0

Let us imagine a situation where a company stores its user passwords (let's ignore salts, etc for now) using some hash (say sha256) and the company gets breached. All of the username and password details are now public. The passwords are hashed, thanks to the hashing algorithm.

Now someone with ill intent gets their hands on that credential database. Looking at the hashes, they identify the hash. Now what they do is check the minimum required password length (from the user registration page) and create a new word list of all the possible passwords in that range in their hashed format. That is, they now have an equivalent wordlist but in an already hashed format.

  1. Is it totally pointless to create such a hashed wordlist?
  2. Would it help saving time in cracking passwords in the long run?
schroeder
  • 123,438
  • 55
  • 284
  • 319
xplo1t
  • 1
  • 1

1 Answers1

0

There are a few pointy to consider here.

  1. When storing passwords yourself you should take a look at this cheat sheet to do it properly: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

  2. It is considered bad practice to just hash a password with SHA-256. SHA-256 is designed to be fast, that is not a property that is desired for a password hashing function. See the cheat sheet above for recommendations.

  3. When storing the hash of a password you usually want to add a salt to. This is what prevents the attack that you are suggesting, so I don't see why you want to "ignore shings like salt etc.". The salt for two different passwords is most likely different, therefore the attacker can only crack the passwords one by one as he needs to append the salt to the beginning of the password.

So yes, if the passwords were not salted this could be done, at least in theory. It would be considered a "brute-force-attack" and you would need a lot of computation time to get to the longer passwords, 8 character passwords should be cracked in no time though.

Gamer2015
  • 707
  • 4
  • 12
  • 1
    You have not understood the question ... It's not about hashing the passwords, it's about cracking the passwords. That makes everything but the last paragraph on-topic. – schroeder Jun 11 '21 at 13:43
  • @schroeder Thank you for the feedback, it was my first attempt at giving back to the community for all the input I have gotten so far. I hope I learn from your comment and I'll try to improve the quality of my answers as time goes on – Gamer2015 Jun 11 '21 at 13:54
  • Yes, the last paragraph is the only one to _directly_ answer the OP's question, but explaining the context of why that question is flawed seems appropriate – TripeHound Jun 11 '21 at 14:00