First off, don't confuse encryption with hashing. Encryption is reversible; with the correct key, you can decrypt and get back to the original data. A cryptographic hash is designed to be irreversible; you can only go "forward" through the hash. If I give you the hash of a string, you can't figure out what the original string was.
The basic idea of a system that stores hashed passwords for authentication is something like this: the server has a list of username and hashed password pairs, (user_i, h(password_i)), for all the users with accounts on the system. To authenticate, you must provide the login process with your username and password -- let's say bob and bobspasswd. The system then attempts to retrieve the entry for the user named bob. If you don't have an account on the system, you'll get an error to that effect. If you do have an account, the system next computes h(bobspasswd) and compares it to the stored copy of the hashed password. If they match, then you are authenticated and allowed to proceed.
Suppose you get a copy of the hashed password h(ddspasswd) for another user, diane. Remember, h is a cryptographic hash function, so you'll never be able to figure out that the thing you have is the hash of "ddspasswd". If you provide the login process with h(ddspasswd), it will then compute h(h(ddspasswd)), which does not match h(ddspasswd).
There are certainly many security problems with the above simple system. For example, how can you log in over a network securely? You can't.
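
The login flow described above, as an added example that is not part of the original answer. It assumes SHA-256 as the hash function h; the account table and the names `check`, `login` and `replay_stolen_hash` are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """Stand-in for the hash function h in the text (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


class UnknownUser(Exception):
    """Raised when there is no account for the given username."""


# Constructed sample table of (user_i, h(password_i)) pairs held by the server.
ACCOUNTS = {
    "bob": h(b"bobspasswd"),
    "diane": h(b"ddspasswd"),
}


def check(username: str, submitted: bytes) -> bool:
    """Hash whatever was submitted and compare it to the stored hash."""
    stored = ACCOUNTS.get(username)
    if stored is None:
        raise UnknownUser(username)
    # The server always goes "forward" through h before comparing.
    return hmac.compare_digest(h(submitted), stored)


def login(username: str, password: str) -> bool:
    """Normal login: the user types the password itself."""
    return check(username, password.encode("utf-8"))


def replay_stolen_hash(username: str) -> bool:
    """Submit the stored hash in place of the password.

    The server computes h(h(password)), which does not equal h(password).
    """
    stolen = ACCOUNTS[username]
    return check(username, stolen)


if __name__ == "__main__":
    print("bob, correct password:", login("bob", "bobspasswd"))
    print("diane, stolen hash submitted:", replay_stolen_hash("diane"))
```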