Editing Password cracking (section)

==Prevention==
One method of preventing a password from being cracked is to ensure that attackers cannot get access even to the hashed password. For example, on the [[Unix]] [[operating system]], hashed passwords were originally stored in a publicly accessible file <code>/etc/passwd</code>. On modern Unix (and similar) systems, on the other hand, they are stored in the [[shadow password]] file <code>/etc/shadow</code>, which is accessible only to programs running with enhanced privileges (i.e., "system" privileges). This makes it harder for a malicious user to obtain the hashed passwords in the first instance, however many collections of password hashes have been stolen despite such protection.  And some common network protocols transmit passwords in cleartext or use weak challenge/response schemes.<ref>{{cite journal |title=No Plaintext Passwords |journal=Login |date=November 2001 |volume=26 |issue=7 |pages=83–91 |author=Singer, Abe |url=https://www.usenix.org/system/files/login/issues/login_nov_2001.pdf |url-status=live |archive-url=https://web.archive.org/web/20060924002626/http://www.usenix.org/publications/login/2001-11/pdfs/singer.pdf |archive-date=September 24, 2006}}</ref><ref>{{cite web |url=https://www.schneier.com/academic/archives/1998/11/cryptanalysis_of_mic.html |title=Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol |website=Schneier.com |date=July 7, 2011 |accessdate=January 31, 2013}}</ref>

The use of [[salt (cryptography)|salt]], a random value unique to each password that is incorporated in the hashing, prevents multiple hashes from being attacked simultaneously and also prevents the creation of pre-computed dictionaries such as [[rainbow table]]s.

Another approach is to combine a site-specific secret key with the password hash, which prevents plaintext password recovery even if the hashed values are purloined. However [[privilege escalation]] attacks that can steal protected hash files may also expose the site secret. A third approach is to use [[key derivation function]]s that reduce the rate at which passwords can be guessed.<ref>{{cite journal |title=SP 800-63B-3 – Digital Identity Guidelines: Authentication and Lifecycle Management |publisher=NIST |date=June 2017 |last=Grassi |first=Paul A |doi=10.6028/NIST.SP.800-63b |doi-access=free |url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf}}</ref>{{rp|5.1.1.2}}

Modern Unix Systems have replaced the traditional [[Data Encryption Standard|DES]]-based password hashing function [[Crypt (C)|crypt()]] with stronger methods such as [[crypt (C)|crypt-SHA]], [[bcrypt]], and [[scrypt]].<ref>[http://www.usenix.org/events/usenix99/provos.html A Future-Adaptable Password Scheme]. Usenix.org (March 13, 2002). Retrieved on January 31, 2013.</ref> Other systems have also begun to adopt these methods. For instance, the Cisco IOS originally used a reversible [[Vigenère cipher]] to encrypt passwords, but now uses md5-crypt with a 24-bit salt when the "enable secret" command is used.<ref>[http://c3rb3r.openwall.net/mdcrack/download/FAQ-18.txt MDCrack FAQ 1.8]. None. Retrieved on January 31, 2013.</ref> These newer methods use large salt values which prevent attackers from efficiently mounting offline attacks against multiple user accounts simultaneously. The algorithms are also much slower to execute which drastically increases the time required to mount a successful offline attack.<ref name="usenix.org">[http://www.usenix.org/publications/login/2004-06/pdfs/alexander.pdf Password Protection for Modern Operating Systems]. Usenix.org. Retrieved on January 31, 2013.</ref>

Many hashes used for storing passwords, such as [[MD5]] and the [[Secure Hash Algorithm (disambiguation)|SHA]] family, are designed for fast computation with low memory requirements and efficient implementation in hardware. Multiple instances of these algorithms can be run in parallel on [[graphics processing unit]]s (GPUs), speeding cracking. As a result, fast hashes are ineffective in preventing password cracking, even with salt. Some [[key stretching]] algorithms, such as [[PBKDF2]] and [[crypt (C)|crypt-SHA]] iteratively calculate password hashes and can significantly reduce the rate at which passwords can be tested, if the iteration count is high enough. Other algorithms, such as [[scrypt]] are [[memory-hard function|memory-hard]], meaning they require relatively large amounts of memory in addition to time-consuming computation and are thus more difficult to crack using GPUs and custom integrated circuits.

In 2013 a long-term [[Password Hashing Competition]] was announced to choose a new, standard algorithm for password hashing,<ref>{{cite web |title=Password Hashing Competition |url=https://www.password-hashing.net/cfh.html |access-date=March 3, 2013 |url-status=dead |archive-url=https://web.archive.org/web/20130902044128/https://password-hashing.net/call.html |archive-date=September 2, 2013}}</ref> with [[Argon2]] chosen as the winner in 2015. Another algorithm, [[Balloon hashing|Balloon]], is recommended by [[National Institute of Standards and Technology|NIST]].<ref>{{cite web |url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf |title=NIST SP800-63B Section 5.1.1.2 |website=nvlpubs.nist.gov}}</ref> Both algorithms are memory-hard.

Solutions like a [[security token]] give a {{Clarify | text = [[formal proof]] answer| date = June 2024 | reason = Unclear what this means.  Details not in the security token article either.}} by constantly shifting password. Those solutions abruptly reduce the timeframe available for [[brute-force attack|brute forcing]] (the attacker needs to break and use the password within a single shift) and they reduce the value of the stolen passwords because of its short time validity.