Password Hash Cracker

/ Comments off
  1. Crack Password Hash Online
  2. Hashcat Ntlm

Let’s break down the command:. Hashcat.exe: This is the path to the program that we’re running. In this case, we’re running hashcat.exe, which is.m 0 tells hashcat that it’s going to be cracking MD5 passwords. Hashcat assigns each supported algorithm a number that.a 0 tells hashcat that. Code Issues Pull requests. Durvasav is a bruteforce password cracker (BfPC) written in C. Openssl bruteforce md5 sha1 sha256 hashes md4 sha512 sha384 sha224 password-cracker bruteforce-password-cracker wirdlist-generator sha0. Updated on Sep 27, 2018. Hash length should be 65 bytes - Can be used to obtain the correct case for the password. Check out our current table hashset! Due to abuse, the cracker has been closed to the public. We tried, we really did. Offsec students will find the priority code in their Control Panel. Submit Your Hash. Hashstack ™ is the ultimate password cracking software stack, designed and developed by the world's top password crackers for true password cracking professionals, and exclusively available on Terahash ® turn-key password cracking appliances. Optimized Workflow. Modeled after Team Hashcat's own workflows, Hashstack ™ works the way you work and is designed with team collaboration at the.

Passwords are the most commonly used method for user authentication. Passwords are so popular because the logic behind them makes sense to people and they’re relatively easy for developers to implement.

However, passwords can also introduce security vulnerabilities. Password crackers are designed to take credential data stolen in a data breach or other hack and extract passwords from it.

What is password cracking?

A well-designed password-based authentication system doesn’t store a user’s actual password. This would make it far too easy for a hacker or a malicious insider to gain access to all of the user accounts on the system.

Instead, authentication systems store a password hash, which is the result of sending the password — and a random value called a salt — through a hash function. Hash functions are designed to be one-way, meaning that it is very difficult to determine the input that produces a given output. Since hash functions are also deterministic (meaning that the same input produces the same output), comparing two password hashes (the stored one and the hash of the password provided by a user) is almost as good as comparing the real passwords.

Password cracking refers to the process of extracting passwords from the associated password hash. This can be accomplished in a few different ways:

  • Dictionary attack: Most people use weak and common passwords. Taking a list of words and adding a few permutations — like substituting $ for s — enables a password cracker to learn a lot of passwords very quickly.
  • Brute-force guessing attack: There are only so many potential passwords of a given length. While slow, a brute-force attack (trying all possible password combinations) guarantees that an attacker will crack the password eventually.
  • Hybrid attack: A hybrid attack mixes these two techniques. It starts by checking to see if a password can be cracked using a dictionary attack, then moves on to a brute-force attack if it is unsuccessful.

Most password-cracking or password finder tools enable a hacker to perform any of these types of attacks. This post describes some of the most commonly used password-cracking tools.

1. Hashcat

Hashcat is one of the most popular and widely used password crackers in existence. It is available on every operating system and supports over 300 different types of hashes.

Hashcat enables highly-parallelized password cracking with the ability to crack multiple different passwords on multiple different devices at the same time and the ability to support a distributed hash-cracking system via overlays. Cracking is optimized with integrated performance tuning and temperature monitoring.

Download Hashcat here.

2. John the Ripper

John the Ripper is a well-known free open-source password cracking tool for Linux, Unix and Mac OS X. A Windows version is also available.

John the Ripper offers password cracking for a variety of different password types. It goes beyond OS passwords to include common web apps (like WordPress), compressed archives, document files (Microsoft Office files, PDFs and so on), and more.

A pro version of the tool is also available, which offers better features and native packages for target operating systems. You can also download Openwall GNU/*/Linux that comes with John the Ripper.

Download John the Ripper here.

3. Brutus

Brutus is one of the most popular remote online password-cracking tools. It claims to be the fastest and most flexible password cracking tool. This tool is free and is only available for Windows systems. It was released back in October 2000.

Brutus supports a number of different authentication types, including:

  • HTTP (basic authentication)
  • HTTP (HTML Form/CGI)
  • POP3
  • FTP
  • SMB
  • Telnet
  • IMAP
  • NNTP
  • NetBus
  • Custom protocols

It is also capable of supporting multi-stage authentication protocols and can attack up to sixty different targets in parallel. It also offers the ability to pause, resume and import an attack.

