD5 functions in your code, or MD5 online tools to try this.
Hashing Functions Examples
Let’s take an example, if you need something more visual to understand the issue here (or the non-issue).
Let’s say your password is “azerty123”, which is a terrible password, but it doesn’t matter for this example. In theory, no website or app will store your password as it is, they will generally “convert” it to a hash representation, using any hash function they think are safe enough to do this.
Here is what this representation looks like with popular algorithms:
- MD5: 882baf28143fb700b388a87ef561a6e5
- SHA-1: 3b004ac6d8a602681f5ee3587c924855679e21d9
- SHA-256: f3029a66c61b61b41b428963a2fc134154a5383096c776f3b4064733c5463d90
- Bcrypt: $2a$10$XyoOPNRz27wsM9innHTSP.d3.ldFy8hgxLDfb3GVGPu.XS5R6Sfoa
Each algorithm use different characters set and length to hash your password, but basically, they work the same way.
Why Two Passwords Can Have The Same Hash
Two passwords can have the same hash if there is a collision. For example, the MD5 algorithm take any string, from any length, and convert it into a 32 hexadecimal characters string. As the list of possibilities is way bigger on the input side than on the output, there is no way you will never get the same output twice for two different input strings.
The more possibilities you have on the output, the less often the issue will happen.
For example, SHA-1 use 40 characters instead of 32 for MD5, so there is a bit less duplicates with this algorithm.
How Likely Is Hash Collision?
As a whole, hash collisions are very rare. Even for broken algorithms like MD5, the probability to have two passwords producing the same hash is terribly low (1.47*10-29 according to Avira).
This eventuality might be a concern when you are hashing really long input (like files or texts), but for passwords, it’s not a major concern for developers. The probability goes way lower for more modern algorithms, so it’s not something developers would consider.
They will generally spend more time on additional security features, like two-factor authentication, new IP address detection, etc. This will enhance the security of their system more than worrying about hash collisions.
In a Nutshell
In short, here are the main takeaways of this article :
- Two passwords can be different and have the same hash.
- A collision is the name of this event when using hashing algorithms.
- The probability of a collision is terribly low for all algorithms.
- Using a strong hashing algorithm reduce the likelihood of a collision.
- Collisions are not a major concern for developers when dealing with passwords storage.