The best defense against unauthorized access is still provided by credentials, but they are also the second line of defense. For instance, NIST login recommendations are now emphasizing login length over complexity. Hashing, but, remains a non-negotiable. Yet long, safe passphrases should be hashed to prevent them from being entirely exposed in the event of a data breach and not stored in text.
This article examines how modern cybercriminals attempt to break hashed passwords, explores typical encoding systems and their constraints, and discusses measures you can take to protect your hashed passwords, regardless of the encoding engine you are using.
Modern password cracking techniques
Malicious actors have a variety of tools and techniques at their disposal for hashed password cracking. Some of the more widely used methods include brute force attacks, password dictionary attacks, hybrid attacks, and mask attacks.
Brute force attacks
Excessive, forceful trial and error attempts to gain account access are a part of a . Malicious actors use specialized tools to test password combinations repeatedly until a working combination is found. Despite being relatively simple, s are still effective when carried out with sophisticated computer hardware like graphics processing units ( GPUs ) and password cracking software.
Password dictionary attack
As its name suggests, a password dictionary attack uses word extraction techniques to forcefully alter password combinations until they arrive at a working combination. The dictionary contents may contain every common word, specific word lists, and word combinations, as well as word derivatives and permutations with alphanumeric and non-alphanumeric characters ( e. g., substituting an” a” with a” @” ). Additionally, passwords and keyphrases that have previously been leaked in data breaches might be included in password dictionary attacks.
Hybrid attacks
To achieve better attack agility and effectiveness, a combines brute force with dictionary-based techniques. A malicious actor may incorporate techniques that incorporate both numerical and non-alphanumeric character combinations using a dictionary word list of commonly used credentials, for instance.
Mask attacks
In some cases, malicious actors may know of specific password patterns or parameters/requirements. With this information, they can use mask attacks to lessen the number of iterations and attempts in their cracking attempts. Mask attacks use brute force to check password attempts that match a specific pattern ( e. g., eight characters, start with a capital letter, and end with a number or special character ).
How do hashing algorithms protect against hacking techniques?
Hashing algorithms are used in a wide range of security applications, from file integrity monitoring to password storage and digital signatures. Hashing is a far superior method for storing passwords in plaintext, despite its shortcomings as a secure method. With hashed passwords, you can be certain that even if cybercriminals gain access to password databases, they are unable to easily read or use them.
Hashing, by design, significantly reduces an attacker’s ability to crack passwords, acting as a crucial deterrent because it requires so much time and resources that it makes it difficult for them to concentrate on more difficult targets.
Can hackers crack hashing algorithms?
Because hashing algorithms are one-way functions, the only method to compromise hashed passwords is through brute force techniques. Cyber attackers employ special hardware like GPUs and cracking software ( e. g., Hashcat, L0phtcrack, John The Ripper ) to execute brute force attacks at scale—typically millions or billions or combinations at a time.
Even with these advanced, purpose-built cracking tools, the specific hashing algorithm used and the combination of password length and character length can affect the time it takes to crack a password can dramatically vary. For example, long, complex passwords can take thousands of years to crack while short, simple passwords can be cracked immediately.
used Hashcat software to find the following cracking benchmarks on researchers using a Nvidia RTX 4090 GPU.
MD5
Once considered an industrial strength hashing algorithm, MD5 is now considered cryptographically deficient due to its various security vulnerabilities, that said, it remains one of the most widely used hashing algorithms. For example, the popular CMS WordPress still uses MD5 by default, this accounts for approximately 43.7 % of CMS-powered websites.
With readily available GPUs and cracking software, attackers can instantly crack numeric passwords of 13 characters or fewer secured by MD5’s 128-bit hash, on the other hand, an 11-character password consisting of numbers, uppercase/lowercase characters, and symbols would take 26.5 thousand years.
SHA256
The National Security Agency ( NSA ) and the National Institute of Standards and Technology ( NIS ) have developed the Secure Hash Algorithm 2 ( SHA-2 ) group of hashing functions, which includes the . As an update to the flawed SHA-1 algorithm, SHA256 is considered a robust and highly secure algorithm suitable for today’s security applications.
When used with long, complex passwords, SHA256 is nearly impenetrable using brute force methods — an 11 character SHA256 hashed password using numbers, upper/lowercase characters, and symbols takes 2052 years to crack using GPUs and cracking software. However, attackers can instantly crack nine character SHA256-hashed passwords consisting of only numeric or lowercase characters.
Bcrypt
For modern security applications, security experts believe that both SHA256 and bcrypt are strong enough hashing algorithms. Unlike SHA256, bcrypt strengthens its hashing mechanism by using salting. By adding a random piece of data to each password hash to ensure that it is unique, bcrypt makes passwords extremely resilient to dictionary and brute force attempts. Additionally, bcrypt employs a cost factor that determines the number of iterations to run the algorithm.
Bcrypt is extremely resistant to dictionary and brute force attacks due to the combination of salt and cost factoring. A cyber attacker using GPUs and cracking software would take 27, 154 years to crack an eight-character password consisting of numbers, uppercase/lowercase letters, and symbols hashed by bcrypt. However, numeric or lowercase-only bcrypt passwords under eight characters are trivial to crack, taking between a matter of hours to a few seconds to compromise.
How do hackers get around hashing algorithms?
Regardless of the hashing algorithm, the common vulnerability is short and simple passwords. Long, complex passwords that incorporate numbers, uppercase and lowercase letters, and symbols are the ideal formula for password strength and resilience. However, password reuse remains a significant issue, just one shared password, no matter how strong, stored in plaintext on a poorly secured website or service, can give cyber attackers access to sensitive accounts.
In contrast to attempting to crack lengthy, complex passwords secured with modern hashing algorithms, cyber attackers are more likely to obtain breached credentials and exposed password lists from the dark web. Cracking a long password hashed with bcrypt is virtually impossible, even with purpose-built hardware and software. However, it is quick and effective to use a known compromised password.
routinely checks your Active Directory against a growing database of over 4 billion unique compromised passwords to protect your organization from password breaches. Contact us for a free trial.
Found this article interesting? One of our valued partners contributed to this article. To read more exclusive content we post, follow us on and Twitter.