{"id":519,"date":"2021-11-19T06:02:38","date_gmt":"2021-11-19T05:02:38","guid":{"rendered":"https:\/\/infosecscout.com\/?p=519"},"modified":"2023-11-22T13:00:12","modified_gmt":"2023-11-22T12:00:12","slug":"two-passwords-same-hash","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/two-passwords-same-hash\/","title":{"rendered":"Can Two Passwords Have The Same Hash? (Why?)"},"content":{"rendered":"\n<p>As you may already know,<a href=\"https:\/\/infosecscout.com\/how-are-passwords-stored\/\" target=\"_blank\" rel=\"noreferrer noopener\"> most passwords are stored hashed by the developers<\/a> of your favorites websites. It means they don&#8217;t keep the password you chose in a plain text form, they convert it into another value, a representation of this password. But in the process, can two passwords have the same hash representation? That&#8217;s what we&#8217;ll see in this article.<\/p>\n\n\n\n<p><strong>Two passwords can produce the same hash, it&#8217;s named a &#8220;hash collision&#8221;. In this case, both passwords can be used to log in to the corresponding account. It&#8217;s extremely rare for most hashing algorithms, but it may happen.<\/strong><\/p>\n\n\n\n<p>In the following of this article, we&#8217;ll take a step back and see why these cases can happen.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/#Can_Two_Passwords_Share_The_Same_Hash\" title=\"Can Two Passwords Share The Same Hash?\">Can Two Passwords Share The Same Hash?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/#Hashing_Algorithms_Reminders\" title=\"Hashing Algorithms Reminders\">Hashing Algorithms Reminders<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/#Hashing_Functions_Examples\" title=\"Hashing Functions Examples\">Hashing Functions Examples<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/#Why_Two_Passwords_Can_Have_The_Same_Hash\" title=\"Why Two Passwords Can Have The Same Hash\">Why Two Passwords Can Have The Same Hash<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/#How_Likely_Is_Hash_Collision\" title=\"How Likely Is Hash Collision?\">How Likely Is Hash Collision?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/#In_a_Nutshell\" title=\"In a Nutshell\">In a Nutshell<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/#Related_articles\" title=\"Related articles\">Related articles<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Can_Two_Passwords_Share_The_Same_Hash\"><\/span>Can Two Passwords Share The Same Hash?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hashing_Algorithms_Reminders\"><\/span>Hashing Algorithms Reminders<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>A hashing algorithm is a one-way cryptographic function, that convert any text input to a representation of it. There is no reverse function (to get the text back from the representation),  that&#8217;s why it&#8217;s often used to store passwords in a database.<\/p>\n\n\n\n<p>Many algorithms have been created over the years, but basically, they all work the same way for the end-user (generally a developer). They convert a string to a fixed size representation of it.<\/p>\n\n\n\n<p>For example, MD5 was a popular hashing algorithm, that convert something like &#8220;<em>infosecscout<\/em>&#8221; into a string like &#8220;<em>0fa6a5d3d5b1372077300af64ab8565e<\/em>&#8220;. You can use <a rel=\"noreferrer noopener\" href=\"https:\/\/infosecscout.com\/md5-in-javascript\/\" data-type=\"post\" data-id=\"119\" target=\"_blank\">MD5 functions in your code<\/a>, or <a href=\"https:\/\/www.md5online.org\/md5-encrypt.html\" target=\"_blank\" rel=\"noreferrer noopener\">MD5 online tools<\/a> to try this.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hashing_Functions_Examples\"><\/span>Hashing Functions Examples<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Let&#8217;s take an example, if you need something more visual to understand the issue here (or the non-issue).<br>Let&#8217;s say your password is &#8220;azerty123&#8221;, which is a terrible password, but it doesn&#8217;t matter for this example. In theory, no website or app will store your password as it is, they will generally &#8220;convert&#8221; it to a hash representation, using any hash function they think are safe enough to do this.<\/p>\n\n\n\n<p>Here is what this representation looks like with popular algorithms:<\/p>\n\n\n\n<ul><li><strong>MD5<\/strong>: 882baf28143fb700b388a87ef561a6e5<\/li><li><strong>SHA-1<\/strong>: 3b004ac6d8a602681f5ee3587c924855679e21d9<\/li><li><strong>SHA-256<\/strong>: f3029a66c61b61b41b428963a2fc134154a5383096c776f3b4064733c5463d90<\/li><li><strong>Bcrypt<\/strong>: $2a$10$XyoOPNRz27wsM9innHTSP.d3.ldFy8hgxLDfb3GVGPu.XS5R6Sfoa<\/li><\/ul>\n\n\n\n<p>Each algorithm use different characters set and length to hash your password, but basically, they work the same way.