Our password hashing has no clothes

Many of us rely on the use of salt in the belief it will make our passwords “secure” when hashed with a variant of the SHA algorithm. Unfortunately, processing power has progress to the point where even salted hashes are now near useless, particularly when using a GPU in an attempt to crack them. This article shows how salted SHA1 hashes generated by the ASP.NET membership provider can easily be broken using hashcat and a fast graphics card. It graphically demonstrates that using any SHA algorithm – even with a salt – is now next to useless.