two passwords with the same hash: is it possible ?

Can Two Passwords Have The Same Hash? (Why?)

As you may already know, most passwords are stored hashed by the developers of your favorites websites. It means they don’t keep the password you chose in a plain text form, they convert it into another value, a representation of this password. But in the process, can two passwords have the same hash representation? That’s what we’ll see in this article.

Two passwords can produce the same hash, it’s named a “hash collision”. In this case, both passwords can be used to log in to the corresponding account. It’s extremely rare for most hashing algorithms, but it may happen.

In the following of this article, we’ll take a step back and see why these cases can happen.

Hide your IP address and location with a free VPN:
Try it for free now, companies are paying for you.
1500 servers in 120 countries. It's free. Forever. No email required.

Table of Contents

Can Two Passwords Share The Same Hash?

Hashing Algorithms Reminders

A hashing algorithm is a one-way cryptographic function, that convert any text input to a representation of it. There is no reverse function (to get the text back from the representation), that’s why it’s often used to store passwords in a database.

Stay tuned with the latest security news!
You'll enjoy receiving the recent articles directly in your inbox every week!

Many algorithms have been created over the years, but basically, they all work the same way for the end-user (generally a developer). They convert a string to a fixed size representation of it.

For example, MD5 was a popular hashing algorithm, that convert something like “infosecscout” into a string like “0fa6a5d3d5b1372077300af64ab8565e“. You can use MD5 functions in your code, or MD5 online tools to try this.

Hashing Functions Examples

Let’s take an example, if you need something more visual to understand the issue here (or the non-issue).
Let’s say your password is “azerty123”, which is a terrible password, but it doesn’t matter for this example. In theory, no website or app will store your password as it is, they will generally “convert” it to a hash representation, using any hash function they think are safe enough to do this.

Here is what this representation looks like with popular algorithms:

Kali Linux: From Zero To Hero
How to master Kali Linux like a pro hacker
Even if you never used Linux before.

Learn more
  • MD5: 882baf28143fb700b388a87ef561a6e5
  • SHA-1: 3b004ac6d8a602681f5ee3587c924855679e21d9
  • SHA-256: f3029a66c61b61b41b428963a2fc134154a5383096c776f3b4064733c5463d90
  • Bcrypt: $2a$10$XyoOPNRz27wsM9innHTSP.d3.ldFy8hgxLDfb3GVGPu.XS5R6Sfoa

Each algorithm use different characters set and length to hash your password, but basically, they work the same way.

Why Two Passwords Can Have The Same Hash

Two passwords can have the same hash if there is a collision. For example, the MD5 algorithm take any string, from any length, and convert it into a 32 hexadecimal characters string. As the list of possibilities is way bigger on the input side than on the output, there is no way you will never get the same output twice for two different input strings.

Stay tuned with the latest security news!
You'll enjoy receiving the recent articles directly in your inbox every week!

The more possibilities you have on the output, the less often the issue will happen.
For example, SHA-1 use 40 characters instead of 32 for MD5, so there is a bit less duplicates with this algorithm.

How Likely Is Hash Collision?

As a whole, hash collisions are very rare. Even for broken algorithms like MD5, the probability to have two passwords producing the same hash is terribly low (1.47*10-29 according to Avira).

This eventuality might be a concern when you are hashing really long input (like files or texts), but for passwords, it’s not a major concern for developers. The probability goes way lower for more modern algorithms, so it’s not something developers would consider.

They will generally spend more time on additional security features, like two-factor authentication, new IP address detection, etc. This will enhance the security of their system more than worrying about hash collisions.

In a Nutshell

In short, here are the main takeaways of this article :

  • Two passwords can be different and have the same hash.
  • A collision is the name of this event when using hashing algorithms.
  • The probability of a collision is terribly low for all algorithms.
  • Using a strong hashing algorithm reduce the likelihood of a collision.
  • Collisions are not a major concern for developers when dealing with passwords storage.

Related articles

Hi, my name is Patrick, I'm a web developer and network administrator. I have always been interested in security, and I created this website to share my findings with you.

Similar Posts