Tech Solvency / Passwords / "Dehashing", "Reversing", and "Decrypting"

Everyone really needs to stop using "dehashing", "reversing", or "decrypting" with password hashes.

These terms run completely counter to the fundamental concept of hashing as a one-way function.

Using these terms isn't just inaccurate. It can cause the uninitiated to carry this misconception forward for years, making deep errors in their thinking and work.

Basically, these terms are the password-cracking equivalent of showing up on a baking forum and saying,

"I bought this cake. How can I turn it back into eggs and flour and milk?"

Or as Julien Piatek brilliantly illustrated it in Hash functions for newbies:

Diagram showing that you can turn fruit into a smoothie, but you can't turn a smoothie back into the original fruit
Image credit: Julien Piatek, Hash functions for newbies

You can't "deblend" your smoothie. You can't directly turn the smoothie back into the fruit. What you can do is keep trying combinations and ratios of fruit until you get the same taste, color, and consistency. Then you know what the recipe was. In other words, you can black-box reverse-engineer it, but you can't disassemble it.


Listen. The words you're looking for are either crack (cracked / cracking) (when first discovered), or hash lookup (when fetched from a cache of cracked passwords).

Cracking is what's happening the first time a plaintext for a given hash is discovered (or if you're a cryptographer, you're finding a preimage). All you're doing is hashing candidate passwords to see if you got one that matches your hash. Over and over again. If you could "reverse" a hash, the underlying function would be a bad hash function, by definition.

And yes, once a hash is cracked, the results can be indexed or cached for fast retrieval. This provides the illusion that there's some kind of fast math going on. But that's not "reversing" the hashes. That's just a lookup. (I'm not a fan of 'reverse hash lookup' - while precise and technically true, it only confuses the noobs, because of that pesky word "reverse". When someone says "I'm trying to reverse this hash", they are definitely *not* saying "I'm trying to look up this hash".)

Seriously. You can't get there from here. It's a one-way street. There's no going back.

Bart Simpson at chalkboard writing: Hashes are not 'dehashed', 'decrypted', or 'reversed'.

Every time you use the word "dehashed", God fakes a leak drop.


Now I know how cryptographers feel about "crypto = cryptocurrency".


Cross-connect links to this page:

Thanks to @bmenrigh and @hops_ch for impetus and insight.

Want to talk about more password stuff (or something else)? Ping me!