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_Two_Passwords_Can_Have_The_Same_Hash\"><\/span>Why Two Passwords Can Have The Same Hash<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Two passwords can have the same hash if there is a collision. For example, the MD5 algorithm take any string, from any length, and convert it into a 32 hexadecimal characters string. As the list of possibilities is way bigger on the input side than on the output, there is no way you will never get the same output twice for two different input strings.<\/strong><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/email-password.jpg\" alt=\"\" class=\"wp-image-525\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/email-password.jpg 800w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/email-password-300x169.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/email-password-768x432.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure><\/div>\n\n\n\n<p>The more possibilities you have on the output, the less often the issue will happen. <br>For example, SHA-1 use 40 characters instead of 32 for MD5, so there is a bit less duplicates with this algorithm. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Likely_Is_Hash_Collision\"><\/span>How Likely Is Hash Collision?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>As a whole, hash collisions are very rare. Even for broken algorithms like MD5, the probability to have two passwords producing the same hash is terribly low (1.47*10<sup>-29<\/sup> according to <a href=\"https:\/\/www.avira.com\/en\/blog\/md5-the-broken-algorithm\" target=\"_blank\" rel=\"noreferrer noopener\">Avira<\/a>).<\/strong><\/p>\n\n\n\n<p>This eventuality might be a concern when you are hashing really long input (like files or texts), but for passwords, it&#8217;s not a major concern for developers. The probability goes way lower for more modern algorithms, so it&#8217;s not something developers would consider.<\/p>\n\n\n\n<p>They will generally spend more time on additional security features, like two-factor authentication, new IP address detection, etc. This will enhance the security of their system more than worrying about hash collisions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"In_a_Nutshell\"><\/span>In a Nutshell<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In short, here are the main takeaways of this article :<\/p>\n\n\n\n<ul><li>Two passwords can be different and have the same hash.<\/li><li>A collision is the name of this event when using hashing algorithms.<\/li><li>The probability of a collision is terribly low for all algorithms.<\/li><li>Using a strong hashing algorithm reduce the likelihood of a collision.<\/li><li>Collisions are not a major concern for developers when dealing with passwords storage.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Related_articles\"><\/span>Related articles<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul><li><a href=\"https:\/\/infosecscout.com\/two-files-with-same-md5-hash\/\" data-type=\"post\" data-id=\"402\">Can 2 Files Have the Same MD5 Hash? (and why)<\/a><\/li><li><a href=\"https:\/\/infosecscout.com\/md5-vs-sha256\/\" data-type=\"post\" data-id=\"365\">MD5 vs SHA256: Which is Better? (Speed, Safety, \u2026)<\/a><\/li><li><a href=\"https:\/\/infosecscout.com\/why-md5-is-not-safe\/\" data-type=\"post\" data-id=\"53\">3 Reasons why MD5 is not Secure<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>As you may already know, most passwords are stored hashed by the developers of your favorites websites. It means they don&#8217;t keep the password you chose in a plain text form, they convert it into another value, a representation of this password. But in the process, can two passwords have the same hash representation? That&#8217;s&#8230;<\/p>\n","protected":false},"author":1,"featured_media":527,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[14],"tags":[],"taxonomy_info":{"category":[{"value":14,"label":"Security"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/two-passwords-same-hash-1024x683.jpg",1024,683,true],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":0,"category_info":[{"term_id":14,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":14,"taxonomy":"category","description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","parent":0,"count":21,"filter":"raw","cat_ID":14,"category_count":21,"category_description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","cat_name":"Security","category_nicename":"security","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/519"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=519"}],"version-history":[{"count":6,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/519\/revisions"}],"predecessor-version":[{"id":526,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/519\/revisions\/526"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/527"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}