The Night I Learned Password Security from a Stranger
A dream inspired story explaining cryptography, hashing, bcrypt, and salt, and how they protect passwords in modern computer systems.

Last night, I had been working on a login system all night before I fell asleep at my desk. Then I suddenly realized that I was in an old library with dusty books and bright computer screens. It was a quiet evening and the air felt like it was from another era. I saw an old man across the table who appeared to know a lot in computer science.
He began to explain something that felt both simple and powerful, it was called "cryptography." He called it, "The science of protecting information so that only the right people can access it. In the digital world, this is extremely crucial, especially when dealing with sensitive data like passwords. He explained that there are various cryptography methods, including encryption and hashing, and each comes with its own set of applications.
Locking, or encryption, as it's known," he explained, is a reversible process. Encodes data (plain text) into unreadable data (cipher text) with a key. Later, however, the original data can be recovered with a “decryption” algorithm, known as unlocking. This is the case with secure communication, where both sender and receiver must have access to the original communication. But passwords need a more advanced level of approach.
This is where "hashing" comes into the picture, he said. The hashing algorithm transforms data into a fixed size string that is not reversible. From the hash, the original input can't be retrieved from whatever you do! Therefore, hashing is a great way to store passwords. Systems store the hash (hashed password) rather than the actual password as plaintext. As the user logs in, the password entered is rehashed and compared to the stored one again.
However, the gentleman made it clear that hashing is not always safe. Attackers can use rainbow tables (precomputed tables) to guess passwords quickly. Two users with the same password will have the same hash. This means that the system and users will be vulnerable.
To solve this, he introduced the idea called "salt." A salt is a random number that is appended to a password prior to its hashing. With this approach, if two users have the same password, the hashes will also be different. Salt increases security as it makes it much more difficult to use a precomputed attack.
He said the concept of salting passwords was brought up by Robert Morris and Ken Thompson in their research on the security of the unix system. They figured that if they didn't have salt, the same passwords would get the same hashes and it would be easier to attack the system. The use of salt made sure that every password hash, even those of users with the same password, would be different.
In modern use, some hashing functions are used only for passwords. MD5 and SHA-1 were not created for password storage purposes. Their main drawback with passwords are they compute hashes in such a short amount of time, that attackers can attempt as many as billions of guesses per second, which makes them totally unsuitable for password hashing. Both SHA-256 and SHA-3 have been more secure and are still used in many security applications like digital signatures and data integrity checks, but they have the same problem as the others: they are too fast for password storage and should not be used to hash passwords directly. That's why the algorithms bcrypt, scrypt and Argon2 are the best choices for password hashing. They have salt and are designed to be slow and require lots of memory, which makes brute force attacks much more difficult, even with the most powerful or specialised machine.
On the other hand, there are trade-offs. Because it is impossible to retrieve the data by hashing, the passwords are only reset when forgotten. This, in fact, is a security feature, not a flaw, because it means that even the system itself doesn't know your password. Stronger algorithms like bcrypt and Argon2 require more computational power, which may increase system load. However, these features are just what makes the system more secure.
The dream was getting fainter and I began to ask myself how this gentleman knew so much about such a complicated subject. As everything was fading away, he said calmly to me, "I was involved in shaping these ideas." I knew that he had to be one of the pioneers, maybe Robert Morris or Ken Thompson himself.
I suddenly got up, still at my desk, and had my code editor open. This time I knew what to do. My login system wasn't only functional, it was secure.
Also, I was interested in going a bit deeper and learned that hashing has changed over the years. There were two types of hashing. Non-cryptographic hashing and Hash tables developed mainly for data organization purposes, whereas, Cryptographic hashing was introduced for security purposes and has a different history. It was one of the contributions of Robert Morris and Ken Thompson that is still used in modern systems, the use of salt in password hashing.