Today I found a website which really scared me! I want to share it with you because I think it is important for everyone who has ever dealt with passwords.
I searched Google for something like a SHA256 cracker, to be sure that it is not crackable.
First of all, some information on SHA256: it was developed by the NSA (National Security Agency). SHA is the abbreviation for Secure Hash Algorithm, and it is one of the most secure hash algorithms.
A SHA256 hash has 64 hex characters, so if you want to save it in your database you will need 64 bytes per hash. With growing technologies like GPU computing, you as a programmer have to use more complex algorithms to be sure that the hashed passwords can't be cracked.
Now to the point: LM Reverse and Hash.Db.Hk have big databases which already contain many SHA256 hashes. Mostly they can only crack simple ones, but the new technologies will help the crackers to guess or maybe even reverse hashes.
I would really recommend you all to use SHA512. Performance should not be a reason for you not to use SHA512. Here is a little comparison between the hashes; all calculation times are in milliseconds. The times were measured on a laptop, so on a production web server it is even faster!
| Hash | Calculation in ms |
These calculation times are from PHP.NET, so as you can see SHA512 takes twice as long as SHA256 to calculate, but your applications will be more secure! SHA512 has 128 hex characters and I haven't found any database yet which you can use to get the plaintext from a hash. The only way to crack a SHA512 hash is by using a password dictionary, and for this I would recommend you to use a SALT.
The SALT should contain special characters like '$', '%', '&' and so on. With the special characters it is much harder for a cracker to crack the hashes with dictionaries!
Here is an example of hashing with SHA512 and a SALT.
<?php
$Algo = "sha512";          // algorithm name as accepted by hash()
$Salt = '!§$%&/()=?';      // single quotes: keep "$%" literal, no PHP variable interpolation
$Password = "Hello";
echo $Password;
// the salt is put in front of and after the password before hashing
echo hash($Algo, $Salt . $Password . $Salt);
This will give you the following output…
Nice heh? 128 hex characters! =D
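As an added example (not the post's own code), here is the same scheme in Python: hashlib stands in for PHP's hash(), and a small constructed word list stands in for the lookup databases mentioned above. It shows the 64 vs 128 hex character lengths and that the salted digest does not appear in a table precomputed from unsalted words, while the unsalted SHA256 of "Hello" does.

```python
import hashlib

# Salt and password taken from the post's PHP snippet.
SALT = "!§$%&/()=?"
PASSWORD = "Hello"

# Constructed mini "cracker" dictionary standing in for the big hash databases.
DICTIONARY = ["123456", "password", "Hello", "qwerty", "letmein"]


def hash_password(password: str, salt: str = "", algo: str = "sha512") -> str:
    """Mirror the post's hash($Algo, $Salt.$Password.$Salt), returned as hex."""
    data = (salt + password + salt).encode("utf-8")
    return hashlib.new(algo, data).hexdigest()


def build_lookup_table(words, algo: str) -> dict:
    """Precompute unsalted digests of dictionary words, as a lookup database would."""
    return {hashlib.new(algo, w.encode("utf-8")).hexdigest(): w for w in words}


def lookup(digest: str, table: dict):
    """Return the plaintext if the digest was precomputed, else None."""
    return table.get(digest)


def demo() -> dict:
    """Compare an unsalted SHA256 digest with a salted SHA512 digest against lookup tables."""
    unsalted = hash_password(PASSWORD, algo="sha256")       # no salt, as in the databases
    salted = hash_password(PASSWORD, SALT, "sha512")        # the post's salted scheme
    table256 = build_lookup_table(DICTIONARY, "sha256")
    table512 = build_lookup_table(DICTIONARY, "sha512")
    return {
        "sha256_len": len(unsalted),                        # 64 hex characters
        "sha512_len": len(salted),                          # 128 hex characters
        "unsalted_found": lookup(unsalted, table256),       # "Hello": found in the table
        "salted_found": lookup(salted, table512),           # None: salt defeats the table
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```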
I hope you enjoyed this article and you will try to use SHA512 instead of MD5, SHA1 or SHA256!