Exploring Secure Hash Functions: A Guide for Developers and Security Enthusiasts

Pranil Shrestha
4 min read

Introduction to Hash Functions

As a backend developer, you probably use hashes all the time—maybe without giving them much thought. They are used in things like password storage, file integrity checks, and cache key generation. But not all hash functions are the same, and picking the wrong one can create serious security risks.

In this post, we’ll go beyond the usual suspects like MD5 and SHA-1 and take a practical, security-focused look at hash functions. We’ll break down what hashing really is, highlight common mistakes developers make, compare popular algorithms, and even crack some hashes to get inside the mind of an attacker.

What do hash functions actually do?

At their core, hash functions are mathematical algorithms that take input data and return a fixed-size string, usually shown as a hexadecimal value. You can think of the output as a digital fingerprint of the input: unique to that input and irreversible by nature.

Key properties:

  • Deterministic: Same input always produces the same output.

  • Irreversible: You cannot derive the original input from the hash.

  • Fixed Output: Input of any length results in a fixed-sized hash.

  • Collision-resistant: Two different inputs should not produce the same hash (though some weak hash functions fail here).

Caution: Hashing is NOT encryption. Encryption is reversible by design using a key; hashing is not.
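To see these properties concretely, here is a short added example (my code, not from the original post) that hashes constructed inputs of very different lengths with Python's hashlib and counts how many output bits change when a single input bit is flipped. INPUTS and the function names are my own choices.

```python
import hashlib

# Constructed sample inputs of very different lengths (not from the original post).
INPUTS = [b"", b"a", b"The quick brown fox", b"x" * 100_000]


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def digest_lengths(inputs):
    """Fixed output: maps input length -> digest length. SHA-256 always gives
    32 bytes (64 hex characters), whatever the size of the input."""
    return {len(i): len(sha256_hex(i)) for i in inputs}


def is_deterministic(data: bytes, rounds: int = 5) -> bool:
    """Deterministic: hashing the same bytes repeatedly always gives the same digest."""
    first = sha256_hex(data)
    return all(sha256_hex(data) == first for _ in range(rounds))


def hamming_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_bits(data: bytes) -> int:
    """Flip one bit of a non-empty input and count how many of the 256 output bits
    change. For a good hash this lands near half (about 128): a tiny change to the
    input yields an unrelated-looking fingerprint, which is why hashes detect tampering."""
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    return hamming_distance(sha256_hex(data), sha256_hex(bytes(flipped)))


if __name__ == "__main__":
    print(digest_lengths(INPUTS))              # every value is 64
    print(is_deterministic(b"password"))       # True
    print(avalanche_bits(b"The quick brown fox"))  # roughly 128
```

The avalanche count is the property the "irreversible" bullet rests on: if a one-bit change in the input produced a one-bit change in the output, the hash would leak structure about its input.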

Typical Places Hashes Are Found:

Hashing is used in many places, often without the developer realizing it:

  1. Password Storage

import bcrypt

# bcrypt generates a random salt and stores it inside the resulting hash
password = b"mysecretpassword123"
hashed = bcrypt.hashpw(password, bcrypt.gensalt())

  2. Cache Keys

const crypto = require('crypto');
// query: the request object the cache key is derived from
const key = crypto.createHash('sha256').update(JSON.stringify(query)).digest('hex');

  3. File Integrity Checks

sha256sum myfile.zip

  4. API Authentication (HMACs)

const crypto = require('crypto');
// secret: key shared with the API; data: the request payload being signed
const hmac = crypto.createHmac('sha256', secret).update(data).digest('hex');

  5. Blockchain

Used for transaction verification, block headers and so on.
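The first four uses above, worked through in one added Python example (my code, not from the original post): a cache key derived from canonical JSON, a chunked file-integrity check against a published checksum, and HMAC-SHA256 request signing with server-side verification. API_SECRET, the request values and SAMPLE_FILE are constructed for the demo.

```python
import hashlib
import hmac
import io
import json

# Constructed demo values, not from the original post. A real secret comes from
# configuration or a secrets manager, never from source code.
API_SECRET = b"example-shared-secret"
SAMPLE_FILE = b"constructed file contents\n" * 1000


def cache_key(query: dict) -> str:
    """Cache key from a query object. sort_keys=True gives a canonical form, so
    {"page": 2, "q": "hash"} and {"q": "hash", "page": 2} map to one key; a plain
    JSON.stringify / json.dumps depends on insertion order and would not."""
    canonical = json.dumps(query, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def file_digest(stream, chunk_size: int = 65536) -> str:
    """SHA-256 of a file-like object, read in chunks so large files never sit fully in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def integrity_ok(stream, expected_hex: str) -> bool:
    """Compare the computed digest with a published checksum in constant time."""
    return hmac.compare_digest(file_digest(stream), expected_hex.lower())


def sign_request(secret: bytes, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over method, path and body, so the tag covers the whole request."""
    message = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, body: bytes, signature: str) -> bool:
    """Server side: recompute and compare with compare_digest, never with ==."""
    return hmac.compare_digest(sign_request(secret, method, path, body), signature)


def integrity_demo() -> tuple:
    """Returns (intact file verifies, tampered file verifies)."""
    published = file_digest(io.BytesIO(SAMPLE_FILE))  # what a download page would list
    tampered = SAMPLE_FILE[:-1] + b"!"
    return (integrity_ok(io.BytesIO(SAMPLE_FILE), published),
            integrity_ok(io.BytesIO(tampered), published))


def signing_demo() -> tuple:
    """Returns (genuine request verifies, request with altered body verifies)."""
    body = b'{"order": 42}'
    sig = sign_request(API_SECRET, "POST", "/v1/orders", body)
    return (verify_request(API_SECRET, "POST", "/v1/orders", body, sig),
            verify_request(API_SECRET, "POST", "/v1/orders", b'{"order": 43}', sig))


if __name__ == "__main__":
    print(cache_key({"page": 2, "q": "hash"}) == cache_key({"q": "hash", "page": 2}))  # True
    print(integrity_demo())  # (True, False)
    print(signing_demo())    # (True, False)
```

Two details are easy to miss in the one-liners above: serialising the query in a canonical order (otherwise two equivalent queries get two cache entries), and comparing digests with a constant-time function rather than `==`, which can leak how many leading characters matched.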

Common Mistakes When Using Hash Functions:

Many developers misuse or misunderstand hash functions. Below are some real-world issues:

  • Hashing passwords with MD5. It is not secure, because MD5 is prone to hash collisions and rainbow table attacks.

  • Not salting your hashes, which turns them into rainbow table fodder.

  • Using fast hashes (like SHA-256) for passwords, which makes brute forcing easier.

  • Logging hashes in plain text, which exposes them to anyone who can read the logs.

What is a hash collision?

→ A hash collision occurs when two different inputs to a hash function produce the same hash value (output).

→ It typically happens in weaker hash algorithms.

→ In security it is a serious risk, because if an attacker can find two different inputs with the same hash output, they can potentially compromise a system that relies on that hash function.

What are rainbow table attacks?

→ Rainbow table attacks are similar to dictionary attacks, but they use a rainbow table instead of a word list. Although similar to a dictionary attack, they need less computing power.

→ Rainbow tables are precomputed lists used to crack hashes.
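An added Python example (my code, not from the original post) tying the "no salt" and "fast hash" mistakes above to the rainbow table explanation: a constructed five-entry precomputed MD5 table recovers any unsalted hash it contains with a single dictionary lookup, while a per-user random salt plus scrypt makes the stored value different for every user and leaves nothing to look up. COMMON_PASSWORDS, the table and the scrypt work factors are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed toy "precomputed table": a few common passwords and their unsalted MD5
# digests. Real tables hold billions of entries; this list is not from the original post.
COMMON_PASSWORDS = [b"123456", b"password", b"qwerty", b"letmein", b"Password@123"]
PRECOMPUTED_MD5 = {hashlib.md5(p).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password: bytes) -> str:
    """The mistake: fast, unsalted, and identical for every user who picked the same password."""
    return hashlib.md5(password).hexdigest()


def lookup_precomputed(md5_hex: str):
    """Why unsalted hashes fall: one dictionary lookup, no hashing at all at lookup time."""
    return PRECOMPUTED_MD5.get(md5_hex)


def hash_password(password: bytes, salt: bytes = None) -> str:
    """The fix: a random 16-byte salt per user plus scrypt (slow and memory-hard).
    n, r, p are the work factors (assumed values here). Stored as "salt$digest" in hex
    so that verification can recover the salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Two users, same weak password, unsalted MD5: identical hashes, one lookup breaks both.
    alice, bob = unsalted_md5(b"Password@123"), unsalted_md5(b"Password@123")
    print(alice == bob, lookup_precomputed(alice))      # True b'Password@123'
    # Same password, salted scrypt: different stored values, nothing to look up.
    alice_s, bob_s = hash_password(b"Password@123"), hash_password(b"Password@123")
    print(alice_s != bob_s, lookup_precomputed(alice_s.split("$")[1]))  # True None
    print(verify_password(b"Password@123", alice_s), verify_password(b"wrong", alice_s))  # True False
```

The salt does not need to be secret, only unique per user: it forces an attacker to build a fresh table for every single hash, which is exactly the precomputation a rainbow table was meant to avoid, and the slow KDF makes each of those fresh computations expensive.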

Hash Functions Comparison

Hash    | Secure? | Use Case               | Speed                      | Notes
--------|---------|------------------------|----------------------------|---------------------------
MD5     | No      | Legacy only            | Fast                       | Broken, avoid at all costs
SHA-1   | No      | Git internals          | Fast                       | Collision-prone
SHA-256 | Yes     | Checksums, HMAC        | Faster                     | Industry standard
SHA-3   | Yes     | Modern secure apps     | Not too fast, not too slow | Highly secure
bcrypt  | Yes     | Passwords              | Slow                       | Adds salt, adaptive
scrypt  | Yes     | Key derivation         | Slow                       | Memory-hard
Argon2  | Better  | Passwords (best pick)  | Slow                       | PHC winner, best practice
Blake3  | Yes     | File integrity         | Fastest                    | Modern alternative to SHA-3

Think Like An Attacker: Cracking Weak Hashes

Let’s demonstrate how quickly some hashes can be cracked.

Example MD5:

echo -n "Password@123" | md5sum
d00f5d5217896fb7fd601412cb890830   # <- this is the output

Using crackstation to crack the hash:

Reasons: no salt, a weak and fast algorithm, and publicly available rainbow tables.

Tools that attackers use: hashcat, John the Ripper, CrackStation and so on.

Choosing The Right Hash For The Job

Task                    | Recommended Hash
------------------------|---------------------------
Password storage        | Argon2 > bcrypt > scrypt
File integrity          | SHA-256 / Blake3
API request signing     | HMAC with SHA-256
Key derivation          | scrypt, Argon2, PBKDF2
Blockchain applications | SHA-256 or SHA-3

Golden Rule: If it’s fast, it’s bad for passwords.
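An added example (my code, not from the original post) that puts the golden rule in numbers on your own machine: it measures how many SHA-256 hashes are computed in the time of one scrypt hash, and finds a PBKDF2 iteration count that costs about a tenth of a second per password, which is the usual way a work factor is tuned. PASSWORD, SALT, the scrypt parameters and the target timings are constructed values.

```python
import hashlib
import os
import time

# Constructed sample password and salt (not from the original post).
PASSWORD = b"Password@123"
SALT = os.urandom(16)


def hashes_per_second(fn, seconds: float = 0.2) -> float:
    """Call fn() repeatedly for roughly `seconds` and return the achieved rate."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        count += 1
    return count / (time.perf_counter() - start)


def fast_sha256() -> bytes:
    """A salted SHA-256: fine for checksums, far too cheap for password storage."""
    return hashlib.sha256(SALT + PASSWORD).digest()


def slow_scrypt() -> bytes:
    """scrypt with assumed work factors n=2^14, r=8, p=1 (about 16 MB of memory per hash)."""
    return hashlib.scrypt(PASSWORD, salt=SALT, n=2**14, r=8, p=1, dklen=32)


def speed_ratio() -> float:
    """How many SHA-256 guesses an attacker gets for every scrypt guess on this machine."""
    return hashes_per_second(fast_sha256) / hashes_per_second(slow_scrypt)


def calibrate_pbkdf2(target_seconds: float = 0.1, start: int = 100_000) -> int:
    """Double the PBKDF2-HMAC-SHA256 iteration count until one hash takes at least
    target_seconds. Re-run this on the hardware that will verify logins: the right
    number keeps growing as machines get faster, which is what "adaptive" means."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, iterations, dklen=32)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    print(f"SHA-256 guesses per scrypt guess: {speed_ratio():,.0f}")
    print(f"PBKDF2 iterations for ~0.1 s per hash: {calibrate_pbkdf2():,}")
```

The ratio is the whole argument for slow hashes: a leaked table of salted SHA-256 hashes lets an attacker test that many more candidate passwords per second than a table of scrypt or Argon2 hashes, for exactly the same hardware.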

Bonus Tools And Playgrounds

Play with hash functions using these tools:

  • CyberChef: Web-based hash and encoding toolkit

  • CrackStation: Online hash cracker

  • bcrypt-cli, argon2-cli: Hash passwords in your terminal

  • Built-in libraries:

    • Node.js: crypto, bcryptjs, argon2

    • Python: hashlib, bcrypt, argon2-cffi

Final Thoughts

Hashing is a tool. When used well, it powers secure applications. When misused, it opens the door to attackers. If you want to develop a secure application, you should try to understand the tools you use.
