eastbaycyber

Hashing: Definition, How It Works, and Where You’ll See It in Security

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Hashing is the process of transforming input data (a “message”) into a fixed-length output value (a “hash” or “digest”) using a hash function. In security, hashing usually refers to cryptographic hash functions designed to be one-way and resistant to tampering.

How hashing works

A hash function takes arbitrary-length input—anything from a short password to a multi-gigabyte file—and deterministically produces a fixed-size digest (e.g., 256 bits for SHA-256). Deterministic means the same input always yields the same output.

What makes cryptographic hashing useful is not secrecy, but properties that make tampering and forgery hard:

  • Preimage resistance (one-way): Given a hash, it should be infeasible to recover the original input.
  • Second-preimage resistance: Given an input, it should be infeasible to find a different input with the same hash.
  • Collision resistance: It should be infeasible to find any two different inputs that produce the same hash.
  • Avalanche effect: Small changes in input should produce drastically different output.

Hashing vs. encryption (what’s the difference?)

  • Encryption is reversible with a key (decrypt to recover plaintext).
  • Hashing is intended to be irreversible (you verify by recomputing and comparing).

Password hashing isn’t “just hashing”

Storing passwords safely is a special case. General-purpose hashes like SHA-256 are designed to be fast, which is bad for password storage because attackers can try billions of guesses per second.

Secure password storage uses: - A salt (unique random value per password) to prevent rainbow-table reuse and to ensure identical passwords have different hashes. - A slow, memory-hard password hashing/KDF algorithm, such as Argon2id (preferred), bcrypt, scrypt, or PBKDF2 (legacy but still common).

Practical tip: if you’re also trying to reduce password reuse risk across your org, pairing strong password hashing on the backend with a vetted password manager can help users choose unique passwords. For teams, see our guide to the best password manager for small business: password manager for small business 2026. If you want an easy-to-deploy option, 1Password is a common choice for SMBs and IT teams (Try 1Password →).

Quick examples (CLI)

Compute a file hash to verify integrity

# Linux/macOS
sha256sum installer.iso
# or (macOS)
shasum -a 256 installer.iso

Windows PowerShell:

Get-FileHash .\installer.iso -Algorithm SHA256

Compare against a published SHA-256 value (make sure you trust the source of the published hash).

What a hash “looks like”

Hashes are often shown in hex (base16) or base64. Example output format (hex):

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

That digest represents an empty file with SHA-256; any real file will produce a different value.

HMAC (keyed hashing for authenticity)

A plain hash tells you whether data changed, not who changed it. If an attacker can modify the data, they can often also recompute the hash.

HMAC adds a secret key to produce a digest that attackers can’t forge without the key:

# Example: HMAC-SHA256 using OpenSSL
printf "message" | openssl dgst -sha256 -hmac "shared_secret"

Use cases include API request signing and integrity protection where both parties share a key.

Where you’ll encounter hashing in security

Hashing is everywhere in security operations and everyday IT. The key is knowing whether the hash is being used for integrity, identity, or secret verification.

1) File integrity checks (downloads, patching, software distribution)

Vendors and package managers commonly publish hashes so you can confirm what you downloaded matches what they released. You’ll also see hashes in:

  • Package manager metadata (repository checks)
  • Container image layers (content-addressable storage)
  • Infrastructure-as-code artifacts and build pipelines

Operational guidance: - Prefer SHA-256 or stronger for integrity. - If available, prefer signed artifacts (GPG signatures, code signing) over just a hash. A hash posted on a compromised website is not trustworthy.

2) Incident response and forensics (identifying artifacts)

Security tools frequently index files by hash: - EDR/AV detections and allow/deny lists - Threat intel feeds (known-bad file hashes) - Case notes (“the suspicious binary had SHA-256 …”)

Practical caveat: - Hashes are exact-match identifiers. Minor changes (packing, timestamp changes, recompiles) produce different hashes. That’s why defenders also use fuzzy hashing and behavioral detections.

If you’re triaging alerts, you’ll often pivot from a hash to an indicator of compromise field in logs and intel. Related: what is an ioc.

3) Password storage and authentication backends

You’ll encounter hashing in: - Application databases (password hash fields) - IAM systems, directory services, and SSO components - Breach response when evaluating credential exposure

What to check as an admin/security reviewer: - Are passwords stored with Argon2id/bcrypt/scrypt/PBKDF2 and a unique salt? - Are parameters current (iterations/cost/memory)? - Is there a legacy unsalted MD5/SHA-1 scheme anywhere? That’s a high-risk remediation item.

4) Logging, correlation, and data handling

Hashing is often used to: - Pseudonymize identifiers (e.g., hash an email address to reduce exposure in logs) - Deduplicate events (same input → same output) - Create stable identifiers in data pipelines

Important nuance: - Hashing is not anonymization. If the input space is small (emails, phone numbers), attackers can guess and hash candidates (“dictionary attack”) to recover originals—especially if unsalted. For privacy, consider keyed hashing (HMAC) or proper tokenization schemes.

5) Integrity in protocols and systems design

Hashes support: - Checksums and integrity fields in file formats and protocols - Merkle trees (used in Git, blockchains, transparency logs, and some storage systems) - Signed digests in certificates and software update frameworks

If you manage systems that “pin” artifacts (e.g., known-good container digest), you’re relying on hashing for immutability guarantees.

Common log patterns (what to look for)

In SIEM/EDR logs, hashes may appear in fields like:

sha256=...
md5=...
file.hash.sha256=...
process.hash.sha1=...
ImageHash=...

In Windows-centric telemetry (Sysmon/EDR), look for process/image hash fields tied to: - Process creation events - File creation/modification events - Module/DLL load events

If your tools still emit MD5 by default, consider enabling SHA-256 as a primary indicator field (MD5 is fine for non-adversarial deduplication, but weak for adversarial collision scenarios).

Quick do/don’t checklist

DO: Use SHA-256+ for integrity verification.
DO: Use Argon2id (or bcrypt/scrypt) with unique salts for passwords.
DO: Prefer signed releases over “hash-only” verification when possible.

DON’T: Use MD5/SHA-1 for security-sensitive integrity or signatures.
DON’T: Store passwords with fast hashes (SHA-256/MD5) even with a salt.
DON’T: Assume hashing anonymizes low-entropy identifiers without a secret key.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

Cryptographic hash function

A hash designed for security properties (e.g., SHA-256, SHA-3, BLAKE2/3).

Digest / checksum

The output of a hash function. “Checksum” is sometimes used for weaker integrity checks; “digest” often implies cryptographic.

Collision

Two different inputs produce the same hash. Cryptographic designs aim to make this infeasible.

Salt

Random per-password value mixed into password hashing to prevent reuse and precomputation attacks.

Pepper

A secret value (like an app-wide key) combined with passwords in addition to salts, typically stored outside the database (e.g., in an HSM or secrets manager).

Key derivation function (KDF)

Algorithms for deriving keys from passwords or secrets. For passwords, use slow KDFs like Argon2id/bcrypt/scrypt/PBKDF2.

HMAC

Keyed hashing for integrity + authenticity (prevents attackers from forging hashes without the key).

Rainbow table

Precomputed hash→password mappings used to crack unsalted/weakly hashed passwords.

Fuzzy hashing / similarity hashing

Methods (e.g., ssdeep) that help identify similar files even if not identical—useful in malware analysis, not a replacement for cryptographic hashing.

Content-addressable storage

Systems that store/retrieve objects by hash (common in Git and container layers).

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.