Hashcat vs. Phpass

I just opened my blog here. As a starter I serve some hot and spicy binaries. Since the end of the last year (christmas eve to be precise) hashcat went public. It is an advanced password recovery software and supports the older and the current wordpress hashing algorithm called Phpass.

I first came in touch with Phpass hashing in a ticket some month ago. Phpass has been developed by Solar Designer creator of the Openwall Project and maybe more important in this case a password cracker named John the Ripper.

WordPress switched to Phpass in version 2.5. It was reported since version 2.0 that storing passwords only as md5($pass) is much way too easy to protect those properly. Phpass therefore does not only salting but is portable as well.  So finally in december 2007 per  changeset 6396 Phpass went in.

Video by iXpLiZiT

What’s the deal? How does Phpass affects password protecting then? Simple answer: it adds a salt to the hash. And it does not only add it once but many, many, many times. The difference is enormous, that algorithm is quite expensive in fact. This results in much more processing operations if you want to recover passwords from hashes. It is so expensive in CPU usage that  other projects like phpbb did actually choose a smaller iteration count on hash generation. And I had the idea to just develop a DOS attack on wordpress by triggering hash generation over and over again which really must load up a lot. Until today I have not made up my mind further about it, but this might be something to consider to find out if there is need for a hardening.

Anyway since that date password hashing has become much more secure with wordpress. You can give the hashcat a testdrive and test against both md5 and phpass to actually feel the difference.  It ships as binary for Linux and Windows or as a Windows GUI (Wine supported), free.

And the best tip for your password: Get a random one that’s long enough, not below 10 characters. It’s actually better to  consider 24 characters for your password length or even more.

This entry was posted in Hacking The Core, Tools and tagged , , , , , . Bookmark the permalink.

1 Response to Hashcat vs. Phpass

  1. Pingback: Zajímavé články o WordPressu (v angličtině) « Fórum podpory WordPressu

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.