While passwords remain the first line of defense for protecting user accounts against unauthorized access, the methods for creating strong passwords and protecting them are continually evolving. For example, NIST password recommendations are now prioritizing password length over complexity. Hashing, however, remains a non-negotiable. Even long secure passphrases should be hashed to prevent them from being completely exposed in the event of a data breach – and never stored in plaintext.
This article examines how today’s cyber attackers attempt to crack hashed passwords, explores common hashing algorithms and their limitations, and discusses measures you can take to protect your hashed passwords, regardless of which algorithm you are using.
Modern password cracking techniques
Malicious actors have an array of tools and methods at their disposal for cracking hashed passwords. Some of the more widely used methods include brute force attacks, password dictionary attacks, hybrid attacks, and mask attacks.
Brute force attacks
A brute force attack involves excessive, forceful trial and error attempts to gain account access. Malicious actors employ specialized tools to systematically test password variations until a working combination is discovered. Although unsophisticated, brute force attacks are highly effective using password cracking software and high-powered computing hardware like graphics processing units (GPUs).
Password dictionary attack
As its name implies, a password dictionary attack systematically draws words from a dictionary to brute force password variations until finding a working combination. The dictionary contents may contain every common word, specific word lists, and word combinations, as well as word derivatives and permutations with alphanumeric and non-alphanumeric characters (e.g., substituting an “a” with a “@”). Password dictionary attacks may also contain previously leaked passwords or key phrases exposed in data breaches.
Hybrid attacks
A hybrid password attack combines brute force with dictionary-based methods to achieve better attack agility and efficacy. For example, a malicious actor may use a dictionary word list of commonly used credentials with techniques that integrate numerical and non-alphanumeric character combinations.
Mask attacks
In some cases, malicious actors may know of specific password patterns or parameters/requirements. This knowledge allows them to use mask attacks to reduce the number of iterations and attempts in their cracking efforts. Mask attacks use brute force to check password attempts that match a specific pattern (e.g., eight characters, start with a capital letter, and end with a number or special character).
How hashing algorithms protect against cracking methods
Hashing algorithms are a mainstay across a myriad of security applications, from file integrity monitoring to digital signatures and password storage. And while it’s not a foolproof security method, hashing is vastly better than storing passwords in plaintext. With hashed passwords, you can ensure that even if cyber attackers gain access to password databases, they cannot easily read or exploit them.
By design, hashing significantly hampers an attacker’s ability to crack passwords, acting as a critical deterrent by making password cracking so time and resource intensive that attackers are likely to shift their focus to easier targets.
Can hackers crack hashing algorithms?
Because hashing algorithms are one-way functions, the only method to compromise hashed passwords is through brute force techniques. Cyber attackers employ special hardware like GPUs and cracking software (e.g., Hashcat, L0phtcrack, John The Ripper) to execute brute force attacks at scale—typically millions or billions or combinations at a time.
Even with these sophisticated purpose-built cracking tools, password cracking times can vary dramatically depending on the specific hashing algorithm used and password length/character combination. For example, long, complex passwords can take thousands of years to crack while short, simple passwords can be cracked immediately.
The following cracking benchmarks were all found by Specops on researchers on a Nvidia RTX 4090 GPU and used Hashcat software.
MD5
Once considered an industrial strength hashing algorithm, MD5 is now considered cryptographically deficient due to its various security vulnerabilities; that said, it remains one of the most widely used hashing algorithms. For example, the popular CMS WordPress still uses MD5 by default; this accounts for approximately 43.7% of CMS-powered websites.
With readily available GPUs and cracking software, attackers can instantly crack numeric passwords of 13 characters or fewer secured by MD5’s 128-bit hash; on the other hand, an 11-character password consisting of numbers, uppercase/lowercase characters, and symbols would take 26.5 thousand years.
SHA256
The SHA256 hashing algorithm belongs to the Secure Hash Algorithm 2 (SHA-2) group of hashing functions designed by the National Security Agency (NSA) and released by the National Institute of Standards and Technology (NIST). As an update to the flawed SHA-1 algorithm, SHA256 is considered a robust and highly secure algorithm suitable for today’s security applications.
When used with long, complex passwords, SHA256 is nearly impenetrable using brute force methods— an 11 character SHA256 hashed password using numbers, upper/lowercase characters, and symbols takes 2052 years to crack using GPUs and cracking software. However, attackers can instantly crack nine character SHA256-hashed passwords consisting of only numeric or lowercase characters.
Bcrypt
Security experts consider both SHA256 and bcrypt as sufficiently strong hashing algorithms for modern security applications. However, unlike SHA256, bcrypt bolsters its hashing mechanism by employing salting—by adding a random piece of data to each password hash to ensure uniqueness, bcrypt makes passwords highly resilient against dictionary or brute force attempts. Additionally, bcrypt employs a cost factor that determines the number of iterations to run the algorithm.
This combination of salt and cost factoring makes bcrypt extremely resistant to dictionary and brute force attacks. A cyber attacker using GPUs and cracking software would take 27,154 years to crack an eight-character password consisting of numbers, uppercase/lowercase letters, and symbols hashed by bcrypt. However, numeric or lowercase-only bcrypt passwords under eight characters are trivial to crack, taking between a matter of hours to a few seconds to compromise.
How do hackers get around hashing algorithms?
Regardless of the hashing algorithm, the common vulnerability is short and simple passwords. Long, complex passwords that incorporate numbers, uppercase and lowercase letters, and symbols are the ideal formula for password strength and resilience. However, password reuse remains a significant issue; just one shared password, no matter how strong, stored in plaintext on a poorly secured website or service, can give cyber attackers access to sensitive accounts.
Consequently, cyber attackers are more likely to obtain breached credentials and exposed password lists from the dark web rather than attempting to crack long, complex passwords secured with modern hashing algorithms. Cracking a long password hashed with bcrypt is virtually impossible, even with purpose-built hardware and software. But using a known compromised password is instant and effective.
To protect your organization against breached passwords, Specops Password Policy continuously scans your Active Directory against a growing database of over 4 billion unique compromised passwords. Get in touch for a free trial.
https://thehackernews.com/2025/01/how-long-does-it-take-hackers-to-crack.html
