Information Security Stack Exchange is a question and answer site for information security professionals. It only takes a minute to sign up.
Sign up to join this community
Anybody can ask a question
Anybody can answer
The best answers are voted up and rise to the top
So let us imagine a situation where a company (say xyz) stores its user passwords(let’s ignore salts, etc for now) in some hash (say sha256) and xyz gets breached. All of the username and password details are now public. The passwords are hashed, thanks to the hashing algorithm. Now someone with ill intent gets their hands on that username password wordlist. Looking at the hashes, they identify the hash. Now what they do is check the minimum required password length (from the user registration page) and create a new word list of all the possible passwords in that range in their hashed format. That is, they now have an equivalent wordlist but in an already hashed format.
- Is it totally pointless to create such a hashed wordlist?
- Would it help saving time in cracking passwords in the long run?
There are a few pointy to consider here.
When storing passwords yourself you should take a look at this cheat sheet to do it properly: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
It is considered bad practice to just hash a password with SHA-256. SHA-256 is designed to be fast, that is not a property that is desired for a password hashing function. See the cheat sheet above for recommendations.
When storing the hash of a password you usually want to add a salt to. This is what prevents the attack that you are suggesting, so I don’t see why you want to “ignore shings like salt etc.”. The salt for two different passwords is most likely different, therefore the attacker can only crack the passwords one by one as he needs to append the salt to the beginning of the password.
So yes, if the passwords were not salted this could be done, at least in theory. It would be considered a “brute-force-attack” and you would need a lot of computation time to get to the longer passwords, 8 character passwords should be cracked in no time though.