Brutus has not been updated for several years. However, its support for a wide variety of authentication protocols and ability to add custom modules make it a popular tool for online password cracking attacks.

Get the Brutus password finder online here.

4. Wfuzz

Wfuzz is a web application password-cracking tool like Brutus that tries to crack passwords via a brute-force guessing attack. It can also be used to find hidden resources like directories, servlets and scripts. Wfuzz can also identify injection vulnerabilities within an application such as SQL injection, XSS injection and LDAP injection.

Key features of the Wfuzz password-cracking tool include:

  • Injection at multiple points in multiple directories
  • Output in colored HTML
  • Post, headers and authentication data brute-forcing
  • Proxy and SOCK support, multiple proxy support
  • Multi-threading
  • HTTP password brute-force via GET or POST requests
  • Time delay between requests
  • Cookie fuzzing

5. THC Hydra

THC Hydra is an online password-cracking tool that attempts to determine user credentials via brute-force password guessing attack. It is available for Windows, Linux, Free BSD, Solaris and OS X.

THC Hydra is extensible with the ability to easily install new modules. It also supports a number of network protocols, including Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Download THC Hydra here.

If you are a developer, you can also contribute to the tool’s development.

6. Medusa

Medusa is an online password-cracking tool similar to THC Hydra. It claims to be a speedy parallel, modular and login brute-forcing tool. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet.

Medusa is a command-line tool, so some level of command-line knowledge is necessary to use it. Password-cracking speed depends on network connectivity. On a local system, it can test 2,000 passwords per minute.

Medusa also supports parallelized attacks. In addition to a wordlist of passwords to try, it is also possible to define a list of usernames or email addresses to test during an attack.

Read more about this here.

Download Medusa here.

7. RainbowCrack

All password-cracking is subject to a time-memory tradeoff. If an attacker has precomputed a table of password/hash pairs and stored them as a “rainbow table,” then the password-cracking process is simplified to a table lookup. This threat is why passwords are now salted: adding a unique, random value to every password before hashing it means that the number of rainbow tables required is much larger.

RainbowCrack is a password cracking tool designed to work using rainbow tables. It is possible to generate custom rainbow tables or take advantage of preexisting ones downloaded from the internet. RainbowCrack offers free downloads of rainbow tables for the LANMAN, NTLM, MD5 and SHA1 password systems.

Download rainbow tables here.

A few paid rainbow tables are also available, which you can buy from here.

This tool is available for both Windows and Linux systems.

Download RainbowCrack here.

8. OphCrack

OphCrack is a free rainbow table-based password cracking tool for Windows. It is the most popular Windows password cracking tool but can also be used on Linux and Mac systems. It cracks LM and NTLM hashes. For cracking Windows XP, Vista and Windows 7, free rainbow tables are also available.

A live CD of OphCrack is also available to simplify the cracking. One can use the Live CD of OphCrack to crack Windows-based passwords. This tool is available for free.

Download OphCrack here.

Download free and premium rainbow tables for OphCrack here.

9. L0phtCrack

L0phtCrack is an alternative to OphCrack. It attempts to crack Windows passwords from hashes. For cracking passwords, it uses Windows workstations, network servers, primary domain controllers and Active Directory. It also uses dictionary and brute-force attacks for generating and guessing passwords. It was acquired by Symantec and discontinued in 2006. Later, L0pht developers again reacquired it and launched L0phtCrack in 2009.

L0phtCrack also comes with the ability to scan routine password security scans. One can set daily, weekly or monthly audits, and it will start scanning at the scheduled time.

Learn about L0phtCrack here.

Password Hash Cracker

10. Aircrack-ng

Aircrack-ng is a Wi-Fi password-cracking tool that can crack WEP or WPA/WPA2 PSK passwords. It analyzes wireless encrypted packets and then tries to crack passwords via the dictionary attacks and the PTW, FMS and other cracking algorithms. It is available for Linux and Windows systems. A live CD of Aircrack is also available.

Password Hash Cracker

Aircrack-ng tutorials are available here.

Download Aircrack-ng here.

How to create a password that’s hard to crack

In this post, we have listed 10 password-cracking tools. These tools try to crack passwords with different password-cracking algorithms. Most of the password cracking tools are available for free. So, you should always try to have a strong password that is hard to crack. These are a few tips you can try while creating a password.

  • The longer the password, the harder it is to crack: Password length is the most important factor. The complexity of a brute force password guessing attack grows exponentially with the length of the password. A random seven-character password can be cracked in minutes, while a ten-character one takes hundreds of years.
  • Always use a combination of characters, numbers and special characters: Using a variety of characters also makes brute-force password-guessing more difficult, since it means that crackers need to try a wider variety of options for each character of the password. Incorporate numbers and special characters and not just at the end of the password or as a letter substitution (like @ for a).
  • Variety in passwords: Credential stuffing attacks use bots to test if passwords stolen from one online account are also used for other accounts. A data breach at a tiny company could compromise a bank account if the same credentials are used. Use a long, random, and unique password for all online accounts.

What to avoid while selecting your password

Cybercriminals and password cracker developers know all of the “clever” tricks that people use to create their passwords. A few common password mistakes that should be avoided include:

  1. Using a dictionary word: Dictionary attacks are designed to test every word in the dictionary (and common permutations) in seconds.
  2. Using personal information: A pet’s name, relative’s name, birthplace, favorite sport and so on are all dictionary words. Even if they weren’t, tools exist to grab this information from social media and build a wordlist from it for an attack.
  3. Using patterns: Passwords like 1111111, 12345678, qwerty and asdfgh are some of the most commonly used ones in existence. They’re also included in every password cracker’s wordlist.
  4. Using character substitutions: Character substitutions like 4 for A and $ for S are well-known. Dictionary attacks test for these substitutions automatically.
  5. Using numbers and special characters only at the end: Most people put their required numbers and special characters at the end of the password. These patterns are built into password crackers.
  6. Using common passwords: Every year, companies like Splashdata publish lists of the most commonly used passwords. They create these lists by cracking breached passwords, just like an attacker would. Never use the passwords on these lists or anything like them.
  7. Using anything but a random password: Passwords should be long, random, and unique. Use a password manager to securely generate and store passwords for online accounts.


Password-cracking tools are designed to take the password hashes leaked during a data breach or stolen using an attack and extract the original passwords from them. They accomplish this by taking advantage of the use of weak passwords or by trying every potential password of a given length.

Password finders can be used for a variety of different purposes, not all of them bad. While they’re commonly used by cybercriminals, security teams can also use them to audit the strength of their users’ passwords and assess the risk of weak passwords to the organization.

Introduction to Authentication

In this article we’re going to explore different authentication mechanisms. An authentication mechanism (or method) is a way for you to prove that you’re allowed to access something. Passwords have been the default method of authentication for as long as most of us have needed to prove to a computer that we’re allowed to access it. However, passwords are not the only authentication mechanism.

Password hash cracker online

Authentication Methods

Something you know: Examples of this are your good-old password, bank card PIN or a safe-word when the alarm company calls your home; these are all examples of using something you know to authenticate yourself.

Something you have: Examples are a swipe card to access a secure area, a code sent to your cellphone as part of a login process (to prove you have your cellphone) or a SecureID token that provides a constantly changing code you need to enter to gain access – all are something you have that can be used to authenticate yourself.

Something you are: This is where biometric security comes in. To access our data center we have to put our index finger on a fingerprint scanner after swiping a card. Unless you steal someone’s index finger you won’t be able to access our data center, even if you’ve stolen a valid swipe card. Other biometric systems include retinal scans (the blood vessels at the back of the eye) and iris scans (the colored part of the eye).

Other attributes used for authentication: A few other attributes that you occasionally see used for authentication are:

  • Somewhere you are. E.g. at a physical address able to receive snail mail.
  • Something you can do. E.g. accurately reproduce a signature.
  • Something you exhibit. E.g. a neurological trait that can be scanned by an MRI.
  • Someone you know. E.g. that can be validated by a social network graph or chain of trust.

Our focus in this article is passwords. Most of us see them as an inconvenience – something you have to tolerate to be able to use a service you need access to. In this article we’re going to explain how computer systems have evolved in the way they process your password, how modern online applications do authentication and why it’s important to choose a strong password. Once you finish reading this you should have a working knowledge of hashing algorithms, how password cracking works and what “strong password” really means.

Plain Text Passwords

In the early days of computers and mainframes, passwords were stored in a database as plain text. When you wanted to sign-in, a gatekeeper application would ask you for your password. It would take whatever you typed in and check if it was equal to whatever it had stored in the database and if true, you were granted access.

As the Internet evolved and grew, malicious hackers started gaining unauthorized access to systems. Once they were in, they would immediately download the plain-text password database and have instant access to all users passwords. Developers and systems administrators needed to come up with a solution to this problem and the solution they came up with was ‘password hashing’.

Introduction to Password Hashing

Hashing Algorithms

Crack password hash online

Think of a hashing algorithm as a machine. In one end you input any text or binary data. Out the other end you get a number that is a certain length – lets say 32 digits long in our example. The data you feed in can be any size, from a few bytes to many terrabytes or larger. No matter what data you feed in, you get a 32 digit number (in this example) that uniquely represents the data.

What is amazing about a hashing algorithm machine is that if you feed something identical in you get the same 32 digit number. If you feed in War and Peace, you get a number. If you copy the book verbatim and feed in exactly the same text, you get the same number. If you change a single character in the novel, you will get a completely different number.

Hashing algorithms differ in the way they work and the most notable difference is the length of the number each one spits out.

  • MD5 which is extremely popular spits out 128 binary digits.
  • SHA2 spits out 256 bits (or binary digits).

When system administrators and developers first encountered the security problems with password databases that stored as plain text, they turned to hashing algorithms for help. What they came up with is, instead of storing your password in a database, they would just store a hash of your password. That is, the number that a hashing algorithm generates when it operates on your password.

When a user changes their password, or when a user account is created, the new password is typed in for the first time, the computer security application takes that password and runs it through a hashing algorithm and stores the resulting number in a database. The next time you try to sign-in and enter your password, the security system runs the password you entered through the same hashing algorithm and checks if the resulting hash matches the hash in the database (a hash is the number that a hashing algorithm spits out). If they match, then you’re allowed in.

No longer are passwords stored in clear text in a database. If a hacker steals the user accounts database, they don’t automatically have all passwords, all they have is a list of hashes.

Hashes are Not Perfect

Storing hashes of passwords instead of passwords themselves was a major breakthrough in information security. The story unfortunately does not end there. Now that hashes are commonly used to authenticate users instead of plain-text passwords, a hacker does not immediately have a list of all passwords when they steal the user accounts database. However, there is a way for a hacker to steal hashes and turn them back into passwords.

The method is relatively simple. When a hacker steals a database of hashed passwords, to reverse engineer the hashes (convert them back to passwords) the hacker generates hashes from a dictionary of words he thinks might be the passwords that were used. If any of those hashes match what he has in the database, he has managed to reverse engineer a hash and now knows what the original password is.


For example, lets say you have stolen a password database and you have the hash of the password that ‘mark’ uses. You want to know the actual password for the ‘mark’ account, so you take the word “banana” and run it through the same hashing algorithm that the password database uses. You end up with a number and if the number matches the hash in the password database for user ‘mark’, you now know his password. If it doesn’t match then I try ‘pear’ and ‘apple’ and ‘ApplePear435’ and progressively more words and more complex word combinations.

So to crack a password you need to take a very large dictionary of passwords and hash each of them, then compare those hashes to what is in the password database you stole and when you get a match you know the original password.

The problem is that generating hashes of words takes time. Each word might take a few milliseconds to hash. So you need a very fast computer to do this. Or alternatively you can take a very large dictionary of well-known passwords, generate hashes from all the words and store the words and their hashes. Then every time you steal a password database you can just reuse that list of words and their hashes. You don’t need to recreate the hashes every time. All you need to do is match your list of hashes with hashes in the password database and where you get a match you’ve cracked the password.

What we’ve just described is called a “Rainbow Table”. Rainbow tables are a method commonly used by hackers to crack password databases that use ordinary hashing without any additional security. Rainbow table attacks on hashed password databases are very effective because they are fast. To help protect against these kinds of attacks, developers and system administrators came up with a technique called ‘Salting’ Passwords.

