== Attacks on hashed passwords ==
{{main|Password cracking}}
Rather than store plain user passwords, controlled-access systems frequently store the hash of each user's password in a file or database. When someone requests access, the password they submit is hashed and compared with the stored value. If the database is stolen (an all-too-frequent occurrence<ref name="jjUS1">{{cite news|url=https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html|title=The 15 biggest data breaches of the 21st century|first=Dan|last=Swinhoe|first2=Michael|last2=Hill|publisher=CSO Magazine|date=April 17, 2020|access-date=November 25, 2020|archive-date=November 24, 2020|archive-url=https://web.archive.org/web/20201124152328/https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html|url-status=live}}</ref>), the thief will only have the hash values, not the passwords. Passwords may still be retrieved by an attacker from the hashes, because most people choose passwords in predictable ways. Lists of common passwords are widely circulated, and many passwords are short enough that every possible combination can be tested if computing the hash does not take too much time.<ref name="2tECU">{{cite web | url=https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ | title=25-GPU cluster cracks every standard Windows password in <6 hours | date=2012-12-10 | first=Dan | last=Goodin | publisher=[[Ars Technica]] | access-date=2020-11-23 | archive-date=2020-11-21 | archive-url=https://web.archive.org/web/20201121132005/https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ | url-status=live }}</ref> The use of a [[Salt (cryptography)|cryptographic salt]] prevents some attacks, such as building files of precomputed hash values, e.g. [[rainbow table]]s.
But searches on the order of 100 billion tests per second are possible with high-end [[graphics processor]]s, making direct attacks possible even with salt.<ref name="28vy8">{{Cite web|url=https://www.theregister.co.uk/2019/02/14/password_length/|title=Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs|last=Claburn|first=Thomas|date=February 14, 2019|website=The Register|language=en|access-date=2020-11-26|archive-date=2020-04-25|archive-url=https://web.archive.org/web/20200425091602/https://www.theregister.co.uk/2019/02/14/password_length/|url-status=live}}</ref><ref name="TbJcd">{{cite web|url=https://improsec.com/tech-blog/mind-blowing-gpu-performance|title=Mind-blowing development in GPU performance |publisher=Improsec|date=January 3, 2020 |url-status=live |archive-url=https://web.archive.org/web/20230409171025/https://improsec.com/tech-blog/mind-blowing-gpu-performance |archive-date=April 9, 2023 }}</ref> The United States [[National Institute of Standards and Technology]] recommends storing passwords using special hashes called [[key derivation function]]s (KDFs) that have been created to slow brute force searches.<ref name="sp800-63B">{{cite book | title = SP 800-63B-3 - Digital Identity Guidelines, Authentication and Lifecycle Management | publisher = NIST | date = June 2017 | doi=10.6028/NIST.SP.800-63b | author=Grassi Paul A.}}</ref>{{rp|5.1.1.2}} Slow hashes include [[pbkdf2]], [[bcrypt]], [[scrypt]], [[argon2]], [[Balloon hashing|Balloon]] and some recent modes of [[crypt (C)|Unix crypt]]. For KDFs that perform multiple hashes to slow execution, NIST recommends an iteration count of 10,000 or more.<ref name="sp800-63B" />{{rp|5.1.1.2}}
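As an added illustration (not part of the article), the following Python, using only the standard library, shows the storage scheme the section describes: a random per-user salt, a deliberately slow KDF (PBKDF2-HMAC-SHA256 with an iteration count above NIST's 10,000 floor), and a constant-time comparison at login. The record format, the function names and the 600,000-iteration default are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: 16-byte random salt per user, 32-byte derived key, and an
# iteration count well above the 10,000 minimum the section cites from NIST.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a slow, salted hash and return a self-describing record:
    algorithm$iterations$salt_hex$hash_hex (format is an assumption)."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and parameters, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, minimum: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than now required;
    call after a successful login so the cost can be raised over time."""
    return int(record.split("$")[1]) < minimum


def unsalted_sha256(password: str) -> str:
    """The weak scheme the section warns about: fast and unsalted, so equal
    passwords give equal hashes and precomputed tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice, bob = hash_password("correct horse"), hash_password("correct horse")
    print("salted records differ:", alice != bob)          # True
    print("unsalted digests equal:",
          unsalted_sha256("correct horse") == unsalted_sha256("correct horse"))  # True
    print("login ok:", verify_password("correct horse", alice))   # True
```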