With all the noise about password security going around, there is bound to be some accidental leakage of the phrase “password hashes”. This post is about what they are, and how password cracking works with password hashes.
What Is A Password Hash?
Whenever you set a password in almost any computer system – including all those web sites, the password is “hashed” so nobody can see it. This involves applying a function to the password to generate a string that is supposedly unique (i.e. no other string can generate that second string); this is known as “hashing” for reasons to do with earlier uses for such functions.
This hash is stored and when you try to login, the password you login with is hashed and compared with the stored hash. If the two hashes are identical, then it is assumed that you have provided the correct password.
A hash will look something like :-
Different hashes will look slightly different, but to anyone other than someone who spends far too much time staring at password hashes, the differences are not especially noticeable And irrelevant. Password hashes :-
- Are the same length for every password – a one character password generates a hash of the same length as a 26-character password.
- Tell you nothing about the password itself – there is no information contained within the hash that can be used to determine any facts about the original password.
- Cannot be decrypted. Hashing is a one-way function that eliminates the original password.
So how can attacker find out what your password is ?
How Passwords Can Be Cracked
If an attacker obtains access to a collection of password hashes – perhaps by breaking into a website and sending the relevant file elsewhere – they can attempt to “crack” the passwords.
If the attacker knows what the hash function is, they can generate a sequence of possible passwords and generate the password hash for each one. If they find a match between one of their generated hashes, and the “real” hash, they will know what the original password is.
Generating every single possible password hash sounds like a tough job, and whilst it is a tough job, computers have become sufficiently fast that it is perfectly possible to generate password hashes for every single possible password between 6-9 characters in length depending on the precise hashing algorithm used and what hardware is available to run the cracking job. Using graphics cards to accelerate password hash generation is quite common, and accelerates the work very significantly.
There is another method which involves working through a list of possible passwords based on words generating password hashes. With the right candidate word list, and the right set of rules for “morphing” each word (such as “word” -> “words”, “word” -> “w0rd”, “word” -> “drow”, etc.), it is possible to crack most passwords in a relatively short amount of time. People often assume that a password with a small amount of obfuscation (changing “l” to “1″, “o” to “0″, adding numbers to the end of the word, etc.) will make cracking their password far harder. That is not really so – people who crack passwords know about all the word mangling that people might choose to use (and a great deal more), and go out of their way to include rules to apply modifications to normal words.
“Salting” the Hash
As described so far, it would be possible to pre-compute all the possible password hashes and simply do a comparison against the pre-computed tables to quickly find passwords. In fact it is possible to download “rainbow tables” containing these pre-computed hashes and use those to break passwords stored in very weak password hashes. Of course this problem has been known about for decades, and the solution that was found for the Unix password file of the 1970s has been widely implemented to make rainbow tables less feasible.
The solution is known as “salt” and consists of adding additional information to the original password, so an attacker (for a 12-bit salt) has to generate 4096 different password hashes for each candidate password. Of course modern salts are much longer so the number of hashes to generate for each candidate password is far higher.
Any decent authentication system will “salt the hash” with the intention of making it harder to perform password cracking, but password cracking still works.