0

Does a cracker need to know the number of iterations a hashing algorithm uses to compute a hash?

If they don't know it, how do they figure it out? How much longer does it take to figure it out, than if they didn't know?

I can only guess that they try a number of the most common passwords, and try it with different iterations, and see what amount of iterations returns the most correct passwords. Would this even work though?

TruthOf42
  • 762

2 Answers

4

The usual attack models assume that the attacker knows the exact algorithm used and the only unknown is (in the case of hashing-to-hide-plaintexts) the plaintext. In short, the enemy already knows the system.

Sometimes this gives the attacker too much credit, but that's better than underestimating them. Since password hashes are typically retrieved by breaking into a production server, it's likely that the application source code (which includes a full specification of the hashing procedure used) was grabbed at the same time. In other cases, the source code is open to begin with.

Robert Harvey
  • 199,517
  • Even if the source code wasn't grabbed, the algorithm and iterations used to create a password hash will often be saved together with it in the database - this makes it easy to change hashing strategy without immediately recalculating all hashes. – Jacob Raihle Jul 12 '19 at 07:16
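As an added illustration of the point made in the answer and in Jacob Raihle's comment (this is example code written for this page, not code from the original thread): a self-describing password-hash string, in the style of the modular crypt format, in which the algorithm name, iteration count and salt are stored next to the digest. Whoever holds the stored string, the legitimate verifier or an attacker who dumped the database, reads the cost parameters directly instead of guessing them; the design therefore relies only on the work factor and the password's entropy, and lets the application raise the iteration count over time. The format, the `DEFAULT_ITERATIONS` value and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical storage format (assumption of this example):
#   $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 digest>
# '$' never appears in standard base64 output, so splitting on it is safe.
ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000  # example work factor; tune for your hardware
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 digest and pack it with its parameters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["", ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def parse_hash(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Recover (algorithm, iterations, salt, digest) from a stored string.

    Everything needed to recompute the hash is right here; the only
    secret left is the password itself."""
    _, algorithm, iterations, salt, digest = stored.split("$")
    return algorithm, int(iterations), _unb64(salt), _unb64(digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    algorithm, iterations, salt, expected = parse_hash(stored)
    if algorithm != ALGORITHM:
        return False  # unknown scheme: refuse rather than guess
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored hash uses fewer iterations than current policy.

    Because the parameters travel with the hash, old entries can be
    upgraded lazily at the user's next successful login."""
    algorithm, iterations, _, _ = parse_hash(stored)
    return algorithm != ALGORITHM or iterations < target_iterations


if __name__ == "__main__":
    # Constructed sample: a low iteration count standing in for a legacy entry.
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    print("stored:", legacy)
    print("login ok:", verify_password("correct horse battery staple", legacy))
    print("wrong pw:", verify_password("Tr0ub4dor&3", legacy))
    if needs_rehash(legacy):
        print("upgrading to", DEFAULT_ITERATIONS, "iterations")
        print("new:", hash_password("correct horse battery staple"))
```

Storing the iteration count alongside the hash does not weaken anything: the attacker is assumed to know the algorithm anyway, and the only thing the count tells them is how expensive each guess will be.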
-4

Unless you implement the hashing algorithm on the server side, and use some non-standard algorithm, everything about the hashing algorithm is known to the hacker. If implemented on the client side, it can be reverse engineered, even if you use a non-standard algorithm or obfuscate a standard algorithm.

  • 5
    A non-standard algorithm implemented on the server does not hinder an attacker. That belief is security through obscurity and the reasons it's bad are too numerous to list in a single answer let alone comment. –  Feb 07 '14 at 21:39
  • 2
    One of the most fundamental concepts behind security is to use algorithms that are just as effective even if they are known to the attacker. – user16764 Feb 07 '14 at 22:24