2

Does the kind of algorithm used to hash passwords have any advantages or disadvantages in a dictionary attack? i.e. SHA256, MD5, etc. or is it just the dictionary that is used by the attacker matters?

As far as I can understand, the hashing algorithm does not have any effect on protection against the dictionary attack like John the ripper.

schroeder
  • 125,553
  • 55
  • 289
  • 326
gg0092
  • 21
  • 3

2 Answers2

6

In brute force dictionary attacks the speed of the algorithm essentially defines how many passwords can be checked within a specific time. The fewer passwords can be checked the better the algorithm protects against brute force. That's why proper password hashing algorithms are deliberately slow, unlike plain MD5 or SHA256.

Additionally proper password hashes use a random salt so that it is impossible to reuse a precalculated mapping between password and hash.

For more see How to securely hash passwords?.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
5

The hashing algorithm can determine how many hashes per minute the attacker can attempt (speed).

The success rate of cracked hashes is determined by the "quality" of the dictionary and any mutation rules and the strength of the users passwords.

A faster algorithm can afford an attacker to use a larger dictionary or use broader rules which can increase the likelihood of successfully cracking more passwords in the same amount of time.

The best protection against offline attacks (brute force and dictionary) is to use a time costly hashing algorithm like script, pbkdf2 or bcrypt.

wireghoul
  • 5,755
  • 2
  • 17
  • 26