Making already hashed wordlists of all possible combinations



  • Let us imagine a situation where a company stores its user passwords (let's ignore salts, etc for now) using some hash (say sha256) and the company gets breached. All of the username and password details are now public. The passwords are hashed, thanks to the hashing algorithm.

    Now someone with ill intent gets their hands on that credential database. Looking at the hashes, they identify the hash. Now what they do is check the minimum required password length (from the user registration page) and create a new word list of all the possible passwords in that range in their hashed format. That is, they now have an equivalent wordlist but in an already hashed format.

    1. Is it totally pointless to create such a hashed wordlist?
    2. Would it help save time in cracking passwords in the long run?


  • There are a few points to consider here.

    1. When storing passwords yourself you should take a look at this cheat sheet to do it properly: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

    2. It is considered bad practice to just hash a password with SHA-256. SHA-256 is designed to be fast, that is not a property that is desired for a password hashing function. See the cheat sheet above for recommendations.

    3. When storing the hash of a password you usually want to add a salt to it. This is what prevents the attack that you are suggesting, so I don't see why you want to "ignore things like salt etc.". The salt for two different passwords is most likely different, therefore the attacker can only crack the passwords one by one as he needs to append the salt to the beginning of the password.

    So yes, if the passwords were not salted this could be done, at least in theory. It would be considered a "brute-force attack" and you would need a lot of computation time to get to the longer passwords; 8-character passwords should be cracked in no time though.