Fast Hashing Passwords

Cryptographic hash functions shouldn't be used to hash passwords directly

Discuss The Problem

It's important to hash passwords before storing them, but using a cryptographic hash function directly isn't sufficient even if salt is included. Salt is intended to make it so that an attacker can't use a table of precomputed hashes of common passwords, but if your hash scheme itself is very fast to compute (as raw cryptographic hash functions are), an attacker won't need a precomputed table, as doing the computation live will be reasonable.

To demonstrate how fast cryptographic hash functions are on passwords, hash every password in the rockyou list of common passwords (14,344,391 passwords total), with sha256. Submit the password with the lowest hash value concatenated to the end of the password with the highest hash value.

Test Vector

If we take the first 10 lines of the rockyou password file
And compute their sha256 hashes
123456 -> 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
12345 -> 5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
123456789 -> 15e2b0d3c33891ebb0f1ef609ec419420c20e320ce94c65fbc8c3312448eb225
password -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
iloveyou -> e4ad93ca07acb8d908a3aa41e920ea4f4ef4f26e7f86cf8291c5db289780a5ae
princess -> 04e77bf8f95cb3e1a36a59d1e93857c411930db646b46c218a0352e432023cf2
1234567 -> 8bb0cf6eb9b17d0f7d22b456f121257dc1254e1f01665370476383ea776df414
rockyou -> 4980b1f29fa32ff18c95d0ed931fd48e1ad43a729251d6eddb3cece705ed4d05
12345678 -> ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f
abc123 -> 6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090
We can see that the password with the largest and smallest hashes are
12345678 -> ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f
princess -> 04e77bf8f95cb3e1a36a59d1e93857c411930db646b46c218a0352e432023cf2
so the answer would be 12345678princess