TL;DR
Yes, it’s theoretically possible for a weak password to generate the same hash as a strong one, but extremely unlikely with modern hashing algorithms and proper salting. This is called a collision. While rare, understanding this risk is important for cyber security.
What are Password Hashes?
When you create an account, your password isn’t stored directly. Instead, it’s transformed into a fixed-size string of characters called a hash. This protects your actual password if the database is hacked. A good hashing algorithm is one-way – meaning it’s very difficult to get the original password back from the hash.
Why Collisions Happen
Hashing algorithms take an input (your password) and produce an output (the hash). Because the number of possible passwords is far greater than the number of possible hashes, different passwords can sometimes result in the same hash. This is a collision.
Steps to Understand Password Hash Collisions
- Hashing Basics: Imagine a simple function that takes a word and assigns it a number. Different words could end up with the same number, even though they are different. That’s similar to how password hashing works.
- Hash Algorithm Strength: Older algorithms like MD5 and SHA-1 are known to be vulnerable to collisions. Modern algorithms like bcrypt, Argon2, and scrypt are designed to make collisions much harder to find.
- Salting: A salt is a random string added to your password before it’s hashed. This makes each hash unique even if two users have the same password. Without salting, identical passwords would always produce the same hash.
- Rainbow Tables: These are pre-computed tables of hashes for common passwords. Salting prevents attackers from using rainbow tables effectively because each salt creates a different table needed.
How to Check for Collisions (Example)
You can use online tools or programming languages to demonstrate hashing, but finding real collisions is difficult without significant computing power.
Python Example
import hashlib
pwd1 = "weakpassword"
pwd2 = "stronger_password"
salt = "randomsalt"
# Hash with salt
def hash_password(password, salt):
salted_password = salt + password
hashed_password = hashlib.sha256(salted_password.encode()).hexdigest()
return hashed_password
hash1 = hash_password(pwd1, salt)
hash2 = hash_password(pwd2, salt)
print("Hash of 'weakpassword':", hash1)
print("Hash of 'stronger_password':", hash2)
In this example, even with a salt, it’s unlikely the hashes will be identical. Changing the salt will always produce different results.
Mitigating Collision Risks
- Use Strong Hashing Algorithms: bcrypt, Argon2, and scrypt are recommended.
- Always Use Salts: Each password should have a unique, randomly generated salt.
- Key Stretching: Increase the computational cost of hashing (e.g., more rounds in bcrypt) to slow down attackers.
- Regularly Update Algorithms: Stay informed about new vulnerabilities and update your hashing methods as needed.
Conclusion
While password hash collisions are possible, they’re extremely unlikely with modern cyber security practices. Using strong algorithms, salts, and key stretching significantly reduces the risk of attackers exploiting this vulnerability.