
Under starter’s orders … it’s the hash race

A hash signature is used to create a digital fingerprint for data. Whether it’s one bit of data or a whole network of data, we can produce a digital fingerprint for it. If we change one bit in the data, we should create a completely different hash signature. And don’t expect there to be some fancy mathematics to reverse it, as it’s a one-way function.

Unfortunately, hashes can be cracked using a dictionary attack (trying words from a dictionary and hashing the values), a brute force attack (this is normally achieved with rules which optimise the attack), or a rainbow table (where we have pre-computed hashes that we can compare against). The usage of salt now means that the rainbow table method is not often used, but GPU and ASIC crackers mean that dictionary and brute force attacks are still a weapon against hashed passwords.

But not all the hash methods are the same. Some are extremely fast (Murmur), some are very fast (SHA-1, SHA-3, MD5) and others are extremely slow (Bcrypt, PBKDF2, and APR1).

To determine, for a base system, the speed of the hashing, we can run a Python script [here] for “The quick brown fox jumps over the lazy dog”:

Each test is done for 40 hashes, and here Bcrypt and PBKDF2 have five rounds. We can determine the equivalent hashes for given salt values and rounds:

If a hash method is fast it can be broken more easily than a slower one, but one that is fast can be used to quickly hash values. For a sample run, we can now rank the methods in classifications:

We can see, for speed, that Murmur wipes the floor with the rest, with MD5, SHA-1 and SHA-256 all coming in at around the same speed. For the slowcoaches we include Bcrypt, Oracle 10 and APR1. With Bcrypt and PBKDF2 we have only done five rounds, so in real life these methods would be even slower. So if you want to slow down an intruder … use Bcrypt or PBKDF2.

In the code we compute the hash 40 times and measure the time. The outline of the code used is:
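The timing approach described above, as an added example that is not the author's original script: it uses only Python's standard `hashlib`, so Murmur, Bcrypt, APR1 and Oracle 10 are left out. The salt, the choice of HMAC-SHA256 for PBKDF2 and the 100,000-round setting are assumptions made for illustration.

```python
import hashlib
import time

MESSAGE = b"The quick brown fox jumps over the lazy dog"  # test string from the article
SALT = b"constructed-salt"  # constructed sample salt (assumption)
REPEATS = 40                # the article times 40 hashes per method


def pbkdf2(rounds):
    """Return a PBKDF2 hasher; HMAC-SHA256 is an assumption, not from the article."""
    return lambda data: hashlib.pbkdf2_hmac("sha256", data, SALT, rounds)


METHODS = {
    "MD5": lambda d: hashlib.md5(d).digest(),
    "SHA-1": lambda d: hashlib.sha1(d).digest(),
    "SHA-256": lambda d: hashlib.sha256(d).digest(),
    "SHA3-256": lambda d: hashlib.sha3_256(d).digest(),
    "PBKDF2 (5 rounds)": pbkdf2(5),               # round count used in the article
    "PBKDF2 (100,000 rounds)": pbkdf2(100_000),   # illustrative higher work factor
}


def time_method(func, data=MESSAGE, repeats=REPEATS):
    """Time `repeats` hashes of `data` and return the elapsed seconds."""
    start = time.perf_counter()
    for _ in range(repeats):
        func(data)
    return time.perf_counter() - start


def hashes_per_second(elapsed, repeats=REPEATS):
    """Convert an elapsed time into a hashing rate on this machine."""
    return repeats / elapsed if elapsed > 0 else float("inf")


def rank_methods(methods=METHODS):
    """Return (name, seconds) pairs sorted from fastest to slowest."""
    timings = {name: time_method(func) for name, func in methods.items()}
    return sorted(timings.items(), key=lambda item: item[1])


if __name__ == "__main__":
    for name, elapsed in rank_methods():
        rate = hashes_per_second(elapsed)
        print(f"{name:<26}{elapsed:>12.6f} s{rate:>16,.0f} hashes/s")
```

The hashes-per-second column is the rate a single CPU core could test password guesses at; the GPU and ASIC crackers mentioned earlier run far faster on the fast methods.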

A common tool used to crack hashed passwords is Hashcat, which can target given lengths of passwords and commonly used password changes:


Fast is good when you have to do lots of hashing, but slow is good if you want to stop the crackers. If your company has a data breach of passwords, hopefully you will be reporting on Bcrypt hashing rather than SHA-1.

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.
