Because of programmers like myself, and other security enthusiasts, website admins are forced to store their users' passwords as hashes. What this means is that when a user registers a new account and types in a password, that password has to be stored somewhere, and it is usually stored in a hashed form as a last-ditch effort to thwart would-be attackers. So if someone does wind up getting hold of the password database, another layer of work still has to be done before the passwords can be recovered.
So, for example, say you signed up for a site using the username admin and the password "password". That password would be hashed using an algorithm such as SHA-256, and would turn into
A password cracker tries to guess which password produced a given hash: it iterates through a list of candidate passwords, hashes each one, and checks whether the result matches the target hash.
Say we find the password hash:
This is “dolphin4” hashed with SHA-256.
And we have our password list:
```
1 password
2 hacker123
3 tomatojuice
4 dolphin123
5 dolphin4
...
```
Parsing the List
Next, we write the Python to parse this password list. You can download a password list here.
Open the file with Python:
```python
f = open('passwords.txt')
```
Iterate through each line of the password file:
```python
for line in f:
```
Split the line on the space character so that the leading password number is not included, then strip the line ending:
```python
word = line.split(' ')[-1]
clean_word = word.strip()
```
These lines take each line of the password file and turn it into a clean string ready to be hashed.
Hashing the Passwords
Finally, we use the hashlib library that ships with every Python install. hashlib works on bytes, so the candidate is encoded before hashing:
```python
import hashlib
m = hashlib.sha256(clean_word.encode('utf-8')).hexdigest()
```
The code above takes each clean_word and hashes it with SHA-256.
Then it checks whether the SHA-256 hash of the candidate matches the target hash of "dolphin4". hexdigest() returns lowercase hex, so the target is kept in lowercase and the two are compared directly:
```python
if m == target_hash:
    print("Hash found: " + clean_word)
    break
else:
    print("trying: " + m)
```
Putting it all together
```python
import hashlib

# SHA-256 of "dolphin4" as lowercase hex. hexdigest() is lowercase too,
# so no case conversion is needed for the comparison.
target_hash = 'f8316c64124b33fa65cd20865a784604cad395a55657b33c411f5137ea77a535'

with open('passwords.txt') as f:
    for line in f:
        # Drop the leading line number and the trailing newline characters
        word = line.split(' ')[-1]
        clean_word = word.strip()
        if not clean_word:
            continue
        # hashlib needs bytes, so encode the candidate before hashing
        m = hashlib.sha256(clean_word.encode('utf-8')).hexdigest()
        if m == target_hash:
            print("Hash found: " + clean_word)
            break
        else:
            print("trying: " + m)
```
If any of the hashed passwords match the target hash, Python will notify you with the password.
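The reason this works so cheaply is that the site stored a plain, unsalted SHA-256: one hash per candidate, and one pass over the list covers every user at once. The example below is added here and is not code from the original post. It reimplements the post's check in Python 3 and then runs the same wordlist against records stored with salted, iterated PBKDF2-HMAC-SHA256, so the cost difference and its limits are visible. The wordlist is constructed inline in the post's "number word" layout, the user names and ITERATIONS value are assumptions for the demo, and hmac.compare_digest is used for the comparison so a real verifier does not leak timing information.

```python
import hashlib
import hmac
import os

# Constructed wordlist in the same layout as the post's passwords.txt
WORDLIST = """1 password
2 hacker123
3 tomatojuice
4 dolphin123
5 dolphin4
""".splitlines()

# Assumed work factor for the demo; production deployments tune this higher
ITERATIONS = 100_000


def parse_wordlist(lines):
    """Yield the password from each 'N password' line, skipping blank lines."""
    for line in lines:
        line = line.strip()
        if line:
            yield line.split(' ')[-1]


def sha256_hex(password):
    """Unsalted SHA-256 as the post's site stores it (lowercase hex)."""
    return hashlib.sha256(password.encode('utf-8')).hexdigest()


def dictionary_check_sha256(target_hex, lines):
    """The post's method: one SHA-256 per candidate, compared with the target.
    Returns (password, guesses) or (None, guesses)."""
    target = target_hex.lower()
    guesses = 0
    for candidate in parse_wordlist(lines):
        guesses += 1
        if hmac.compare_digest(sha256_hex(candidate), target):
            return candidate, guesses
    return None, guesses


def pbkdf2_store(password, salt=None):
    """Return the (salt, digest) record a server should keep instead of a bare hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password, salt, digest):
    """Recompute the record for a candidate and compare in constant time."""
    cand = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


# Hypothetical user records: two users share a weak password, one does not use the list
DEMO_RECORDS = {
    'alice': pbkdf2_store('dolphin4'),
    'bob': pbkdf2_store('dolphin4'),
    'carol': pbkdf2_store('correct-horse-battery'),
}


def dictionary_check_pbkdf2(records, lines):
    """Same wordlist against salted records. Each record needs its own pass
    (the salt prevents sharing work across users) and each guess costs
    ITERATIONS HMAC computations instead of one hash.
    Returns (user -> recovered password or None, number of PBKDF2 evaluations)."""
    words = list(parse_wordlist(lines))
    found = {}
    evaluations = 0
    for user, (salt, digest) in records.items():
        found[user] = None
        for candidate in words:
            evaluations += 1
            if pbkdf2_verify(candidate, salt, digest):
                found[user] = candidate
                break
    return found, evaluations


if __name__ == '__main__':
    pw, n = dictionary_check_sha256(sha256_hex('dolphin4'), WORDLIST)
    print(f"unsalted SHA-256: recovered {pw!r} after {n} hash computations")
    found, evals = dictionary_check_pbkdf2(DEMO_RECORDS, WORDLIST)
    print(f"salted PBKDF2: {found} after {evals} evaluations of {ITERATIONS} iterations each")
```

Two things to take from running it: the same wordlist still recovers "dolphin4" for alice and bob, because salting and stretching only raise the price per guess and never rescue a password that is in the attacker's list; but the salted records for the two users differ, so every user must be attacked separately, and each guess now costs ITERATIONS HMAC computations instead of a single SHA-256.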