Our password hashing has no clothes

added by troyhunt
6/26/2012 10:12:08 AM

8 Kicks, 370 Views

Many of us rely on the use of salt in the belief it will make our passwords “secure” when hashed with a variant of the SHA algorithm. Unfortunately, processing power has progressed to the point where even salted hashes are now near useless, particularly when using a GPU in an attempt to crack them. This article shows how salted SHA1 hashes generated by the ASP.NET membership provider can easily be broken using hashcat and a fast graphics card. It graphically demonstrates that using any SHA algorithm – even with a salt – is now next to useless.


6/26/2012 10:13:15 AM
Password security is incredibly important, and a detail overlooked by many coders. This also demonstrates that even recommended settings, present in the Visual Studio templates, are not secure by default.

6/26/2012 2:27:01 PM
Awesome post, very thorough and usable.