# Password Hashing: Security and Strength

##### Owen Kroeger
##### Prof. Sluiter
##### ITT-305

## Why Hashing is a Better Choice for Password Security than Encryption

Hashing is often preferred over encryption for password storage due to its one-way nature. While encryption can be reversed (decrypted) with the correct key, hashing is a one-way function. Once a password is hashed, it cannot be directly reverted to its original form. This makes it more secure for password storage because even if the hashed passwords are stolen, the actual passwords cannot easily be retrieved. Additionally, modern password storage methods use **salting**, where random data is added to the password before hashing, making it much harder for attackers to use precomputed tables (rainbow tables) to reverse-engineer passwords.

## Other Than Passwords, How is Hashing Used to Improve Data Security?

Beyond password security, hashing is widely used in various data security contexts:

- **Data Integrity**: Hashing is used to verify that data has not been altered during transmission or storage. By comparing the hash of a file before and after transmission, we can detect whether the data has been tampered with.
- **Digital Signatures**: Hashes are used in digital signatures to make sure that a document has not been changed since it was signed. The hash of the document is encrypted with the sender’s private key, and any modification to the document would result in a different hash.
- **Blockchain**: Hashing is fundamental in blockchain technology. Each block in the blockchain contains a hash of the previous block, creating a secure chain. Altering one block would break the chain due to hash mismatch, making it evident that tampering has occurred.

## What Insights Did You Learn About Password Strength?

An insight I gained through this was that using a long string of words as a password is still quite insecure. I always wondered why the default (generated) passwords for things were complicated strings of numbers, letters, and characters, but now I understand how dictionary attacks can be easily used to crack word passwords. I also now understand why increasing the size of the library used in a brute force attack (via using symbols) greatly increases the security of the password.

## Password Cracking Time Estimate Table

Below is the password cracking time estimate table based on the hashing speed of 5,000,000 guesses per second (based on my CPU's average run):

### Password Cracking Time Estimates (Based on 5,000,000 guesses/second)

| Password Length | Alphabet Size | Total Combinations      | Time to Crack           |
|-----------------|---------------|-------------------------|-------------------------|
| 5               | 26            | 26^5 = 11881376          | 2.38 seconds            |
| 6               | 26            | 26^6 = 308915776         | 1.03 minutes            |
| 7               | 26            | 26^7 = 8031810176        | 26.77 minutes           |
| 8               | 26            | 26^8 = 208827064576      | 11.60 hours             |
| 9               | 26            | 26^9 = 5429503678976     | 12.57 days              |
| 10              | 26            | 26^10 = 141167095653376  | 326.78 days             |
| 11              | 26            | 26^11 = 3670344486987776 | 23.27 years             |
| 12              | 26            | 26^12 = 95428956661682176| 605.21 years            |
| 8               | 52            | 52^8 = 53459728531456    | 123.75 days             |
| 8               | 72            | 72^8 = 722204136308736   | 4.58 years              |



### Findings and Best Practices for Creating Passwords

From the password cracking time estimate table, we can draw several conclusions:

1. **Longer Passwords are More Secure**: Increasing the password length significantly increases the number of combinations an attacker must guess. For example, a password of 8 characters using the 26-letter alphabet takes over 11 hours to crack, while a 12-character password takes over 600 years.
   
2. **Increase Alphabet Size**: Using more characters, such as adding numbers, symbols, and uppercase/lowercase letters, further increases password strength. In my example, an 8-character password using 52 characters (letters plus upper and lowercase) takes just under 124 days to crack, while using 72 characters extends that to over 4.5 years.
   
3. **Best Practices**: Based on these findings, it is clear that we should:
   - Use passwords of at least 12 characters.
   - Include a mix of letters, numbers, and symbols.
   - Avoid easily guessable passwords such as common words or phrases.
   - Consider using a password manager to generate and store complex, unique passwords for each site or service.


![firsthash.png](attachment:381f7d31-0fea-4850-99c9-300324d37d04.png)

**Caption:** ↑ This picture shows the result of Part 2 where we ran the same password through different hashing algorithms 10000 times each and compared the run times against each other.

![dictionary.png](attachment:593b4e08-8347-411d-8350-6bb5d95ef5e4.png)

**Caption:** ↑ This is the result of using the MD5 algorithm with a Dictionary Attack to crack the password **helloworld**.

![bruteforce.png](attachment:9dfb0aae-674e-4aa9-b39f-bebcd97b76ee.png)

**Caption:** ↑ This picture shows a brute force attack with MD5 finding the password **k@8{4**.

![prefix.png](attachment:bdd36a77-cc48-4bff-b882-e7db0e6c521c.png)

**Caption:** ↑ Here I tried to use a prefix **ilove** with the password **ilovedogs**, and it got cracked immediately by a dictionary attack.

![blockchain.png](attachment:57def2e4-83c5-44a5-9900-1c807e743aa5.png)

**Caption:** ↑ This picture shows the result of me testing out the blockchain code with three simple blocks.