Objective 1.4High Priority10 min read

Hashing and Salting

One-way cryptographic functions that convert data into fixed-length values (hashes) for integrity verification and password storage. Salting adds random data before hashing to prevent rainbow table attacks.

Understanding Hashing and Salting

Hashing is a one-way function that converts any input into a fixed-length output (hash value or digest). Unlike encryption, hashing cannot be reversed—you can't get the original data from the hash.

Key properties of good hash functions:One-way — Can't reverse to find original input • Deterministic — Same input always produces same hash • Fixed length — Output size constant regardless of input size • Avalanche effect — Small input change creates very different hash • Collision resistant — Hard to find two inputs with same hash

Salting adds random data to input before hashing, preventing attackers from using precomputed tables to crack hashed passwords.

Why This Matters for the Exam

Hashing is fundamental to security and appears throughout SY0-701. It's used for password storage, digital signatures, file integrity verification, and blockchain.

The exam tests understanding of hash properties, when to use hashing versus encryption, which algorithms are secure, and why salting matters for passwords.

Real-world, improper hashing leads to data breaches. Storing unsalted password hashes means attackers can use rainbow tables. Using MD5 or SHA-1 for security means collisions are possible.

Deep Dive

Hash Function Properties

One-Way Function

  • Given hash H, cannot find input M such that hash(M) = H
  • Essential for password storage—even if hashes are stolen, passwords aren't exposed.

Deterministic

  • hash("password") always equals the same value.
  • Enables verification: hash user input and compare to stored hash.

Fixed Length Output

  • SHA-256: Always 256 bits (64 hex characters)
  • SHA-512: Always 512 bits (128 hex characters)
  • MD5: Always 128 bits (32 hex characters)

Avalanche Effect

  • "password" → 5e884898da28047d9...
  • "Password" → 319f4d26e3c536b5...
  • One character change = completely different hash.

Collision Resistance

  • Hard to find M1 ≠ M2 where hash(M1) = hash(M2)
  • If collisions are easy, integrity verification fails.

Common Hash Algorithms

AlgorithmOutput SizeStatus
MD5128 bits❌ Broken - don't use
SHA-1160 bits⚠️ Deprecated - avoid
SHA-256256 bits✅ Secure - recommended
SHA-384384 bits✅ Secure
SHA-512512 bits✅ Secure
SHA-3Variable✅ Secure - newest

Hashing Use Cases

Password Storage

  • Store hash, not password
  • Compare hashes at login
  • Even admins don't know passwords

File Integrity

  • Calculate hash of file
  • Compare later to detect changes
  • Used in forensics and malware detection

Digital Signatures

  • Hash the document
  • Sign the hash (faster than signing whole document)
  • Verify hash matches after decryption

Blockchain

  • Each block contains hash of previous block
  • Creates tamper-evident chain

Salting

A salt is random data added to input before hashing.

Why Salt?

Without salt:

  • "password" always hashes to same value
  • Attackers precompute hashes (rainbow tables)
  • All users with same password have same hash
  • One cracked = all cracked

With salt:

  • "password" + "x7Kj9m" → unique hash
  • Each user has different salt
  • Same password, different hashes
  • Rainbow tables useless

Salt Implementation:

  • 1.Generate random salt for each user
  • 2.Concatenate: salt + password
  • 3.Hash the combination
  • 4.Store both salt and hash
  • 5.At login: retrieve salt, hash input with salt, compare

Salt Characteristics:

  • Unique per user
  • Randomly generated
  • Stored alongside hash
  • Doesn't need to be secret (just unique)

Rainbow Table Attacks

Precomputed tables mapping common passwords to hashes.

How they work:

  • 1.Attacker builds table: password → hash
  • 2.Steals hash database
  • 3.Looks up hash in table
  • 4.Finds original password

Why salting defeats them:

  • Each salted hash is unique
  • Would need different rainbow table per salt
  • Computationally infeasible

HMAC (Hash-based Message Authentication Code)

Combines hashing with a secret key for message authentication.

• Provides integrity AND authentication • Only someone with the key can create valid HMAC • Used in TLS, IPSec, API authentication

How CompTIA Tests This

Example Analysis

Scenario: A company's password database is stolen. The passwords were stored as unsalted SHA-256 hashes. What attack is now possible, and how could it have been prevented?

Attack: Rainbow Table • Attacker uses precomputed SHA-256 rainbow table • Common passwords cracked instantly • All users with same password exposed together

Prevention: Salting • Each password should have unique random salt • salt + password → hash • Store salt with hash • Rainbow tables become useless

Additional Prevention: Key Stretching • Use bcrypt, scrypt, or PBKDF2 • Apply hash function thousands of times • Makes brute-force extremely slow

Key insight: SHA-256 is secure, but ONLY with salting for passwords. The algorithm isn't broken—the implementation (no salt) is the problem.

Key Terms to Know

hashingsaltingSHA-256MD5password hashingintegrity verificationhash collisionrainbow tableone-way function

Common Mistakes to Avoid

Thinking hashing is encryption—hashing is ONE-WAY. You cannot "decrypt" a hash. Encryption is two-way with a key.
Using MD5 or SHA-1 for security—both have known collision vulnerabilities. Use SHA-256 or better.
Storing passwords without salt—unsalted hashes are vulnerable to rainbow tables. Always salt passwords.
Thinking salt needs to be secret—salt just needs to be unique. It can be stored alongside the hash.

Exam Tips

Hashing = One-way (can't reverse). Encryption = Two-way (can decrypt with key).
SHA-256 is the current standard. MD5 and SHA-1 are deprecated/broken.
Salting defeats rainbow tables by making each hash unique.
Hash functions produce FIXED length output regardless of input size.
Collisions (two inputs, same hash) break integrity—that's why MD5/SHA-1 are insecure.

Memory Trick

"Hash = One-way, Fixed, Unique"

  • One-way — Can't reverse
  • Fixed length — Always same output size
  • Unique — Different inputs = different hashes (ideally)
  • Algorithm Status Memory:
  • MD5 = Failed (broken)
  • SHA-1 = Suspect (deprecated)
  • SHA-256 = Secure (use this)

Salt Memory: SALT = Stops All Lookup Tables (Rainbow tables are lookup tables)

  • Hash vs. Encryption:
  • Hash = One-way door (can't go back)
  • Encryption = Locked door (key opens both ways)

Password Storage Rule: Never store passwords → Store salted hashes hash(salt + password) = secure storage

Test Your Knowledge

Q1.What is the PRIMARY purpose of adding a salt to passwords before hashing?

Q2.Which hash algorithm should be used for secure password hashing in new applications?

Q3.A security analyst needs to verify that a downloaded file hasn't been modified. What should they compare?

Want more practice with instant AI feedback?

Practice with AI

Continue Learning

Digital SignaturesKey StretchingEncryption Algorithms and Key Length

Ready to test your knowledge?

Practice questions on hashing and salting and other Objective 1.4 concepts.

Start Practice
Obfuscation TechniquesDigital Signatures