Creating strong passwords? Securing Passwords? Cracking Passwords?

by Security Dude


Today’s learning stems from a discussion with Corey and Nimi about trying to understand and explain MD5 and SHA-1 versus salted, hashed passwords. I found two articles that helped me solidify my easy explanation of basic crypto hashing. Troy Hunt’s blog post and an article on GPU cracking were enough for me to get this blog post started.

Don’t use “homemade crypto”.

Every developer needs to store, use, handle or process “secrets”. I have audited several applications, and in half of those application security audits I found that the developers had not properly treated crypto as a key requirement in their functional specification or design documents. It was trivial to dump and decrypt the passwords found in the database. This leads me to discussions of database security, application security and the SDL. I digress…

Cracking passwords is easy thanks to GPUs and hashcat

I bought an AMD 7970 GPU to understand more about what goes into cracking hashes. I used hashcat, a password-cracking program that runs on the 7970’s GPU. Hashcat and the 7970 can generate up to 4.7393 billion hashes per second. Here is what a brute-force run looks like: the cracker hashes each candidate guess in turn and compares the result with the stored value.

SHA1(salt + “aaaaaa”)
SHA1(salt + “aaaaab”)
SHA1(salt + “aaaaac”)

OWASP is an organization that was created out of a demand for application security guidance for the infosec industry. I have been part of OWASP since 2006. Here is their guidance on password storage.

Passwords are secrets that only the account owner should know. For the system that uses these passwords to authenticate its users, there is no reason to decrypt them under any circumstances. It is crucial that passwords are stored in a way that allows them to be verified but not reversed in any way, even by insiders.

Standard Hash Iteration Approaches:
bcrypt implementations
PBKDF2 implementations

Rule 1: Use a Modern Hash Algorithm

Rule 2: Use a Long Cryptographically Random Per-User Salt

Rule 3: Iterate the hash
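The three rules above, applied in a short Python example added here (not code from the original post or from OWASP): the weak unsalted SHA-1 scheme beside a salted, iterated PBKDF2 scheme, with verification done in constant time. The record format, iteration count and function names are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example; raise ITERATIONS until one hash costs tens of ms on your hardware.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast SHA-1 pass, no salt. Equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Rules 2 and 3: random per-user salt plus iterated PBKDF2-HMAC (Rule 1: a modern hash inside).

    Returns a self-describing record "pbkdf2_<hash>$<iterations>$<salt hex>$<digest hex>"
    so the iteration count can be raised later without breaking verification of old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # cryptographically random, generated per user
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salting_demo(password: str = "aaaaaa") -> dict:
    """Two users pick the same password. Unsalted SHA-1 exposes that; salted records do not."""
    unsalted = (sha1_unsalted(password), sha1_unsalted(password))
    salted = (hash_password(password), hash_password(password))
    return {
        "unsalted_digests_equal": unsalted[0] == unsalted[1],
        "salted_records_equal": salted[0] == salted[1],
        "both_salted_verify": all(verify_password(password, r) for r in salted),
    }


if __name__ == "__main__":
    print(salting_demo())
```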