The Definitive Guide to Cryptographic Hash Functions (Part II)

Rob Sobers
2 min read
Published August 14, 2012
Last updated January 17, 2023

Last time I talked about how cryptographic hash functions are used to scramble passwords. I also stressed why it is extremely important that nobody can take a hash value and work backwards to recover the plain text input. That was Golden Rule #1 (pre-image resistance).

But if hashes can’t be reversed, why do we always hear about passwords being cracked?  And why the heck are people always telling us to create really complex, hard-to-remember passwords?

Does Password Size Really Matter?

In Part I, you saw that both “dog” and “the eagle flies at midnight” generated MD5 hash values of exactly the same length. What’s more, the two hashes are equally hard to reverse. So what makes weak passwords weak? Answer: brute force attacks.

Brute Force Attacks

Instead of reversing the hash of your password, I can simply keep trying different inputs until I guess one that generates a hash that matches yours. (Remember: the hashing algorithms are public.) This is called a brute force attack and it can be very effective at cracking weak passwords. (In fact, thanks to my spotty memory, I brute force my 4 digit garage door code almost every day.)

A weak password that is just 3 lowercase alpha characters (e.g., “dog”) requires at most 17,576 guesses (26 letters in each of 3 positions) to produce a match. An attacker can further reduce the number of guesses by limiting the “guesses” to the most likely candidates, like 3 character words that exist in the dictionary (try “dog” but don’t try “fgz”). This variation is unsurprisingly called a dictionary attack.

In contrast, if a password is 8 case-sensitive alpha-numeric characters (e.g., “d0G5Fr0g”), an attacker may have to guess up to 218,340,105,584,896 times (62 symbols in each of 8 positions). No thanks!
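The guess counts above, worked through as an added example that is not part of the original post: `guess_space` computes the size of the search space for a character set and length, `brute_force_md5` walks that space with the public MD5 algorithm to show that a 3-lowercase-letter hash really does fall within the 17,576 guesses, and `worst_case_seconds` turns a space into a time estimate. The leaked hash is constructed here from “dog”, and the 1 billion hashes/second rate in the demo is an assumption, not a figure from the post.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase                      # 26 symbols
ALNUM_MIXED = string.ascii_letters + string.digits  # 62 symbols


def md5_hex(text: str) -> str:
    """Hex MD5 of a string; the algorithm is public, so anyone can compute it."""
    return hashlib.md5(text.encode()).hexdigest()


def guess_space(charset: str, length: int) -> int:
    """Maximum number of guesses for `length` symbols drawn from `charset`.
    Each position is independent, so the space is |charset| ** length."""
    return len(charset) ** length


def worst_case_seconds(space: int, hashes_per_second: float) -> float:
    """Time to exhaust the whole space at an assumed hashing rate.
    On average the match turns up after about half the space."""
    return space / hashes_per_second


def brute_force_md5(target_hex: str, charset: str, length: int):
    """Try every candidate in order until its MD5 matches the target.
    Returns (password, attempts) on a hit, or (None, attempts) if the
    space is exhausted without a match."""
    attempts = 0
    for combo in itertools.product(charset, repeat=length):
        attempts += 1
        candidate = "".join(combo)
        if md5_hex(candidate) == target_hex:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # The two search-space sizes from the post.
    print(f"{guess_space(LOWER, 3):,}")         # 17,576
    print(f"{guess_space(ALNUM_MIXED, 8):,}")   # 218,340,105,584,896
    # Constructed scenario: all that leaked was the hash of "dog".
    leaked = md5_hex("dog")
    print(brute_force_md5(leaked, LOWER, 3))    # ('dog', 2399)
    # Assumed rate of 1e9 MD5/s; the 8-character space still takes days.
    days = worst_case_seconds(guess_space(ALNUM_MIXED, 8), 1e9) / 86400
    print(f"{days:.2f} days")
```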

Rainbow Tables

Generating billions of password hashes can be time-consuming and computationally expensive. As a result, crackers sometimes use rainbow tables (gigantic, pre-computed tables of hash values for every possible combination of characters) to speed up the cracking process.

Rainbow tables take a really long time to generate, but once they’re available (e.g. at freerainbowtables.com), they can help attackers find a match for a given hash in seconds versus hours, days, or months if they have to compute all the hashes themselves.

It should be obvious by now that the more complex your password, the less likely its hash will be in a rainbow table.  Some of the most effective rainbow tables available are ones that contain hashes of common dictionary words, so never, ever use dictionary words as your password!

So, given that brute force attacks and rainbow tables exist, aren’t we all vulnerable?  Fear not, my friends.  Part III will feature a rather tasty solution (salt).
