Password Hashing And Rehashing: Stop Hackers


Unfortunately, thanks to past security lapses in other sectors, nearly everyone’s sensitive information is already publicly available online, so breaches have become the norm rather than the exception. For end users they are now less an emergency than an irritant. Most of us know that the systems we use hash our passwords most of the time, but how difficult would it actually be for a malicious party to recover ("rehash") passwords from a stolen database?

As bcrypt hashing is built into Hashcat, it’s actually quite simple to use. The challenging aspect is understanding Hashcat’s operating principles and hardware requirements. In short, as part of my job’s security protocols, I gather the hashes of each employee’s password from our website and use two distinct techniques to brute-force them.


Rehash passwords

The first method is a word list. In essence, hashcat uses a wordlist that I have assembled from a big list of previously compromised passwords, along with sports teams, city names, well-known first and last names, etc., to mix words and attempt every possible combination of substituting letters for digits, etc. It took me just under eight hours on an i7 12th Gen laptop CPU to break 15% of passwords the first time we attempted this using the first method.

Brute force

In less than a month, I was able to crack an extra 4% of passwords using the second approach, which is simply brute force and still uses hashcat. Crucially, this was all done on my work laptop, and it wasn’t even done with 9-character passwords. I could have cracked many more user passwords if I had a GPU rig similar to the ones used for cryptocurrency mining. When I attended a security conference where the speaker discussed this very topic, she claimed that with hardware costing roughly $800, you could crack a password with less than 16 characters in less than a year. I don’t wish to terrify anyone, but if there is no rate limiter and an attacker can target the hash directly, short, weak passwords can be easily cracked.

Strong password

Because of this, you should either create long, random passwords using a password manager or, if you want to remember the password, create a passphrase that consists of several words (ideally uncommon ones), numbers, symbols, lowercase, uppercase, and, if possible, native characters (i.e., use Chinese characters on your keyboard if it can support them rather than ASCII). Alternatively, you can sign in using a passkey (a hardware token) if the website permits it.

Every character introduced makes password cracking significantly more difficult. If we assume a conventional keyboard layout and that 27 keys (such as Enter, the F-row, etc.) cannot be used, that leaves 74 keys, and 74 * 2 (due to the Shift key) = 148 possible symbols per position. It therefore requires up to 148 guesses to crack a one-character password, 148^2 guesses (21,904) for two-character passwords, and so on.


Imagine, if you will, a castle perched atop a hill, its towering walls bristling with defenses, and its gates sealed with an intricate lock. Within this stronghold lie treasures beyond measure, guarded only by the strength of a password. Yet, in the shadows, unseen by the naked eye, lurk the hackers, cunning and relentless in their pursuit of plunder.

But fear not, for within the heart of this fortress lies a secret known only to the wise: the art of password hashing. Like an ancient incantation, it transforms the plaintext password into an indecipherable string of characters, a cryptographic veil that shields it from prying eyes. No longer can the hackers lay claim to the riches within, for the password remains beyond their grasp, hidden within the labyrinth of cryptographic algorithms.

Yet, even as the defenders revel in their victory, the hackers remain undeterred. With relentless determination, they probe and prod, seeking the chinks in the fortress's armor. And so, the defenders, ever vigilant, devise a strategy anew: rehashing.

Rehashing, the process of repeatedly applying hashing algorithms to a password, adds an extra layer of protection to the fortress's gates. Like layers of armor upon armor, each rehashing iteration fortifies the password, making it increasingly impervious to attack. No longer a mere string of characters, the password becomes a fortress unto itself, its strength multiplied with each rehashing cycle.
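Stripped of the allegory, "rehashing" covers two concrete practices: applying the hash function many times (key stretching, which is what bcrypt's cost parameter does) and upgrading a stored hash to the current work factor the next time the user logs in successfully. The following Python, added here as an example and not code from the post, shows both. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so that it runs without third-party packages; the record format `pbkdf2_sha256$iterations$salt$digest` and the iteration counts are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Current policy. Records stored with fewer iterations are still accepted,
# but are upgraded ("rehashed") on the next successful login.
CURRENT_ITERATIONS = 600_000   # assumed policy value for this example
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Salted, iterated hash. The iteration count is stored so it can be
    raised later without breaking existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def _parse(stored: str):
    algo, iterations, salt, digest = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record: %s" % algo)
    return int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    iterations, salt, digest = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when the record was made under a weaker policy than today's."""
    iterations, _, _ = _parse(stored)
    return iterations < CURRENT_ITERATIONS


def login(password: str, stored: str):
    """Return (accepted, record_to_store). The record changes only when the
    password was correct and the old record is below the current policy;
    the plaintext is only available at this moment, so this is when to upgrade."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed example: a legacy record made when the policy was 1,000 iterations.
    legacy = hash_password("correct horse battery staple", iterations=1_000)
    ok, upgraded = login("correct horse battery staple", legacy)
    print("accepted:", ok, "| upgraded:", upgraded != legacy, "| needs_rehash now:", needs_rehash(upgraded))
    print("wrong password accepted:", login("hunter2", upgraded)[0])
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so timing does not leak how many bytes matched, and the upgrade happens inside the login path because that is the only point at which the server legitimately holds the plaintext needed to compute a fresh hash.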

But the battle is far from over, for the hackers are a cunning foe. Armed with an arsenal of tools and techniques, they launch their assault with renewed vigor, seeking to breach the fortress's defenses once more. Yet, as they clash against the impenetrable walls of hashed and rehashed passwords, they find their efforts thwarted at every turn.

For every attempt to decipher the password, the hackers are met with naught but frustration, as the cryptographic veil remains firmly in place. And so, they are forced to retreat, defeated by the indomitable spirit of those who guard the digital realm.

But let us not grow complacent, for the battle rages on, and the hackers are a relentless foe. With each passing day, they hone their skills and sharpen their blades, seeking ever more cunning ways to breach the defenses of the digital fortresses.

And so, the defenders must remain ever vigilant, constantly adapting and evolving their strategies to meet the ever-changing threat. For in the endless expanse of cyberspace, there can be no rest for those who guard its treasures.

So, dear reader, take heed of the tale of password hashing and rehashing, for it is a saga of triumph and perseverance in the face of adversity. Let it serve as a reminder of the importance of vigilance and preparedness in the ongoing battle to safeguard our digital world.