Stolen password activity


Your task

Here is a ‘stolen’ password hash list. The format is username:password_hash. In this scenario, you play the role of the hacker. You have the list of usernames and the hashes of the associated passwords for a web service.

Some of the users may well have used common passwords. Without any other information, this doesn’t help because it’s just as difficult to brute-force the password ‘mittens’ from its hash as it would be to find, by brute force, the password ‘sdfhg.28b!8GGG=’ from its hash.

However, if we did try to brute-force these two, we would find the answer to the first one if we tried every word in the dictionary. It might take a while, but it could be done without too much difficulty. There are around 150,000 English words in common use – let’s say we include archaic and derivative words and make the total number of words 250,000. Assume it takes 1 second per hash. That means it would take around 3 days to generate a hash of every possible word, assuming a single thread and no parallelism. To find the second one, we would have to try every possible combination of letters, numbers and punctuation. Assume we limit the search to passwords of up to length 15 and there are 72 possible characters (26 lowercase, 26 uppercase, 10 digits and 10 punctuation marks), then the total number of possible passwords is: 72+722+723+⋯+7215=7.36×1027, which would take around 230,000,000,000,000,000,000 years at the rate of 1 hash per second.

Attackers have access to lists of previously calculated hashes, too. This means that there is probably already a database entry for ‘mittens’ and its hash, so ‘reversing’ it is really just a matter of looking up the answer.

See if you can find an online database of hashes and use it to break in to any of the accounts in the stolen list of password hashes.

Share this article:

This article is from the free online course:

An Introduction to Cryptography

Coventry University