3

From what I understand, in most sites, passwords are stored as a hash, not in their original form. This means that if the database is hacked into, the attacker will see the (nearly) useless hashes instead of the actual passwords.

For the website to authenticate your login attempt, it hashes your attempt of a password, and checks if it matches the stored hash. If they match, it logs you in; otherwise, it denies it.

I've read on many sites though that no hash algorithm can produce 100% unique hashes; collisions will always happen.

Does that mean that, theoretically, there exists another password that will give the same hash given a hash-function, which means there is potentially more than 1 password that could be used to log in with (although the other password would probably be near-random for a complicated hash-function)?

Carcigenicate

1 Answer

7

There are in fact infinitely many passwords which produce the same hash. That is actually more or less the definition of what it means to be a hash function: reducing a larger (potentially infinite) input space into a smaller finite output space.

However, a "good" hash function will distribute the hash values among the input values in such a way that any similarity in the input does not translate into similarity in the output. For a cryptographic hash function, such as the ones used for password hashing, this requirement is even stronger.

What this means, basically, is that the passwords which have the same hash value tend to be very dissimilar. In particular, most tend to be very long, very unreadable, cryptic apparently random strings.

Jörg W Mittag
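The point made in the answer above, as an added example that is not part of the original posts: SHA-256 is cut down to 16 bits (an assumption made only so the search finishes quickly) and a second, unrelated string is found that passes the same login check. The names `toy_hash`, `check_login` and `find_second_password` are hypothetical, and the sample password is constructed.

```python
import hashlib
from itertools import count


def toy_hash(password: str, bits: int = 16) -> int:
    """SHA-256 truncated to its top `bits` bits: a deliberately tiny output space."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def check_login(attempt: str, stored_hash: int, bits: int = 16) -> bool:
    """The check described in the question: hash the attempt, compare with the stored hash."""
    return toy_hash(attempt, bits) == stored_hash


def find_second_password(password: str, bits: int = 16) -> tuple:
    """Enumerate constructed candidates until a different string has the same toy hash.

    Returns (colliding_string, number_of_candidates_tried). With a uniformly
    spread hash this takes about 2**bits tries on average, which is why it is
    only practical here because the output was shrunk to 16 bits.
    """
    stored = toy_hash(password, bits)
    for tries in count(1):
        candidate = f"candidate-{tries}"
        if candidate != password and toy_hash(candidate, bits) == stored:
            return candidate, tries


if __name__ == "__main__":
    real = "correct horse battery staple"  # constructed sample password
    stored = toy_hash(real)                # what the site would keep in its database

    other, tries = find_second_password(real)
    print(f"stored 16-bit hash : {stored:#06x}")
    print(f"second password    : {other!r} (found after {tries} tries)")
    print(f"real logs in       : {check_login(real, stored)}")
    print(f"other logs in      : {check_login(other, stored)}")
    # With the full 256-bit digest the two strings no longer match.
    print(f"full digests equal : {toy_hash(real, 256) == toy_hash(other, 256)}")
```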