Brute force attack on a hashed password

  • Question

  • User-2126925375 posted

    Hi, I'm trying to use a brute force attack to get the password of a hashed password in my app. The SQL Server is local. I have removed restrictions on maxinvalid attempts and have increased the timeout to a large value. The problem is that, say, an hour into the process IE gives a "Page cannot be found" error (the type you get when the internet is not working) and doesn't complete the process. The password length is 10. What could be the matter? Any help would be appreciated.

    Friday, October 16, 2009 1:28 PM


All replies

  • User-25801601 posted

    Unfortunately, hashed passwords cannot be retrieved in clear text... well, unfortunate for you anyways. Hashed passwords aren't meant to be retrieved.

    You need to change the Password Format to Clear or Encrypted and use encryption/decryption to retrieve passwords.

    Friday, October 16, 2009 3:10 PM
  • User-2126925375 posted

    I know that, Josh. You didn't understand my post correctly. I am using an aspx page to log in to my app where I supply the username and password (every possible combination for a 1-10 character password, e.g. A...AA....AB...AAA...AAB....AAC etc.). I check to see if validation was successful (Membership.ValidateUser(Username, Password)). If so, I redirect to a page to display the password.

    The problem is that the process doesn't run through completely. It just crashes after about an hour of trying. It gives a "Page cannot be displayed" error. Any clues?

    Friday, October 16, 2009 3:36 PM
  • User863160722 posted

    Assuming you're using the default SHA1 hash algorithm, you might be able to build a computer which could crack one password in 56 hours - if you're willing to spend around $25M. Otherwise, you can't recover a hashed password.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 19, 2009 12:01 PM