Password Hacking – 3. Password Hash
Passwords are most often stored in their plaintext format or in their hashed value format in a file system or in a database. If your password was “password” and it was stored as just “password” this would be an example of your password stored in its plaintext form. So if you could extract the password list from your victim and the passwords were stored in their plaintext form, then you have no need to crack anything because you already know the passwords. Da tu du! But if you extracted the list of passwords or dumped the database of passwords, and they were stored in their hashed values, then it’s crackin’ time! But before we go any further, let’s look at the basics.
What is a password hash?
A password hash is the password after it has gone through a one-way mathematical process, or algorithm, producing a completely different string. So let’s say your password is “password” and you run it through the MD5 algorithm, one of the many cryptographic hash functions out there; your final outcome will be 5f4dcc3b5aa765d61d8327deb882cf99. There is no practical way of turning that hash back into the word “password”. The only way to reproduce that string is either to know the word and run it through the same hash function, or to try to crack it, which is essentially the same thing.
The Login Process
Before you can log in to one of your many password/username protected websites, you must first create your login details. So what happens when you create your login details and hit submit? It’s pretty simple. Most websites run your password through a cryptographic hash function like the one mentioned above and then store it in a database. Here is an example of how a PHP script would hash your password before it stores it in a database.
$Password = MD5($_POST['password']);
In the above PHP line, the script takes the password you submitted via $_POST and runs it through the MD5() cryptographic hash function, which transforms the submitted password into its MD5 hash value. Then the hash is stored in the variable $Password, which is later stored in the database.
Now that you have your login details created, next time you go to login, the PHP script will take the password you submitted, run it through the hash function, and compare it to the hash stored in the database. If the two hashes match, it means that the password submitted is the same password stored in the user database, so the website will log you in. Here’s an example in pseudo-code.
if (md5($Submitted_Password) === $Stored_Password_Hash) { /* log the user in */ }
What is a password salt?
No, it’s not the type of salt that stings your eyes when you open them in the ocean because you thought you saw some sort of sea creature next to your legs and then find out it’s just a shell, until you get your head out of the water and that “shell” starts chomping on your big toe, causing you to scream like a three year old girl and splash around like a dying fish on the shore. True story. Password salts are completely different, even if they have the same effect on password crackers.
A password salt is a string that is added on to a user’s password before it is hashed. This string could be anything: the user’s username, the exact time the user signed up, or something completely random.
The point of a password salt is to make a password more secure by making it much harder to crack. It does this by making the password longer, and by making each password hash different from every other, even if the password is the same.
For example, if the password was “123456”, the final hash would be MD5("random-salt" + "123456"), so even if someone else used that same password, their salt would be different, which would result in a different password hash. This way, if the attacker cracks a password, he wouldn’t be able to find every other user with the same password because their hashes would be different.
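As an added example (not code from the original post), here is the registration and login flow described above written in Python, first without a salt and then with one, so you can see why two users with the same password end up with identical hashes unless a salt is mixed in. MD5 is used only to match the post’s examples; the dict standing in for the user database and all helper names are my own assumptions.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """MD5 hex digest of a string, as the post's PHP md5() would produce."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def register_unsalted(db: dict, username: str, password: str) -> None:
    """Store only md5(password); every user with this password gets the same hash."""
    db[username] = {"salt": "", "hash": md5_hex(password)}


def register_salted(db: dict, username: str, password: str) -> None:
    """Store a random per-user salt alongside md5(salt + password)."""
    salt = secrets.token_hex(8)          # 16 hex chars, unique per user
    db[username] = {"salt": salt, "hash": md5_hex(salt + password)}


def login(db: dict, username: str, password: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    record = db.get(username)
    if record is None:
        return False
    candidate = md5_hex(record["salt"] + password)
    # compare_digest avoids leaking timing information during the comparison
    return hmac.compare_digest(candidate, record["hash"])


def shared_hash_groups(db: dict) -> list:
    """Defender's check: list groups of users whose stored hashes are identical.
    Any group here means one crack reveals every member's password."""
    by_hash = {}
    for user, record in db.items():
        by_hash.setdefault(record["hash"], []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    plain, salted = {}, {}
    for user in ("alice", "bob"):                 # constructed sample users
        register_unsalted(plain, user, "123456")
        register_salted(salted, user, "123456")
    print("unsalted duplicates:", shared_hash_groups(plain))   # [['alice', 'bob']]
    print("salted duplicates:  ", shared_hash_groups(salted))  # []
    print("bob logs in:", login(salted, "bob", "123456"))      # True
```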
We’ll get more into salts once you learn more about password cracking.