A hash is just a mathematical algorithm that generates a somewhat unique number from any input, and usually in such a way that the tiniest difference generates a completely different hash.

I can put a single letter in a hash, I can put the entire Bible in a hash, I can put the entire universe in a hash, the output is always the same amount of bytes.

For example, if I have a hash algorithm that generates a two letter hash, a-z, then the input “Lemmy” could give me “WK” while “Lemmx” (literally one bit difference in binary) could give me “AV”. If I put the Bible in there, I could get out “XX”, for example.

The same input always generates the same output, and another important tidbit: hashing is always one way, you can’t do it in reverse.

Also important, as you probably already noticed: the hash contains (usually, but not necessarily) much less information than the original input. This means that at some point, two different inputs can generate the same output, that’s called a collision.

If the entire world would use the same hash all the time, and users would all use the same password for every website, then all the hashes for all the websites would be the same.

Now, humans are humans, and most humans use a fairly limited set of passwords. Sole people try to be ingentilent by replacing “s” with “5”, thinking that computers won’t get that.

Then, somebody started compiling a list of all known passwords with all variations and put them in a table. Then they went over each password, and hashed it with a bunch of well known hashing algorithms. Those tables, called rainbow tables iirc, are super easy and fast lookup tables if you have a hash and want to see what password it could have been.

Now what can websites do to protect against this? They can “salt” the password by prefixing then with a random text string only known to the website. If I download the database of that website, all the hashes will now be different and I won’t be able to do the lookup anymore. Better even would be to also include the user id in there, making it even harder to decipher.

What can users do? Don’t use those “Kn0w13DgE” passwords, use a random string of characters. Use unique passwords for each site. Use a password manager which will do both for you so you won’t have to remember anything