We established how passwords are stored in Part 3 and the most common ways of extracting hashed passwords in Part 4. In Part 5 we will examine how to crack a hashed password.
After the previous post you likely have a short list of random characters that you want to translate into the password the user actually typed into the computer. In other words, crack the password. How the heck do you do it? Is it even possible given the impressiveness of the hash algorithms? Yes, it is, and there are a number of tools that will even do it for you!
Determining the hash algorithm
The first step is to figure out what algorithm was used to convert the typed-in password to gobbledygook. In theory, this should be incredibly difficult. There are literally endless ways that it could be done. In practice though it is quite easy – just about everyone uses the same couple of algorithms!
Most websites are going to do what everyone else does – if the hash algorithm works well enough for others, it must be pretty good. In fact, hardly any small website owner is going to put any thought into this – they are just going to use pre-built solutions. Most pre-built solutions and programming languages have the same hash algorithms built in. MD5 is by far the most common, and SHA-1 is gaining in popularity.
Not to oversimplify things, but odds are that if your hash is 32 characters long, you’re looking at MD5. If it is 40 characters long, SHA-1.
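The length rule of thumb above can be checked against Python's own `hashlib`. The sketch below is an added example, not code from the original post; the function names and the choice of algorithms are assumptions. It shows that a hex length only narrows the field to candidates: 32 and 40 characters each match one algorithm in this list, while 64 characters matches several.

```python
import hashlib
import string

# Fixed-length algorithms considered here (an assumed, non-exhaustive list);
# all of them are in hashlib.algorithms_guaranteed.
ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512",
              "sha3_256", "blake2s")


def hex_length_table():
    """Map hex-digest length -> algorithm names, derived from hashlib itself."""
    table = {}
    for name in ALGORITHMS:
        hex_len = hashlib.new(name).digest_size * 2  # two hex chars per byte
        table.setdefault(hex_len, []).append(name)
    return table


def candidate_algorithms(value):
    """Return the algorithms whose hex digest is as long as `value`.

    Returns [] when `value` is not plain hex (salted or encoded formats
    need a different check) or when its length matches nothing in the list.
    """
    value = value.strip()
    if not value or any(c not in string.hexdigits for c in value):
        return []
    return hex_length_table().get(len(value), [])


if __name__ == "__main__":
    samples = [
        "94804c0a8c1771947cfba8ec3e0a4c30",  # the hash this post sets out to crack
        hashlib.sha1(b"constructed sample").hexdigest(),    # constructed input
        hashlib.sha256(b"constructed sample").hexdigest(),  # constructed input
        "not-a-hex-digest",                                 # constructed input
    ]
    for s in samples:
        print(f"{len(s):>3} chars  {candidate_algorithms(s) or 'unknown'}")
```

A length match is a starting guess, not proof: other 128-bit digests outside this list also produce 32 hex characters, so the guess still has to be confirmed against a known password and hash pair.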
Let’s crack 94804c0a8c1771947cfba8ec3e0a4c30
The first step is determining the hash algorithm used. Keep reading…