Understanding Password Hash Salting

How Salts Work

A rainbow table attack relies on a hacker being able to take a dictionary and pre-computed hashes of the words in that dictionary and compare those hashes to the hashes in a password database. To defeat rainbow tables, the information security community invented “salted hashes”. The concept is relatively simple:

When you create a new password, instead of just running the password on its own through a hashing algorithm, you do the following: Generate a random little piece of text. Put that text at the beginning of the password. Then run the combination of the little piece of text and the password through a hashing algorithm. Then you store the little piece of text (as plain text) and the resulting hash. That little piece of text is called a “Salt”.

When someone wants to sign in, they type their password. The security application takes the stored piece of text or Salt, puts it at the front of the password that was entered and runs it through the same hashing algorithm to get a hash. It compares the resulting hash with the hash stored in the database and if they match you are granted access.

It’s important to note that the salt or “little piece of text” is stored as plain text with the hash. It’s also important to note that the salt is random for each password. In other words every password has its own special little piece of text.

This is a relatively simple concept but it makes cracking hashed passwords significantly more difficult.

Why Salts Make Cracking More Difficult

Recall that rainbow tables are a dictionary of words and the hashes of those words. In the above example, we used salts (the little piece of text) combined with our password to generate hashes. If a hacker wants to crack passwords, he can’t use his rainbow table because the rainbow table is just a hash of individual words. He needs to combine those words with the stored salt to get the actual hash that is stored in the database.

That makes cracking passwords much harder because it means a hacker’s rainbow table is useless and it forces him to recompute hashes for every word in his dictionary.

Here’s an example of a password being created for someone called “good-guy”:

  1. The system administrator creates a new account on the system for a user called good-guy with password ‘apple’.
  2. The system automatically generates a short piece of text “yrtZd”.
  3. The system takes the short text and combines it with ‘apple’ to create the text “yrtZdapple”.
  4. It then runs “yrtZdapple” through a hashing algorithm and ends up with a 128 bit number.
  5. The system stores that number as the hashed password for good-guy’s account.

Here’s how “good-guy” signs in:

  1. ‘good-guy’ arrives at work and tries to sign-in. He types in ‘apple’ as his password.
  2. The system retrieves the record for the ‘good-guy’ account. That record is a hash and the text “yrtZd” which is a salt.
  3. The system combines the word “apple” that good-guy just typed in with the salt to make the text “yrtZdapple” and runs a hashing algorithm on that.
  4. The system checks to see if the hash it retrieved matches the hash it just generated, it does match and it allows ‘good-guy’ to access the system.

Here are the steps a hacker takes to crack good-guy’s salted password:

  1. A hacker arrives and manages to hack into the system and he steals the database of password hashes and salts.
  2. The hacker tries to use pre-computed hashes of words in his English dictionary. One of the hashes is of the word ‘apple’ but that doesn’t work because the hacker needs to combine the salt, which is ‘yrtZd’ with the word apple before he hashes it.
  3. The hacker realizes his pre-computed rainbow table is useless. He needs to combine the salt for good-guy’s password with every word in his dictionary and then see which hash matches. That means he needs to recalculate hashes for his entire dictionary which is going to take significantly longer.

As you can see from the above example it is possible to crack passwords that use salts. It just takes much longer and requires more processing time.

Hashed passwords that use salts are what most modern authentication systems use. It does not make a password uncrackable but it does slow down the cracking process because it forces a hacker to hash every password that they want to guess.

You now have a working knowledge of how modern password authentication works on systems like WordPress, Linux, Windows and many other systems. You also understand why salts are useful – because they prevent a hacker from very quickly cracking password hashes by using rainbow tables. Now that you understand the benefit of salted hashes it may seems obvious to you that everyone should use them when building authentication systems. Unfortunately they don’t – there are many examples of custom-built web applications out there that did not use salts – they just used plain old hashes and when they are hacked it is relatively easy to reverse engineer the passwords using rainbow tables.

