What is a Hashed Password?
Passwords are most often stored either in plaintext or as a hashed value, in a file system or in a database. If your password was “password” and it was stored as just “password”, this would be an example of your password stored in its plaintext form.
So if you could extract the password list from your victim and the passwords were stored in their plaintext form, then you have no need to crack anything because you already know the passwords. Da tu du! But if you extracted the list of passwords or dumped the database of passwords, and they were stored in their hashed values, then it’s cracking time! But before we go any further, let’s look at the basics.
A hashed password is the password after it has gone through a one-way mathematical process, or algorithm, producing a completely different string. So let’s say your password is “password” and you run it through the MD5 algorithm, one of the many cryptographic hash functions out there. Your final outcome will be 5f4dcc3b5aa765d61d8327deb882cf99.
There is now no possible way of changing that back to the word “password”. The only way to reproduce that hash is either to know the word and run it through the same hash function, or to try to crack it, which is essentially the same thing.
The Login Process
Before you even go to log in to one of your many password/username protected websites, you must first create your login details. So what happens when you create your login details and hit submit?
It’s pretty simple. Most websites run your password through a cryptographic hash function like the one mentioned above and then store it in a database. Here is an example of how a PHP script would hash your password before it stores it in a database.
In the above PHP line, the script takes the password you submitted via $_POST and runs it through the MD5() cryptographic hash function, which transforms the submitted password into its MD5 hash value. Then the hash is stored in the variable $Password, which is later stored in the database.
Now that you have your login details created, next time you go to log in, the PHP script will take the password you submitted, run it through the hash function, and compare it to the hash stored in the database. If the two hashes match, it means that the password submitted is the same password stored in the user database, so the website will log you in. Here’s an example in pseudo-code.
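The registration and login flow described above, written out in PHP as an added example (not code from the original post). The function names, the in-memory array standing in for the user database, and the sample accounts are assumptions; the second pair of functions shows PHP's built-in password_hash() and password_verify() as the salted alternative to a bare MD5() call.

```php
<?php
// Added illustration. An array stands in for the user database, and the
// passwords are passed as arguments instead of being read from $_POST.
// All function names and sample accounts here are hypothetical.

// Registration as the article describes it: store the unsalted MD5 hash.
function register_md5(array &$db, string $user, string $password): void {
    $db[$user] = md5($password);
}

// Login as the article describes it: hash the submitted password and
// compare it with the stored hash.
function login_md5(array $db, string $user, string $password): bool {
    if (!isset($db[$user])) {
        return false;
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($db[$user], md5($password));
}

// Hardened registration: password_hash() generates a random salt per
// password and uses a deliberately slow algorithm.
function register_safe(array &$db, string $user, string $password): void {
    $db[$user] = password_hash($password, PASSWORD_DEFAULT);
}

// Hardened login: password_verify() reads the salt and cost from the
// stored value and re-computes the hash for comparison.
function login_safe(array $db, string $user, string $password): bool {
    return isset($db[$user]) && password_verify($password, $db[$user]);
}

// Constructed sample data: two users who picked the same password.
$md5Users = [];
register_md5($md5Users, 'alice', 'password');
register_md5($md5Users, 'bob', 'password');
echo "alice (MD5): ", $md5Users['alice'], PHP_EOL;
echo "MD5 hashes identical: ", var_export($md5Users['alice'] === $md5Users['bob'], true), PHP_EOL;
echo "MD5 login, right password: ", var_export(login_md5($md5Users, 'alice', 'password'), true), PHP_EOL;
echo "MD5 login, wrong password: ", var_export(login_md5($md5Users, 'alice', 'Password'), true), PHP_EOL;

$safeUsers = [];
register_safe($safeUsers, 'alice', 'password');
register_safe($safeUsers, 'bob', 'password');
echo "Salted hashes identical: ", var_export($safeUsers['alice'] === $safeUsers['bob'], true), PHP_EOL;
echo "Salted login, right password: ", var_export(login_safe($safeUsers, 'alice', 'password'), true), PHP_EOL;
```

Running it with the PHP CLI shows why a dumped table of unsalted MD5 values is weaker than one produced by password_hash(): equal passwords are visible as equal hashes in the first table and not in the second.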