I have an application whose source code is checked into a public repository. This source code includes configuration files, and in those configuration files are SHA-256 hashed passwords.
My understanding is that when it comes to hashed passwords, an end user doesn’t actually have to enter the password you used to generate the hash, but any password that generates the same hash value. I believe this is called a collision.
So can I display my hashed passwords in public with a reasonable assurance that someone can’t take that hash and then generate a password (or generate a collection) that can be used to get access to my application? Is that a guarantee that these hashing algorithms try to make?
There are no known practical attacks against SHA-2 in the general case. It’s generally considered better to keep hashed passwords secret, though, because there are rainbow tables, dictionary attacks, and other such things. If you took the proper precautions such as salting, round robin hashing, and having a nice long passphrase, it should be perfectly safe.
It’s still better to not do this, though. You never know what cryptographic attacks might be developed in the future.