LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does hashing work as a pseudonymization technique, and why are plain hashes risky?

Hashing is a one-way function producing a fixed-size output; it's irreversible in theory but vulnerable to brute-force and rainbow-table attacks on predictable inputs.

A four-step strengthening chain — plain hash, salted hash, HMAC, tokenization — each adding a defense.

* From plain hash to tokenization: each step adds a defense (salt, secret key, vault). *

A hash (e.g. SHA-256) maps any input to a fixed-length digest and can't be mathematically inverted. That sounds perfect for pseudonymization — but the catch is low-entropy inputs. If the possible inputs are guessable (names, emails, phone numbers, national IDs), an attacker simply hashes every candidate and matches the digests. Rainbow tables are precomputed dictionaries that make this near-instant.

The fix: per-record random salt. Adding a unique salt before hashing means an attacker can't reuse a precomputed table — they'd have to brute-force each record separately. Salting defeats rainbow tables but not a determined brute-force against truly predictable values.

Tip: Hashing a phone number is not anonymization — there are only ~10^10 of them; an attacker hashes them all in seconds.

Go deeper:

From Quiz: PRIVACY / Data Anonymization — k-Anonymity, l-Diversity & Re-identification | Updated: Jul 05, 2026