Choosing the right hashing algorithm - it’s all about slowness
Have you ever thought about the hashing algorithm used in your code? Are you still using MD5 or SHA-1 to hash your passwords? Do you think they are "secure" and brute forcing them takes a lot of time? Well ... let's take a look on different hashing algorithms and try brute forcing an example hash to see how long it takes.
Neither will I mention the tools used for the following brute force attacks nor will I explain how to configure them. I just want to visualize the differences between well-known hashing algorithms and how tough they are. Also I will not talk about salt, pepper or other spicy stuff – not this time.
To increase the speed I am using GPU power instead of slow CPU cycles. The hashed password is always the same for each algorithm: Pw#1! So we don’t have a high secure password at this time, but we have a good combination of upper- and lowercase letters, numbers and special characters. That’s quite enough for our tests.
The following logarithmic bar chart visualizes the time it takes to brute force the test password hashed by a specific hashing algorithm. I must admit, that the three long-running attempts of scrypt and bcrypt are estimated values based on the speed of the generation of one single hash.
Time to brute force the clear text password “Pw#1!” hashed by a specific hashing algorithm on a NVIDIA Quadro M2000M GPU
The chart shows the problem with older hashing algorithms which can be brute forced in the blink of an eye, because they can be generated in the blink of an eye – wait, what? These days, we have GPUs, cluster or cluster of GPUs that make generating hashes super fast. For older algorithms, tools are able to generate billions of hashes per second. Only modern hashing algorithms like bcrypt and scrypt are secure – relating to the brute forcing effort – because they are very slow. For special combinations of parameters like expansion rounds, parallelization options and key lengths it takes seconds to generate at least one (!) hash.
In the tests above we are using a very short password with the length of five, but after 12 rounds with bcrypt it takes over 3 years to brute force it. That’s too long for the battery of my notebook! 🙂