Password hashing and salting

Hashing is the process of turning a plain-text password into a unique, fixed-length string of characters that cannot be reversed.

If you use the password BlueSky123, a hashing algorithm transforms it into something that looks like this: 7e8b61e20436a56e1b106f2e82f5b66d

How It Works

Unlike encryption, which is a two-way street (you can lock it and then unlock it with a key), hashing is a one-way function. Once a password is hashed, there is no “un-hash” button to get the original text back.

Here are the four key characteristics of a good cryptographic hash:

  • Deterministic: The same password will always produce the exact same hash.
  • Irreversible: You can’t look at the hash and calculate what the original password was.
  • Fixed Length: Whether your password is 4 characters or 40, the resulting hash is always the same length.
  • The Avalanche Effect: If you change just one letter (e.g., BlueSky124), the resulting hash will look completely different from the original.

Why Do We Use It?

Websites (and the applications you’ve been building) should never store your actual password in a database. If an attacker steals the database, they obtain only the hashes, not the passwords themselves.

When you log in later, the system doesn’t “read” your password. Instead:

  1. It takes the password you just typed.
  2. It hashes it using the same algorithm.
  3. It compares the new hash to the stored hash. If they match, you’re in!

A Note on “Salting”

To make things even more secure, developers often add a “Salt”—a random string of characters added to the password before hashing. This ensures that even if two people use the same password, their hashes will look different, making it much harder for hackers to use pre-computed tables (Rainbow Tables) to crack them.
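The three login steps and the salting idea, worked through in Python (an added example for these notes, not code from the original page). It assumes PBKDF2-HMAC-SHA256 from the standard library as the slow hash and a 16-byte random salt per user; the iteration count is an assumed value, and the user table is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption for this
# example; tune it so one hash costs a noticeable fraction of a second.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt and hash one password.

    A fresh random salt is drawn when none is supplied. The salt is stored
    next to the hash; it is not secret, it only has to be unique per user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(typed: str, salt: bytes, stored_hash: bytes) -> bool:
    """The three login steps: take the typed password, hash it with the same
    algorithm and the stored salt, then compare with the stored hash."""
    _, candidate = hash_password(typed, salt)
    # Constant-time comparison so the response time does not leak how many
    # leading bytes of the candidate matched.
    return hmac.compare_digest(candidate, stored_hash)


def register_users(passwords: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Build a toy users table holding hex-encoded salt and hash per user."""
    table: Dict[str, Dict[str, str]] = {}
    for user, pw in passwords.items():
        salt, digest = hash_password(pw)
        table[user] = {"salt": salt.hex(), "hash": digest.hex()}
    return table


def login(table: Dict[str, Dict[str, str]], user: str, typed: str) -> bool:
    """Look the user up and run the verification steps against the stored record."""
    rec = table.get(user)
    if rec is None:
        return False
    return verify_password(typed, bytes.fromhex(rec["salt"]), bytes.fromhex(rec["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    users = register_users({"alice": "BlueSky123", "bob": "BlueSky123"})
    for name, rec in users.items():
        print(name, rec["salt"], rec["hash"])   # different salts, different hashes
    print("alice, correct password:", login(users, "alice", "BlueSky123"))
    print("alice, wrong password:  ", login(users, "alice", "BlueSky124"))
```

Running it shows that alice and bob end up with different stored hashes even though they typed the same password, which is exactly what the salt buys you; `password_hash()` in the PHP script below does the same salting internally.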

PHP script to create hashed passwords

```php
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Generate Hash</title>
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
</head>
<body>
<?php
// Both forms post back to this same page, so a hidden "algo" field says which
// one was submitted; without it both PHP blocks would run on every POST.
$algo        = ($_SERVER["REQUEST_METHOD"] === "POST") ? ($_POST["algo"] ?? "") : "";
$inputString = $_POST["inputString"] ?? "";
?>
<div class="container mt-5">
  <h1 class="mb-4">Generate Hash</h1>
  <form method="post" action="">
    <input type="hidden" name="algo" value="password_hash">
    <div class="form-group">
      <label for="inputStringDefault">Input String</label>
      <input type="text" class="form-control" id="inputStringDefault" name="inputString" required>
    </div>
    <button type="submit" class="btn btn-primary">Generate Hash</button>
  </form>
<?php
if ($algo === "password_hash") {
    // password_hash() chooses a slow, salted algorithm (bcrypt for PASSWORD_DEFAULT)
    // and generates the random salt itself; salt and cost are embedded in the
    // result, so password_verify() can check a login later with no extra fields.
    $hash = password_hash($inputString, PASSWORD_DEFAULT);
    echo "<div class='alert alert-success mt-4'>Generated Hash: <strong>" . htmlspecialchars($hash) . "</strong></div>";
}
?>
</div>

<div class="container mt-5">
  <h1 class="mb-4 text-center">Generate Hash using sha1</h1>
  <form method="post" action="">
    <input type="hidden" name="algo" value="sha1">
    <div class="form-group">
      <label for="inputStringSha1">Input String</label>
      <input type="text" class="form-control" id="inputStringSha1" name="inputString" required>
    </div>
    <button type="submit" class="btn btn-primary">Generate Hash</button>
  </form>
<?php
if ($algo === "sha1") {
    // sha1() is fast and unsalted, so the same password always yields the same
    // digest; it is shown here only to contrast with password_hash() above.
    $hash = sha1($inputString);
    echo "<div class='alert alert-success mt-4'>Generated Hash: <strong>" . htmlspecialchars($hash) . "</strong></div>";
}
?>
</div>
</body>
</html>
```

Determinism or deterministic logic

“Deterministic” refers to a system, process, or algorithm in which identical inputs always produce identical outputs. There is no randomness, unpredictability, or chance involved in how the system moves from one state to the next.

In a deterministic model, the entire future behavior is completely determined by the initial conditions and the governing rules. 

Key Aspects of Determinism

  • Predictability: Because the same rules are applied every time, the outcome can be predicted with 100% certainty if the initial state is known.
  • No Randomness: Unlike stochastic (probabilistic) systems, deterministic systems do not use random numbers or chance events.
  • Reproducibility: A deterministic process will produce the exact same result every time it is run with the same inputs, making it essential for debugging and testing.
  • Causality: Every event is seen as a direct result of preceding events and natural laws.

Examples in Different Contexts

  • Computer Science: A deterministic algorithm, such as a sorting algorithm, will always produce the same output for a given input.
  • Mathematics: A formula like 2 + 2 is deterministic; it always equals 4.
  • Physics: Classical mechanics (like calculating the trajectory of a bullet) is deterministic, whereas quantum mechanics is often described as non-deterministic.
  • Philosophy: It is the belief that all events, including human actions, are pre-determined by past causes and that free will does not exist.

Deterministic vs. Non-Deterministic

Feature      | Deterministic System                 | Non-Deterministic (Stochastic) System
-------------|--------------------------------------|--------------------------------------
Output       | Same input always equals same output | Same input can produce different outputs
Randomness   | None                                 | Involves chance or probability
Prediction   | 100% predictable                     | Predicted using probability
Path         | Only one possible path               | Multiple possible paths

Limitations

While deterministic models are reliable, they can be impractical for complex systems where measuring the exact initial conditions is impossible (e.g., weather forecasting, which is why it often relies on probability).

The Avalanche effect (avalanche = हिमस्खलन)

The avalanche effect is a desirable property in cryptographic algorithms (hash functions and block ciphers) where a tiny change in input—such as flipping a single bit—results in a significant, unpredictable, and drastic change in the output, typically changing roughly 50% of the output bits. It ensures high diffusion and prevents attackers from predicting input patterns based on output data, enhancing security against analysis. 
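The four characteristics listed under How It Works (deterministic, fixed length, avalanche effect; irreversibility cannot be demonstrated by running code) and the single-bit-flip version of the avalanche effect described here, checked with SHA-256 from the Python standard library. This is an added example for these notes, not code from the original page; the inputs are constructed and the 30–70% band used for the avalanche check is an assumed tolerance around the roughly 50% the text quotes.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash raw bytes with SHA-256 and return the 64-character hex digest."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit flipped
    (bit 0 is the least significant bit of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_ratio(a: bytes, b: bytes) -> float:
    """Fraction of output bits that differ between the hashes of a and b.
    For a good hash this sits close to 0.5 even when a and b differ in one bit."""
    ha, hb = sha256_hex(a), sha256_hex(b)
    return differing_bits(ha, hb) / (len(ha) * 4)   # 4 bits per hex character


def is_deterministic(data: bytes) -> bool:
    """Deterministic: hashing the same input twice gives the same digest."""
    return sha256_hex(data) == sha256_hex(data)


def digest_lengths(*inputs: bytes) -> set:
    """Fixed length: the set of digest lengths has a single element
    whatever the input sizes are."""
    return {len(sha256_hex(x)) for x in inputs}


if __name__ == "__main__":
    pw = b"BlueSky123"                       # constructed sample password
    print("BlueSky123 ->", sha256_hex(pw))
    print("BlueSky124 ->", sha256_hex(b"BlueSky124"))
    print("bits changed by one character:",
          differing_bits(sha256_hex(pw), sha256_hex(b"BlueSky124")), "of 256")
    print("bits changed by one flipped bit:",
          differing_bits(sha256_hex(pw), sha256_hex(flip_bit(pw, 0))), "of 256")
    print("digest lengths for 4- and 40-character inputs:",
          digest_lengths(b"abcd", b"a" * 40))
```

The last two printed lines are the avalanche effect in numbers: changing BlueSky123 to BlueSky124, or flipping a single bit of the input, moves roughly half of the 256 output bits, and the 4-character and 40-character inputs both give a 64-hex-character digest.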

Rainbow table attack

From the Wikipedia article:

A rainbow table is a precomputed table for caching the outputs of a cryptographic hash function, usually for cracking password hashes. Passwords are typically stored not in plain text form, but as hash values. If such a database of hashed passwords falls into the hands of attackers, they can use a precomputed rainbow table to recover the plaintext passwords. A common defense against this attack is to compute the hashes using a key derivation function that adds a “salt” to each password before hashing it, with different passwords receiving different salts, which are stored in plain text along with the hash.

Rainbow tables are a practical example of a space–time tradeoff: they use less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple table that stores the hash of every possible password.
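Why the salt defense in the paragraph above works, shown on the simplest form of precomputed table: the “simple table that stores the hash of every possible password” end of the space–time tradeoff, built from a constructed five-word list rather than the chain-compressed structure a real rainbow table uses. This is an added illustration for these notes, not code from the original page or from Wikipedia; the wordlist, the unsalted SHA-1 storage (matching the sha1 form in the PHP script) and the salted SHA-256 storage are all assumptions of the example.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed five-entry wordlist; a real precomputed table covers vastly more
# candidates, which is exactly why unsalted hashes are exposed to it.
WORDLIST = ["password", "123456", "BlueSky123", "letmein", "qwerty"]


def build_lookup_table(words, algo: str = "sha1") -> Dict[str, str]:
    """Precompute digest -> password for every word in the list.

    This is the plain lookup table of the space-time tradeoff: all storage,
    no per-lookup computation. A rainbow table compresses the same coverage
    into chains, but a leaked hash is checked against it in the same spirit.
    """
    return {hashlib.new(algo, w.encode("utf-8")).hexdigest(): w for w in words}


def store_unsalted(password: str) -> str:
    """How the sha1 form in the PHP script would store a password: no salt,
    so every user with this password gets the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted storage: a random per-user salt is prepended before hashing and
    kept in the clear next to the digest (as the Wikipedia text describes)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def exposed_to_table(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Audit check: does a stored hash appear in the precomputed table?
    Returns the matching password if it does, else None."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table entries:", len(table))

    unsalted = store_unsalted("BlueSky123")
    print("unsalted sha1 record:", unsalted, "->", exposed_to_table(table, unsalted))

    salt_a, salted_a = store_salted("BlueSky123")
    salt_b, salted_b = store_salted("BlueSky123")
    print("salted record A:", salt_a, salted_a, "->", exposed_to_table(table, salted_a))
    print("salted record B:", salt_b, salted_b, "->", exposed_to_table(table, salted_b))
    print("same password, same salted hash?", salted_a == salted_b)
```

The unsalted record is found immediately because the table was built once for the whole list; the two salted records for the same password differ from each other and from anything in the table, so a precomputed table would have to be rebuilt per salt, which is the cost the defense imposes.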

Rainbow tables were invented by Philippe Oechslin[1] as an application of an earlier, simpler algorithm by Martin Hellman.[2]

Check this site for more info – https://www.beyondidentity.com/glossary/rainbow-table-attack