GPUs and the Home Supercomputer

Because modern password cracking uses salts, if you want to use a dictionary of words to try to crack a password database, it means that you are going to be hashing every one of those words with a salt each time you want to make a guess. So it becomes useful to be able to do hashing fast.

It turns out that modern graphics processing hardware (GPUs or graphics processing units) is very good at hashing and can do it in parallel. Using an off-the-shelf high-end gaming graphics card you can hash passwords thousands of times faster than even the fastest CPU on the market. This has resulted in most competent hackers purchasing GPUs for password cracking or using an online GPU accelerated password cracking cluster.

In just a few seconds, a modern GPU can allow a hacker to make several million password guesses.

Many of the algorithms that are used for hashing, like MD5, were developed decades ago when CPUs were very slow and GPUs did not yet exist. To try to compensate for the increase in computational power we’ve experienced, developers of authentication systems have come up with something called “stretching”. What this does is take a hashing algorithm like MD5 and instead of running it once on the password and the salt, it runs it thousands of times. In other words, the system will generate a hash, then generate a hash of the hash, then generate a hash of the hash of the hash and so on for thousands of cycles.

The result is that when a password cracker wants to try to guess a password, for each guess they don’t just have to generate one hash, but thousands of hashes. This has the effect of slowing things down but it still isn’t enough.

WordPress uses salted hashes to store passwords using the MD5 hashing algorithm. It stretches MD5 by doing over 8000 rounds of MD5 to try and make password guessing more computationally intensive. But a modern GPU can guess WordPress passwords at a rate of 3.2 million guesses per second. That is quite amazing in terms of performance. When MD5 was developed and when salts were first invented, hashing lots of words to try and guess a password took a long time. You might get a few guesses every second. Now we can achieve 3.2 million guesses a second.

You now have a good understanding of how passwords are used on services like Gmail, Yahoo, on WordPress websites and most other services that use a password to authenticate you. You also have a reasonable understanding of how to crack passwords.

Why Strong Passwords are Important

If one of the services you use is compromised and hashed passwords are stolen, even a teenager in his bedroom with a gaming PC under $2000 can try to turn your hashed password into a plain text password at a rate of 3.2 million guesses per second and possibly much faster. When you consider that eHarmony, LinkedIn, Google and many other well known brands have been successfully hacked over the past few years, it is quite likely that a service you use will have its hashed passwords stolen some time in the near future.

This means that it is important to use passwords that are very difficult to crack. Any password with less than 12 characters is weak.

How Crackable Is a Given Password

You need to assume a service you’re using is run by reasonably competent system administrators and that they are, at a minimum, storing hashed passwords rather than plain-text. For safety sake assume they’re using a weak hashing algorithm. In this case we’ll assume 1 round of salted MD5. Note that we’re giving them the benefit of the doubt that they’re actually salting their passwords.

If your password is 9 characters of lowercase numbers and letters, that gives you 101,559,956,668,416 possible passwords. (36 to the power of 9).

At Wordfence, we have an 8 GPU cluster that can crack salted MD5 at a rate of 90.6 billion salted MD5 guesses per second. It will take us 1128 seconds or 18 minutes to crack your password if we are guessing every single combination of letter and number 9 characters long. We can do it faster than that if we exclude certain patterns.

Now you begin to understand why longer passwords are better. You also begin to see why you should not just use letters and numbers, but special characters too. Any password that uses just letters and numbers is weak. Here’s why:

If you have a password made of just 1’s and 0’s and it’s 4 digits long, you will have:

If you have a password made of the digits 0 to 9 (that is 10 possible characters) and it is 4 digits long you have:

Now if you instead build your password out of all lower-case letters, upper-case letters, numbers and a set of 10 symbols, you have 26 + 26 + 10 + 10 = 72 possible characters. So if you have a password that is just 4 characters long you now have:

As you can see, every time you increase the number of characters your password is made up of, you get a huge increase in the number of possible passwords, even though you keep the length at just 4 characters in our example.

You get 26 million possible passwords from just 4 characters if you use a wider range of characters in your password. That really illustrates how important it is to use upper-case, lower-case, numbers and symbols in your password.

If you now expand the length of your password to 12 characters, you have 72 to the power of 12 or 19,408,409,961,765,342,806,016. Even with our 8 GPU cluster it would take us 2495937 days or 6838 years to guess your password if we try every possible combination.

