📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
DAY 10 OF 100
100-Day Ethical Hacking Course
🔴 Day 10 — Password Security & Attacks – How Password Attacks Work
Passwords are the most widely used authentication mechanism in existence — and the most consistently misunderstood security control. Organisations spend millions on firewalls and endpoint protection, then get breached because an employee used “Summer2024!” as their VPN password.
Today we go inside the science of how passwords are stored, why weak ones fall so quickly under testing, and what the actual defence looks like. As an ethical hacker, you’ll test credential security professionally. As a security professional, you’ll use this knowledge to build policies that hold up.
⚖️ Professional & Legal Context
Password security testing is a core component of professional penetration tests. Understanding how these techniques work is essential for:
✓ Testing an organisation’s password policy during an authorised assessment
✓ Demonstrating why “Password123” fails immediately — making the case for better policy
✓ Understanding what attackers do with credentials found in a breach
✓ Designing authentication systems that resist real-world attacks
✗ All practical exercises in this lesson target your own lab systems only — never external accounts or services without explicit authorisation
📋 Day 10 Contents
- How Passwords Are Stored — Hashing Explained
- Hash Types — From MD5 to Argon2
- Why Salting Changes Everything
- Attack Types Explained
- Wordlists — Where rockyou.txt Came From
- Hashcat — Offline Hash Cracking
- Hydra — Online Authentication Testing
- Building Credential Security That Holds
- Day 10 Practical Task
How Passwords Are Actually Stored — The Hashing Mechanism
No legitimate system stores your password in plaintext. If they did — and some still do, disastrously — any database breach would immediately expose every user’s password. Instead, passwords are passed through a hash function: a mathematical algorithm that converts any input into a fixed-length output string. The critical property of a hash function is that it’s one-way — you cannot mathematically reverse it.
How hashing works — from your Kali terminal

```bash
# Hash the same string with different algorithms
echo -n "Password123" | md5sum
42f749ade7f9e195bf475f37a44cafcb  -
echo -n "Password123" | sha256sum
c6ba91b90d922e159893f46c387e5dc1b7a0a47b17cb275f9e5de7c41fc38de8  -
echo -n "Password123!" | md5sum   # One character different
8421d28b96ec406cdbc9ccece48a9b81  -
# Completely different hash: even a one-character change gives an entirely new hash
```

This is the key insight: the hash is deterministic but not reversible.
- “Password123” always produces the same MD5 hash
- But you cannot take the MD5 hash and compute “Password123” from it

How login verification works:
1. User types: “Password123”
2. System hashes: MD5(“Password123”) → 42f749ad…
3. Stored hash: 42f749ad…
4. Match → login succeeds (the system never knew the real password)
So if hashing is one-way — how do attackers crack passwords? They don’t reverse the hash. They guess the password, hash their guess, and see if the hash matches. If “Password123” hashed with MD5 produces 42f749ad... and they find 42f749ad... in a database dump — they hash every word in their wordlist until one matches. That process is password cracking.
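The verify-and-compare mechanics above, as an added example that is not part of the original article: the stored MD5 is the one from the terminal session, the toy wordlist is constructed, and the `guess_and_compare` loop is exactly the hash-the-guess-and-compare process the text describes, never a reversal of the hash.

```python
import hashlib

# MD5("Password123") as shown in the terminal session above.
STORED_MD5 = "42f749ade7f9e195bf475f37a44cafcb"


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, matching `echo -n ... | md5sum`."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_login(stored_hash: str, attempt: str) -> bool:
    """What a login system does: hash the attempt and compare to the stored hash.
    The original password is never needed."""
    return md5_hex(attempt) == stored_hash


def guess_and_compare(target_hash: str, wordlist):
    """The process the text calls password cracking: each candidate is hashed
    and compared; the hash itself is never reversed.
    Returns (matching_password, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if md5_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


# Constructed toy wordlist (a real list such as rockyou.txt has millions of lines).
TOY_WORDLIST = ["123456", "password", "qwerty", "Summer2024!", "Password123", "letmein"]

if __name__ == "__main__":
    print(md5_hex("Password123"))   # deterministic: same input, same hash
    print(md5_hex("Password123!"))  # one extra character: unrelated hash
    print(verify_login(STORED_MD5, "Password123"))
    print(guess_and_compare(STORED_MD5, TOY_WORDLIST))
```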
Hash Types — From Dangerously Fast to Deliberately Slow
Not all hash algorithms are equal for password storage. The key metric is speed — and this is counterintuitive. For passwords, slower is better. A fast hash can be computed billions of times per second by modern hardware. A deliberately slow hash — designed for password storage — might allow only a few thousand attempts per second, making large-scale guessing computationally impractical.
| Algorithm | Speed | Designed For | Password Storage? | Notes |
|---|---|---|---|---|
| MD5 | ~60 billion/sec (GPU) | File integrity | ❌ Never | Cryptographically broken. Trivially cracked. |
| SHA-1 | ~25 billion/sec (GPU) | Certificates (deprecated) | ❌ Never | Deprecated by major standards bodies. |
| SHA-256 | ~10 billion/sec (GPU) | Data integrity, TLS | ⚠️ Poor choice | Too fast — without salt+iterations, weak. |
| bcrypt | ~20,000/sec (GPU) | Password storage | ✅ Good | Built-in salt, adjustable cost factor. Widely used. |
| scrypt | ~1,000/sec (GPU) | Password storage | ✅ Better | Memory-hard — expensive on GPU farms. |
| Argon2 | ~500/sec (GPU) | Password storage | ✅ Best | Winner of Password Hashing Competition. Recommended by OWASP. |
💡 The speed gap explains everything: A GPU can attempt ~60 billion MD5 hashes per second. At that rate, every possible 8-character password using uppercase, lowercase, and numbers (62 characters, 218 trillion combinations) falls in about 60 minutes. The same hardware against bcrypt? 218 trillion combinations would take over 300 years. Algorithm choice is the first and most important line of defence.
Why Salting Changes Everything — The Defence Against Precomputation
Even before cracking tools existed, attackers solved the “hashing is slow” problem with rainbow tables — precomputed tables mapping common passwords to their hashes. If your database uses unsalted MD5 and an attacker has the rainbow table, they look up every hash instantly. No computation needed at attack time.
Salting defeats this completely. A salt is a random string generated uniquely for each user, prepended or appended to their password before hashing. The same password “Password123” produces a completely different hash for every user, because each gets a unique salt. Rainbow tables become useless — they’d need a separate table for every possible salt value.
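An added example (not from the original article) that puts the hash-type section and the salting section together: a precomputed lookup table succeeds instantly against unsalted MD5, while per-user random salts and a deliberately slow derivation make the table useless. PBKDF2-HMAC-SHA256 from Python's standard library is used here as a stand-in for bcrypt/scrypt/Argon2, which need third-party packages; the table contents and user records are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a rainbow table: hashes precomputed for common passwords.
COMMON = ["123456", "password", "Summer2024!", "Password123"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}


def lookup_unsalted(stored_md5: str) -> Optional[str]:
    """Unsalted MD5: a single dictionary lookup, no hashing at attack time."""
    return PRECOMPUTED_MD5.get(stored_md5)


# Salted, deliberately slow storage. Iteration count follows the current OWASP
# guidance for PBKDF2-HMAC-SHA256 (assumption: stand-in for bcrypt/scrypt/Argon2).
ITERATIONS = 600_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a fresh 16-byte random salt per user next to the derived hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_record(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    unsalted = hashlib.md5(b"Password123").hexdigest()
    alice = make_record("Password123")
    bob = make_record("Password123")  # same password, different user
    return {
        "table_hit_unsalted": lookup_unsalted(unsalted),        # "Password123"
        "table_hit_salted": PRECOMPUTED_MD5.get(alice["hash"]),  # None
        "same_password_same_hash": alice["hash"] == bob["hash"],  # False
        "alice_login": verify_record(alice, "Password123"),      # True
        "alice_wrong": verify_record(alice, "Password123!"),     # False
    }


if __name__ == "__main__":
    print(demo())
```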
📖 Read the complete guide on SecurityElites: this article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through.