Friday October 2nd

Thursday October 1st

Our password hashing has no clothes

Many of us rely on the use of salt in the belief it will make our passwords “secure” when hashed with a variant of the SHA algorithm. Unfortunately, processing power has progressed to the point where even salted hashes are now near useless, particularly when a GPU is used in an attempt to crack them. This article shows how salted SHA1 hashes generated by the ASP.NET membership provider can easily be broken using hashcat and a fast graphics card. It graphically demonstrates that using any SHA algorithm – even with a salt – is now next to useless.


Password security is incredibly important, and a detail overlooked by many coders. This also demonstrates that even recommended settings, present in the Visual Studio templates, are not secure by default.

Awesome post, very thorough and usable.