We would consider a 12-character password that uses random (see next paragraph) upper-case letters, lower-case letters, numbers and symbols to be a strong password. And to be clear, it is a strong password even if the service you’re using is storing passwords using 1 salted round of MD5 which is relatively weak. For comparison, WordPress uses over 8000 rounds of salted MD5 which of course makes it 8000 times slower for a hacker to crack WordPress passwords.

It is important to note that your password should be random characters and not made up of patterns like beginning or ending with a number or dictionary words. As soon as you introduce dictionary words and predictable patterns into passwords, they become significantly easier to guess because a password cracker can simply exclude everything that does not match a predictable pattern.

Crack Password Hash Online

As computers get faster at hashing, what will developers do?

If the trend over the last few years is anything to go by, reverse engineering hashed passwords back into their plain-text is going to keep getting faster at an increasing rate. The GPU cluster that we built to audit passwords for Wordfence customers is faster at hashing than the fastest computer on Earth in 2003. This is an illustration of how fast computing power is increasing.

The past 5 years has seen an explosion in purpose built hardware that does what a CPU would previously have been used for. The difference is that this hardware processes in parallel and is therefore much faster. The consumer gaming GPUs that we have discussed above contain over 2000 cores that can do calculations in parallel. Another area that has been fuel for innovation in parallel computing is Bitcoin mining hardware. You can buy ASICs and FPGAs which are both ways of creating an application on a chip – and both can perform tasks like hashing in a massively parallel fashion. Bitcoin miners use ASICs and FPGAs for mining and have driven the price of this hardware down. It can also be used to crack passwords in parallel and at very high speed.

If we assume that hardware will keep getting faster at an increasing rate, we need to focus on how we store passwords. Using hashing to store passwords is widespread and is the accepted solution for now.

Can we use better hashing algorithms?

In computer science we usually strive to make algorithms faster. Paradoxically, a better hashing algorithm for passwords is one that is slower, or computationally more expensive.

The benefit of a more expensive and slower hashing algorithm is that if you can slow down how long it takes to hash a password, you are slowing down how fast hackers can guess passwords. Algorithms like bcrypt let you specify “complexity” which affects the speed at which hashing occurs and therefore the speed at which guessing occurs.

Another useful algorithm is scrypt which is designed to make it difficult to do calculations in parallel. That means that a hacker can no longer use the 2000 cores in their GPU to try to crack your password at the same time. They instead need to make one guess at a time.

Hashcat Ntlm

These options are not without problems. Application developers like Facebook and Google want to provide useful services to you. They become popular and have 10s of thousands of customers that want to log in. If they use a hashing algorithm that takes say 5 seconds per hashed-password on a server, that means they need 5 servers just to allow 1 user per second. They would need 50,000 servers to be able to allow 10,000 users per second to sign-in. For Facebook that might be unacceptable and they may opt for a faster but weaker hashing algorithm.

There are a few interesting options to allow slower hashing without overloading servers that are being discussed in the information security community. One of them is quite simple and it’s called “server-relief”. The way server-relief works is it uses a slower hashing algorithm like bcrypt or scrypt, and actually does most of the hashing in your web browser when you are signing in. That uses your workstation’s CPU instead of the computing power of the servers belonging to the service that you are signing into.


A hash that took longer to calculate is then sent by your web browser to the server you are signing in to, which turns that into a salted SHA256 hash and stores it. The effect is that you used a CPU intensive hashing algorithm that might be hard to parallelize and is slower. Your web browser did most of the computation which saved valuable CPU cycles on the server you are signing in to. This would allow an authentication server to handle a large number of customers signing in and to use a computationally expensive hashing algorithm without getting overloaded.


That concludes our introduction to hashing and passwords. We have covered the history of password storage, why password hashing is used, what rainbow tables are and how salted passwords defeat a Rainbow Tables attack. We have also discussed how password cracking is done and how hardware like GPUs ASICs and FPGAs can accelerate cracking. We also gave you a brief introduction to algorithms that make it more difficult to crack passwords and a performance architecture that allows the use of a strong hashing algorithm without overloading servers.