Passwords are the first line of defense against unauthorized access to user accounts, but the best practices for creating and storing them have changed. The National Institute of Standards and Technology (NIST) now prioritizes password length over complexity, emphasizing the use of long passphrases. Even strong passwords, however, should never be stored in plaintext. Hashing has become a critical security measure that keeps passwords from being fully exposed in the event of a data breach.
Hashing algorithms convert passwords into fixed-length strings of characters that cannot be easily reversed. If attackers gain access to a hashed password database, they still need to crack the hashes before they can use the credentials.
See also: Differences between encryption and hashing
According to The Hacker News, “Because hashing algorithms are one-way functions, the only method to compromise hashed passwords is through brute force techniques. Cyber attackers employ special hardware like GPUs and cracking software (e.g., Hashcat, L0phtcrack, John The Ripper) to execute brute force attacks at scale—typically millions or billions of combinations at a time.” In other words, hashing is a strong security measure, but not all hashing algorithms are equally secure: the difficulty of cracking a password depends on the hashing algorithm used and on the complexity of the password itself.
Despite hashing protections, cybercriminals have developed advanced techniques to crack password hashes. Some of the most common methods include:
Go deeper: Password guidelines by NIST
Password hashing is a security technique that converts passwords into fixed-length strings using cryptographic algorithms. This makes it difficult for attackers to retrieve the original password, even if they access the hashed version.
Hashing protects passwords from being stored in plaintext, reducing the risk of exposure in case of a data breach. Even if an attacker gains access to a hashed password, they must still crack it to obtain the original password.
A strong password is long (at least 12-16 characters), includes a mix of uppercase and lowercase letters, numbers, and special characters, and avoids common words or patterns.