How it got me Started:
I was going through the passwords in MySQL and saw that all the passwords for users were in some cryptic text. Initially I thought that there was a function which encoded the password before storing it and decoded the password before comparing it. It turned out that I was totally wrong.
How it works:
Hashing is a function that takes a string and generates a digest for it (for SHA-1, a 40-character hex string). The hash of two identical strings is always the same. Hashing is also a one-way process (i.e. you can produce a hash from a string, but you cannot produce the string from its hash). A string that differs only slightly produces a completely different digest, bearing no relation to the first one.
Example:
In MySQL:
SELECT sha1('The quick brown fox jumps over the lazy dog');
Returns:
sha1('The quick brown fox jumps over the lazy dog')
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Just change the d in "dog" to a c and you get a totally different string:
sha1('The quick brown fox jumps over the lazy cog')
de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3
Application:
For password hashing: the hash of the password is stored in the database, and the application only checks whether the hash of the submitted password matches the value stored in the password field.
Flip Side:
The password cannot be retrieved from the database, because we cannot generate the password from its hash.
Fix:
The fix is to reset the password and e-mail the new password to the user, who can then change it if he likes.
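Below is an added example, written for this page rather than taken from the post or from MySQL, showing the application side of the "Application" and "Fix" sections in Python: storing sha1(password) and checking a login against it, and the reset flow that issues a fresh password because the old one cannot be recovered from its hash. The in-memory USERS table, the PBKDF2 iteration count and the user names are constructed for the example. The salted PBKDF2 variant is a hardening step the post does not describe; it is included because, as the post itself notes, identical inputs always give identical hashes, so with an unsalted fast hash every user who picks the same password ends up with the same stored digest.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for the MySQL users table (constructed for this example):
# username -> stored record. The post stores the sha1() digest in the
# password column; here a record also carries the scheme it was hashed with.
USERS: dict = {}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the salted variant


def sha1_hex(text: str) -> str:
    """Same 40-character hex digest that MySQL's sha1() returns."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def store_password_sha1(username: str, password: str) -> None:
    """The post's scheme: keep only sha1(password), never the password."""
    USERS[username] = {"scheme": "sha1", "hash": sha1_hex(password)}


def store_password_pbkdf2(username: str, password: str) -> None:
    """Hardened variant (added here, not from the post): a random per-user
    salt makes identical passwords hash differently, and the iteration
    count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    USERS[username] = {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def check_password(username: str, password: str) -> bool:
    """Login check: hash the submitted password the same way the stored
    record was hashed and compare digests. compare_digest keeps the
    comparison time independent of how many leading characters match."""
    record = USERS.get(username)
    if record is None:
        return False
    if record["scheme"] == "sha1":
        candidate = sha1_hex(password)
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(record["salt"]),
            record["iterations"],
        ).hex()
    return hmac.compare_digest(record["hash"], candidate)


def reset_password(username: str) -> str:
    """The post's fix for a forgotten password: the stored hash cannot be
    reversed, so generate a new random password, store its hash, and hand
    the plaintext back exactly once so it can be e-mailed to the user."""
    if username not in USERS:
        raise KeyError(f"unknown user {username!r}")
    temporary = secrets.token_urlsafe(12)
    store_password_pbkdf2(username, temporary)
    return temporary


if __name__ == "__main__":
    store_password_sha1("alice", "correct horse")   # constructed sample user
    print(check_password("alice", "correct horse"))  # True
    print(check_password("alice", "wrong horse"))    # False
    new_pw = reset_password("alice")
    print(check_password("alice", new_pw))           # True
```

The sha1 path reproduces exactly what the post describes; the reset path deliberately re-stores the account with the salted scheme so that an account touched by a reset is upgraded, and check_password dispatches on the stored scheme so both kinds of record keep working during a migration.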
Advantages:
The password is hidden from the administrators: a password is known only to the user, and even the administrator does not know it.
