Category: hashing

A new study by Specops Software explores the resilience of SHA256, a commonly used cryptographic hashing algorithm, against modern password-cracking techniques. The findings emphasize the algorithm’s effectiveness in protecting data, especially when combined with strong, complex passwords. However, the research also highlights vulnerabilities when using short or simple passwords, even with this robust technology.

SHA256, renowned for its collision resistance and speed, is widely implemented in areas like blockchain, digital certificates, and password storage. However, its simplicity—originally a strength—has become a potential liability in the era of advanced GPU technology. Using an Nvidia RTX 4090, researchers demonstrated how weak passwords, such as eight-character combinations, could be cracked in seconds. This alarming finding underscores the limitations of SHA256 when used without additional security layers like salts or password policies.

The study stresses the importance of password length and complexity as critical deterrents to brute-force attacks. Passwords exceeding 14 characters, combined with upper and lowercase letters, numbers, and symbols, exponentially increase cracking difficulty. Furthermore, security mechanisms like salting (adding unique random data to hashed passwords) or key stretching (intentionally slowing hash generation) can significantly enhance SHA256’s defenses.

Beyond algorithmic capabilities, the research brings attention to human factors. Poor password hygiene—such as reusing passwords across multiple accounts—remains a pervasive risk. Highly secure hashing mechanisms like SHA256 cannot compensate for weak user practices. Organizations are urged to enforce stringent password policies, encourage multi-factor authentication, and educate users on password security.

Specops Software’s research highlights a pressing need for a layered approach to digital security. While SHA256 remains a vital tool in safeguarding sensitive data, its limitations in password-hashing applications should prompt developers and security teams to explore complementary strategies.

Darren James, Senior Product Manager at Specops Software, said this about the findings: “It’s a cybersecurity blunder to store passwords in plaintext, as anyone who gains unauthorized access to the database could simply read them. Hashing algorithms solve this problem to an extent, although it is technically possible to crack hashed passwords through brute-force guessing via powerful hardware and sophisticated software.”

“Even with dictionary lists and other aids, hackers still often only have the chance to crack the shortest, simplest passwords. SHA256 is a relatively modern hashing algorithm and as our research shows, it can easily put the ‘time to crack’ up to thousands (or even millions) of years for strong passwords. However,  it’s important for organizations to remember that hashing algorithms can be rendered irrelevant due to end user mistakes. For example, a password becoming compromised through password reuse.”

As cyber threats grow increasingly sophisticated, organizations and individuals alike must take responsibility for staying ahead. Strengthening password protocols and leveraging advanced security technologies are essential to addressing evolving risks.

The post Research Highlights SHA256 Password Security Strengths and Risks appeared first on IT Security Guru.

In the realm of cybersecurity, understanding the nuances between hashing, salting, and encryption is crucial for safeguarding sensitive data. Each method serves a distinct purpose in protecting information, and grasping their disparities is essential for implementing robust security measures.

Hashing: The Digital Fingerprint

Hashing is a one-way process that transforms input data into a fixed-size string of characters, often referred to as a hash value or digest. The key characteristic of hashing is its irreversibility—once data is hashed, it cannot be reversed to retrieve the original information. This makes hashing ideal for password storage, as even if the hash is compromised, the original password remains secure.

Common hashing algorithms include MD5, SHA-256, and bcrypt. However, due to vulnerabilities in older algorithms like MD5, contemporary applications lean towards more secure options like SHA-256.

Salting: Adding a Pinch of Security

While hashing provides a strong defense against data breaches, it is not immune to attacks like rainbow table attacks, where precomputed tables of hash values are used to crack passwords. This is where salting comes into play.

Salting involves adding a unique random value (the salt) to each piece of data before hashing. The salt ensures that even if two users have the same password, their hashed values will be different due to the unique salt. This fortifies the security of hashed passwords, making them resistant to precomputed attacks.

Encryption: The Secure Communication Channel

Encryption, unlike hashing and salting, is a two-way process that involves transforming data into a cipher using a specific algorithm and a key. The key is required to decrypt the data back to its original form. Encryption is commonly used to secure data during transmission, such as in online transactions or communication.

There are two primary types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption employs a pair of public and private keys. Public keys are used for encryption, and private keys for decryption.

In conclusion, hashing, salting, and encryption play distinct roles in fortifying data security. Hashing creates irreversible fingerprints for data, salting adds an extra layer of uniqueness to hashed values, and encryption safeguards data during transmission. Implementing a combination of these techniques provides a robust defense against various cybersecurity threats, ensuring the confidentiality and integrity of sensitive information.

The post Unraveling the Differences: Hashing, Salting, and Encryption Explained appeared first on Cybersecurity Insiders.

New Specops Software research has unearthed the length of time it takes modern attackers to brute force user passwords. Plain text password storage is rare in these modern times, requiring attackers to adopt password cracking methods to make use of the majority of (hashed) password leaks. However, with the help of newer password-cracking hardware and software, the time to crack passwords is now considerably short.

Darren James, Senior Product Manager at Specops Software, states “the recent headline-making news of the possibilities of AI have some security researchers and IT teams wondering what this technology means for password security. We’ve long known that passwords are vulnerable to brute force cracking attempts. Recent advancements in automation and hardware have made these attacks all the more accessible for today’s cybercriminals.”

Below is a breakdown of the time it takes for to crack passwords:
MD5 hashed passwords time to crack
When creating a strong password that will take a substantial length of time to crack, it must contain numbers, letters, symbols, both lower and upper case and be of 10 characters long. This will buy you 3 years. If your password is 11 characters long and follows the same creation method, then it will take 279 years – unfortunate but an issue for the many generations that precede you.
By contrast, if your password is only 8 characters long and only contains numbers, it will be broken ‘instantly’.

Also, if you are using a password that has already been compromised then you may as well pack your bags and close the account because hackers will again break into it immediately. Hence why security best practices always advocate against password reuse – no matter how long the password is.

The full research can be found here.

The post Time Taken For Hackers to Crack Passwords Revealed appeared first on IT Security Guru.