Password Cracking Tutorial: Hashes, Salts & Defense

Understand how passwords are stored, how attackers guess them, and how defenders make cracking impractical.


Hashes 101

A hash function is a one-way function that maps a password of any length to a fixed-size digest. Servers store the digest, not the password, and check a login by hashing what the user typed and comparing the result with the stored value. General-purpose hashes such as MD5 and SHA-1 have often been used for this, but they are designed to be fast, which is exactly the problem: an attacker who obtains the database does not reverse the hash, they guess candidate passwords, hash each one the same way the server did, and look for a match, and a fast hash lets them test billions of candidates per second on commodity GPUs.

Wordlists

Attackers start from lists of common and previously leaked passwords (“password”, “123456”, “letmein”, …), hash each candidate, and compare it against every stored hash. Because the attack runs offline against a copied database, no login rate limit or lockout slows it down; only the cost of the hash function itself does.

Salts

A random per-user value combined with the password before hashing, for example hash(salt + password). The salt is not secret and is stored next to the hash; its job is to make every stored hash unique. That defeats rainbow tables (precomputed hash-to-password tables that only work for an unsalted hash) and stops reuse across users: two users with the same password get different hashes, so one guess can no longer be checked against every account at once.

Key Stretching

Deliberately slow password hashing algorithms (PBKDF2, bcrypt, scrypt, Argon2) raise the cost of every guess. PBKDF2 and bcrypt do this by iterating an expensive core many times; scrypt and Argon2 are additionally memory-hard, which strips GPUs and custom hardware of much of their speed advantage over the defender's CPU.

Example: Matching a Hash

Hash each wordlist candidate with the same algorithm and, if the scheme uses one, the same salt as the stored entry; if the result equals the stored hash, the candidate is the password.
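The following is an added example, not code from the page itself, that runs the guessing loop from the Wordlists section against a constructed, deliberately tiny "leaked database" and shows why the Salts section matters. The wordlist, usernames, passwords and salts are all made up for the example; unsalted rows use MD5 and salted rows use SHA-256 over salt + password, matching the hash(salt + password) construction above. Each cracker also returns how many hash computations it needed, so the cost difference is visible.

```python
import hashlib

# Constructed wordlist standing in for a real list such as rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon", "hunter2"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack_unsalted(targets, wordlist=WORDLIST):
    """targets: {username: md5_hex}. Returns ({username: password_or_None}, hashes_computed).

    With no salt the attacker hashes the wordlist once, builds a lookup table,
    and checks every account against it: the cost does not grow with the number
    of users, and identical passwords are exposed as identical hashes.
    """
    table = {md5_hex(w): w for w in wordlist}  # one hash per candidate, in total
    found = {user: table.get(stored) for user, stored in targets.items()}
    return found, len(wordlist)


def crack_salted(targets, wordlist=WORDLIST):
    """targets: {username: (salt, sha256_hex of salt + password)}.
    Returns ({username: password_or_None}, hashes_computed).

    The salt sits in the clear beside the hash, so the attacker knows it, but
    every account has a different one: no shared table is possible and the
    whole wordlist has to be re-hashed for each account.
    """
    found, computed = {}, 0
    for user, (salt, stored) in targets.items():
        found[user] = None
        for candidate in wordlist:
            computed += 1
            if sha256_hex(salt + candidate) == stored:  # same construction the server used
                found[user] = candidate
                break
    return found, computed


if __name__ == "__main__":
    # Constructed "leaked database": alice and bob share a weak password,
    # carol's password is not in the wordlist.
    accounts = [("alice", "8f1e", "letmein"), ("bob", "c77a", "letmein"), ("carol", "02bd", "Tr0ub4dor&3")]
    unsalted_db = {u: md5_hex(p) for u, _, p in accounts}
    salted_db = {u: (s, sha256_hex(s + p)) for u, s, p in accounts}

    print("unsalted:", crack_unsalted(unsalted_db))  # alice and bob have the same MD5
    print("salted:  ", crack_salted(salted_db))      # same result, four times the work
```

Against three accounts the unsalted cracker pays for six hashes in total, while the salted one pays for twelve (three each for alice and bob, the full six for carol) and would keep growing with every extra account. A real cracker does the same thing with a much longer wordlist plus mangling rules, but the loop is this one.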

Defender Playbook

Use Strong Hashing

Adopt a hash designed for passwords (Argon2, scrypt, bcrypt, or PBKDF2) and set its iteration or memory cost high enough that one hash takes a noticeable fraction of a second on your own servers. Revisit the parameters as hardware gets faster, and upgrade old hashes to the new cost at the user's next successful login, since you cannot recompute them without the password.

Salt Every Password

Generate a unique, random salt per user (≥ 16 bytes from the operating system's cryptographically secure random generator, never from a user attribute such as the username) and store it alongside the hash. The salt does not need to be secret; its value is in being different for every account.
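The following is an added example, not code from the page itself, that implements the two playbook items above (a slow, salted hash, stored together with its salt and parameters) using only the Python standard library. It uses PBKDF2-HMAC-SHA256 because that is the one of the four algorithms available in hashlib everywhere; the 600,000-iteration default is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256, and the `$pbkdf2-sha256$iterations$salt$hash` record layout is modelled on the PHC string format. Both the iteration count and the record layout are choices made for this example, not something the page prescribes.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256; raise over time
SALT_BYTES = 16       # the playbook's minimum; drawn from the OS CSPRNG below


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and hash in one string.

    Storing the parameters with the hash lets you raise the cost later and still
    verify old records, then upgrade them at the user's next login.
    """
    salt = os.urandom(SALT_BYTES)  # unique per call, never derived from user data
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["", ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def _parse(stored: str):
    _, algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password hash algorithm: {algorithm}")
    return int(iterations), _unb64(salt_b64), _unb64(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower cost than the current policy."""
    return _parse(stored)[0] < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                              # $pbkdf2-sha256$600000$<salt>$<hash>
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("correct horse battery stapl", record))   # False
    # Two users with the same password still get different records.
    print(hash_password("hunter2") == hash_password("hunter2"))     # False
    legacy = hash_password("hunter2", iterations=10_000)       # an older, cheaper record
    print(needs_rehash(legacy), needs_rehash(record))          # True False
```

On login, call `verify_password`; when it succeeds and `needs_rehash` is true, call `hash_password` on the password you just verified and overwrite the record. The `dklen=len(expected)` in verification makes the comparison robust if the stored hash length ever changes, and the constant-time compare matters because a verifier that bails out at the first mismatching byte leaks information to anyone who can time login responses.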

Reduce Guessing

MFA, account lockouts or throttling of repeated login failures, and strong password policies (minimum length, complexity, and a block list of common and previously breached passwords). These controls limit online guessing against the live login endpoint; they do nothing once the database itself has been stolen, which is why the hashing and salting above are still required.
