How to Crack SHA1 password hashes – online Crackstation – Visual guide
If you have a SHA1 hash, then you can use Crackstation online to crack the password. Let me show you password cracking for real.
Step 1 – Calculate a SHA1 hash
Use the miracle salad website, to calculate your SHA1 hash
Enter “password” and the site will calculate the SHA1 hash.
Step 2 – Copy the hash
Step 3 – Crackstation online – Free Password Hash Cracker
Paste the hash into Crackstation online and enter the Captcha
The green colour shows the hash was instantly decrypted. This is why “password” and easy passwords such as “12356” are so dangerous.
Crackstation allows you to download their wordlist. Be warned, the file sizes involved are loarge.
Step 4 – Download Crackstation dictionaries
CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. If the hash is present in the database, the password can be recovered in a fraction of a second. This only works for “unsalted” hashes. For information on password hashing systems that are not vulnerable to pre-computed lookup tables, see our hashing security page.
Crackstation’s lookup tables were created by extracting every word from the Wikipedia databases and adding with every password list we could find. We also applied intelligent word mangling (brute force hybrid) to our wordlists to make them much more effective. For MD5 and SHA1 hashes, we have a 190GB, 15-billion-entry lookup table, and for other hashes, we have a 19GB 1.5-billion-entry lookup table.
As you can see, cracking password hashes is like a game of snap. The hash is “looked up” and the plain text password is returned to you.
CrackStation’s Password Cracking Dictionary
I am releasing CrackStation’s main password cracking dictionary (1,493,677,782 words, 15GB) for download.
What’s in the list?
The list contains every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.
The format of the list is a standard text file sorted in non-case-sensitive alphabetical order. Lines are separated with a newline “\n” character.
You can test the list without downloading it by giving SHA256 hashes to the free hash cracker or to @PlzCrack on twitter. Here’s a tool for computing hashes easily. Here are the results of cracking LinkedIn’s and eHarmony’s password hash leaks with the list.
The list is responsible for cracking about 30% of all hashes given to CrackStation’s free hash cracker, but that figure should be taken with a grain of salt because some people try hashes of really weak passwords just to test the service, and others try to crack their hashes with other online hash crackers before finding CrackStation. Using the list, we were able to crack 49.98% of one customer’s set of 373,000 human password hashes to motivate their move to a better salting scheme.
What hash algorithm should I use?
- Well-designed key stretching algorithms such as PBKDF2, bcrypt, and scrypt.
- OpenWall’s Portable PHP password hashing framework
- My implementations of PBKDF2 in PHP, C#, Java, and Ruby.
- Secure versions of crypt ($2y$, $5$, $6$)
DO NOT use:
- Fast cryptographic hash functions such as MD5, SHA1, SHA256, SHA512, RipeMD, WHIRLPOOL, SHA3, etc.
- Insecure versions of crypt ($1$, $2$, $2x$, $3$).
- Any algorithm that you designed yourself. Only use technology that is in the public domain and has been well-tested by experienced cryptographers.
Even though there are no cryptographic attacks on MD5 or SHA1 that make their hashes easier to crack, they are old and are widely considered (somewhat incorrectly) to be inadequate for password storage. So I don’t recommend using them. An exception to this rule is PBKDF2, which is frequently implemented using SHA1 as the underlying hash function.