Password Security: How to make "password" a Secure Password from even the best Supercomputers

kryzsec (59)in #password • 6 years ago

Too often I see a lot of solutions to making passwords more secure involving adding random characters or using a series of multiple words and having it be obscure to the point that it becomes difficult to remember but being more computer literate I had come up with a different method of making passwords for accounts that I cared about.. and with it you can use a password as simple to remember as "password" and it can be deemed strong and secure, even by experts.

Screenshot from HSIMP

Then why does it say it would be racked instantly?

Look this is going to seem strange at first but there is going to be one step before we enter our password into a website, and that is to take a detour and hash it first. But what is a hash? Okay I know most people reading this are not going to need an explanation of what a hashing algorithm is but just in case I will explain a basic definition of a hash. A hashing algorithm is a mathematical remapping of information that can work in one direction, ideally it cannot be reversed but given enough computational power, well... So why would we hash it first, well I will show you.

Screenshot from

Now for this you may realize that this password used isn't "password" but rather "facebook_password", or in otherwords you can easily create a unique passworrd for every website by taking the site name and adding "_password" to it before hashing making an easy to remember and unique hash for each of these websites. I mean, I know its hard to see, but "facebook_password" became 75A9838960CB66A9647B4EEC2FDD912B10E7A071A2D1242B70C0494D9DA5AD5C which using the How Secure Is My Password you can see will deem this easy to generate password as very secure.

Now if you are someone that knows anything about this you will immediately come over and say something like "But this could be something easily implemented into any password cracking software making these passwords weak." which is where I bring p this list here as people could use any of these or even, if they knew any programming, work to build a variation of one of these that works differently slightly as to produce a slightly different hash. Yes, this is a method that will benefit those with a little more computer literacy but a lot of the people that are computer literate enough to do this also use bad passwords all of the time so at least this will provide an extra layer of obscurity against attack. I mean if they have to check each password 30+ times (29 of which are hashing it with different hashing algorithms before hashing for the final time) then we are looking at a vast increase in time in order to actually crack entire password lists, not to mention that this method can be used in conjunction with other methods adding obscurity with random characters or using multiple words or something. For instance you could make your password: "measure833681seerestthe24squarebetter22whilehundred" hashes to "528AFFB1B9275FFB10B24AEDC64C993395EC9289F87EAD6501E3F577E934C001"

By the way, these passwords have 247.2 bits meaning it will take 2^247.2 guesses and assuming it could produce around 1,000,000 guesses (hashes) per second then you would be waiting around 8*10⁶⁰ years for it to be guessed, roughly.

References: