CHAPTER 13

Secure Password Practices and Hashing

Updated: May 15, 2026

1. Introduction

Humans are terrible at creating random passwords, and they are even worse at remembering them. As a result, people use "Password123" across 50 different websites. When one obscure forum is hacked and the database is leaked, attackers take those stolen passwords and try them on banking and corporate VPN portals—an attack known as "Credential Stuffing." In this chapter, we will dive into the cryptography of authentication. We will explore how databases are supposed to store passwords securely using Hashing and Salting, how attackers crack these hashes using tools like Hashcat, and the enterprise policies required to neutralize credential theft.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Differentiate between Encryption, Encoding, and Hashing.
  • Understand the mechanics of a Cryptographic Hash Function (e.g., SHA-256).
  • Explain the purpose of a "Salt" in defeating Rainbow Table attacks.
  • Understand how offline password cracking tools (Hashcat, John the Ripper) operate.
  • Implement secure enterprise authentication policies (MFA, Password Managers).

3. Beginner-Friendly Explanation

Imagine a meat grinder.
  • Hashing: You put a steak (The Password) into the grinder and turn the handle. Ground beef (The Hash) comes out. It is computationally infeasible to take the ground beef, put it back in the grinder, turn the handle backwards, and get the original steak back. Hashing is a one-way function.
  • Authentication: When a user creates an account, the server grinds the password into a hash and saves the hash in the database. When the user logs in tomorrow, they type their password. The server grinds it again. If the new ground beef looks exactly like the saved ground beef, the server knows the user typed the right password.

The server *never* needs to know what the actual password is. If a hacker steals the database, they get hashes rather than passwords. As Section 5 shows, hashes are not useless to an attacker, but they force the attacker to guess candidate passwords instead of simply reading them.

4. Hashing vs Encryption vs Encoding

This is the most common confusion in cybersecurity:
  • Encoding (e.g., Base64): Not security. Just translating data into a different representation (for example, binary bytes into printable text) so it can be stored or transmitted. Anyone can reverse it; no key is involved.
  • Encryption (e.g., AES-256): Scrambling data with a secret Key. If you have the key, you can reverse it back to the original data (Two-way). If the key is stolen along with the database, every password is exposed at once.
  • Hashing (e.g., SHA-256 for general data, Bcrypt for passwords): A mathematical algorithm that turns input of any length into a fixed-length digest. Irreversible (One-way). Passwords MUST be hashed, never encrypted, because a server that can decrypt passwords is a server that can leak them.

5. How Hackers "Crack" Hashes

If a hash is irreversible, how do hackers recover passwords from a leaked database? They don't reverse the hash. They guess. In an Offline Dictionary Attack the attacker hashes candidate passwords on their own hardware and compares each result against the stolen hashes:
  1. The hacker steals a hash: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
  2. The hacker takes a massive dictionary of common passwords. Leaked wordlists run to tens of millions of entries, and "mangling rules" that append digits, capitalize letters or swap characters expand the guess space into the billions.
  3. The hacker's high-powered graphics card (GPU) hashes the word "apple". Does it match? No.
  4. It hashes the word "password". Does it match? Yes. The hacker now knows the password.

Against fast, unsalted algorithms such as MD5, SHA-1, NTLM or plain SHA-256, modern GPUs test billions of guesses per second, and because there is no salt every guess is checked against every hash in the database at the same time. This is why long, unpredictable passwords are required on the user's side, and slow, salted hashing on the server's side.
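The guessing loop described above, written out as an added example (Python, standard library only; this is not code from the chapter). The wordlist, the mangling rules and the "leaked" hashes are all constructed for the demo; the first leaked hash is the one quoted in step 1, and the rules imitate the kind of word-mangling Hashcat applies from a rule file:

```python
"""Offline dictionary attack against unsalted SHA-256 password hashes.

Added example, not part of the original chapter. The wordlist, the
mangling rules and the leaked hashes are constructed for the demo.
"""
import hashlib
from typing import Callable, Dict, Iterator, List, Set

# Constructed mini "dictionary". Real attacks use wordlists with millions
# of entries plus rule files that multiply each word into many variants.
WORDLIST: List[str] = ["apple", "letmein", "password", "dragon", "qwerty", "monkey"]

# Hashcat-style mangling rules expressed as Python callables: identity,
# capitalise, append digits, capitalise + "!", leetspeak a -> @.
RULES: List[Callable[[str], str]] = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w.capitalize() + "!",
    lambda w: w.replace("a", "@"),
]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, the fast hash the attacker is racing against."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Yield every word with every rule applied: the attacker's guess space."""
    seen: Set[str] = set()
    for word in wordlist:
        for rule in RULES:
            guess = rule(word)
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack_sha256(targets: Set[str], wordlist: List[str]) -> Dict[str, str]:
    """Crack as many unsalted SHA-256 hashes as possible in ONE pass.

    With no salt, each candidate is hashed once and compared against every
    stolen hash simultaneously. This amortisation across the whole database
    is exactly what a per-user salt takes away from the attacker.
    """
    cracked: Dict[str, str] = {}
    remaining = set(targets)
    for guess in candidates(wordlist):
        if not remaining:
            break
        digest = sha256_hex(guess)
        if digest in remaining:
            cracked[digest] = guess
            remaining.discard(digest)
    return cracked


# Constructed "leaked database": the chapter's hash of "password", two hashes
# of rule-mangled dictionary words, and one strong random password.
LEAKED_HASHES: Set[str] = {
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",  # sha256("password")
    sha256_hex("Dragon!"),
    sha256_hex("qwerty123"),
    sha256_hex("cX9!vQ#2pLw7zR"),  # random, not in any wordlist: survives the attack
}

if __name__ == "__main__":
    results = crack_sha256(LEAKED_HASHES, WORDLIST)
    for digest, password in results.items():
        print(f"{digest[:16]}...  ->  {password!r}")
    print(f"cracked {len(results)} of {len(LEAKED_HASHES)} hashes")
```

Three of the four hashes fall to a six-word dictionary and six rules; the random 14-character password is never guessed. Scale the wordlist to millions of entries and the rules to thousands, move the hashing onto a GPU, and you have Hashcat's straight and rule-based attack modes.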

6. Mini Project: Implement Secure Password Policy

To slow down attackers, developers must use a deliberately slow password hashing algorithm such as Bcrypt (scrypt and Argon2id are the other widely recommended choices), and they must add a Salt. A Salt is a string of random bytes, generated fresh for every user and stored next to the hash, that is combined with the password *before* it is hashed. The salt does not need to be secret; its job is uniqueness. Even if two users both choose "Password123", their resulting hashes look completely different, so an attacker can no longer test one guess against every hash at once, and pre-computed "Rainbow Tables" built without the salt are useless.

Secure PHP Implementation Example:

```php
<?php
// SECURE CODE: Creating a user account
$userPassword = "MySuperSecretPassword!";

// password_hash() generates a random salt, runs bcrypt, and returns a
// string that embeds the algorithm, the cost factor and the salt, so
// nothing else needs to be stored. Raise 'cost' to make every hash
// (and every attacker guess) slower.
$secureHash = password_hash($userPassword, PASSWORD_BCRYPT);

// Save $secureHash to the database. NEVER save $userPassword.
```

```php
<?php
// SECURE CODE: Verifying a login attempt
$username      = $_POST['username'] ?? '';
$inputPassword = $_POST['login_password'] ?? '';

// get_hash_from_db() stands in for your own data-access code; it should
// return the stored hash string, or null if the user does not exist.
$databaseHash = get_hash_from_db($username);

// password_verify() reads the salt and cost out of the stored hash,
// recomputes bcrypt over the input, and compares in constant time.
if ($databaseHash !== null && password_verify($inputPassword, $databaseHash)) {
    echo "Login successful!";
} else {
    // Same message for "no such user" and "wrong password":
    // do not tell an attacker which one they got right.
    echo "Invalid credentials.";
}
```
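The same pattern in Python, as an added example (not the chapter's code, and not PHP). Python's standard library has no bcrypt, so this uses PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac, another deliberately slow, salted scheme; the record layout pbkdf2_sha256$iterations$salt$hash is a convention invented for this example, and the "common passwords" table is constructed. The lookup-table half also illustrates the Rainbow Table question in the FAQ further down: a table pre-computed without the salt finds an unsalted hash instantly and finds nothing once a salt is involved.

```python
"""Salted, slow password storage with the Python standard library.

Added example, not the chapter's PHP code. Uses PBKDF2-HMAC-SHA256 because
the standard library has no bcrypt; the record format and the common-password
table are constructed for this demo.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; the OWASP Password Storage Cheat Sheet's figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # 128-bit random salt, unique per record


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64)."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh salt for every call
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)   # no early-exit timing leak


def needs_rehash(record: str) -> bool:
    """True if the record was made with a weaker work factor than today's setting.

    Call this after a successful login and re-hash the (now known) password,
    so old records are upgraded as users authenticate.
    """
    return int(record.split("$")[1]) < ITERATIONS


# --- Why the salt matters: a pre-computed lookup table ---------------------
# Constructed table of common passwords -> unsalted SHA-256, built by the
# attacker once, offline, before any breach happens.
COMMON = ["password", "123456", "qwerty", "letmein", "Password123"]
LOOKUP_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}


def lookup_unsalted(sha256_hex: str) -> Optional[str]:
    """Unsalted hash: one dictionary lookup cracks it instantly."""
    return LOOKUP_TABLE.get(sha256_hex)


def lookup_salted(record: str) -> Optional[str]:
    """Salted record: the stored digest depends on a salt the table never saw,
    so the lookup misses and the attacker is back to one slow PBKDF2 per guess."""
    digest_hex = base64.b64decode(record.split("$")[3]).hex()
    return LOOKUP_TABLE.get(digest_hex)


if __name__ == "__main__":
    alice = hash_password("Password123", iterations=10_000)   # low cost only to keep the demo quick
    bob = hash_password("Password123", iterations=10_000)
    print("same password, different records:", alice != bob)
    print("verify correct:", verify_password("Password123", alice))
    print("verify wrong:  ", verify_password("password123", alice))
    print("needs rehash:  ", needs_rehash(alice))
    print("unsalted lookup:", lookup_unsalted(hashlib.sha256(b"Password123").hexdigest()))
    print("salted lookup:  ", lookup_salted(alice))
```

Two users with the same password get two different records, verification works without ever storing the password, and the pre-computed table that cracks the unsalted hash in one lookup finds nothing in the salted record. In production use the full ITERATIONS value (or a real bcrypt/Argon2id library) and never lower the work factor to make tests faster.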

7. Real-World Scenarios

In 2012, LinkedIn was breached. About 6.5 million password hashes were posted online at the time, and in 2016 it emerged that roughly 117 million account credentials had been taken. The damage was severe because LinkedIn stored passwords as SHA-1 *without a salt*. SHA-1 is extremely fast, and with no salt every guess could be tested against every hash simultaneously, so crackers recovered millions of passwords within days. Users who reused their LinkedIn password elsewhere were then exposed to credential-stuffing attacks against those other accounts. Had LinkedIn used a slow, salted algorithm like Bcrypt, each user's hash would have had to be attacked separately at a rate thousands of times lower, and only the very weakest passwords would have been recoverable, leaving most of the stolen database of little use.

8. Best Practices

  • Multi-Factor Authentication (MFA): The harsh reality is that users will always choose bad passwords, or they will be tricked into giving them away via Phishing. Organizations must assume passwords will be compromised. MFA (requiring a code from an authenticator app or a hardware security key like a YubiKey) means that even an attacker holding the correct, cracked password still cannot log in. One caveat: one-time codes can themselves be phished by a real-time proxy site that relays them to the genuine service, so phishing-resistant factors (FIDO2/WebAuthn hardware keys or passkeys, which are bound to the legitimate origin) are the stronger choice.

9. Security Recommendations

  • Password Managers: The human brain cannot remember 50 unique, 16-character passwords. Cybersecurity professionals do not try to. They use a Password Manager (like Bitwarden or 1Password) to generate incredibly complex, random passwords for every single website. They only have to remember one "Master Password" to unlock the vault.

10. Troubleshooting Tips

  • Password Expiration Policies: Legacy IT policies forced users to change their passwords every 90 days. NIST SP 800-63B (Digital Identity Guidelines) now explicitly advises *against* routine expiration. Forced rotation pushes humans toward weaker, predictable patterns such as appending a number or the season (e.g., PasswordFall!, PasswordWinter!). Passwords should be changed when there is evidence of compromise, not on a calendar.

11. Exercises

  1. What is the fundamental mathematical difference between Encryption and Hashing?
  2. Explain the purpose of a Cryptographic "Salt". How does it protect a database against Rainbow Table attacks?

12. FAQs

Q: What is a Rainbow Table? A: A Rainbow Table is a pre-computed structure built before any breach that lets an attacker map hashes of common passwords back to the passwords (strictly, it stores compressed chains of hashes rather than every pair, but it behaves like a giant lookup table). Instead of hashing guesses after the theft, the attacker looks the stolen hash up and recovers the password almost instantly. "Salting" defeats this because the table was computed without the salt: with a random 128-bit salt per user, the attacker would need a separate table for every possible salt, which is infeasible, so they are forced back to guessing one user at a time.

13. Interview Questions

  • Q: Differentiate between Hashing, Encoding, and Encryption. Provide a specific scenario in web application development where each would be appropriately utilized.
  • Q: Explain the mechanics of an offline Dictionary Attack against a stolen password hash database. Why are fast hashing algorithms (like MD5 or SHA-1) considered catastrophic vulnerabilities when used for password storage?

14. Summary

In Chapter 13, we demystified the cryptography of authentication. We clarified the critical distinction between reversible Encryption and irreversible Hashing. We explored the mechanics of offline password cracking, seeing that the resilience of a stolen database depends heavily on the deliberate slowness of algorithms like Bcrypt and on per-user Cryptographic Salts that deny the attacker any shortcut. We acknowledged the inherent limits of human memory, emphasizing the adoption of Password Managers and Multi-Factor Authentication (MFA) to construct a defense-in-depth posture against credential stuffing and phishing attacks.

15. Next Chapter Recommendation

We have secured the application, the network, and the passwords. But what happens when the entire infrastructure is hosted on computers you don't physically own? Proceed to Chapter 14: Cloud Security Fundamentals.
