Fast Hashing Passwords
It's important to hash passwords before storing them, but using a cryptographic hash function directly isn't sufficient even if salt is included. Salt is intended to make it so that an attacker can't use a table of precomputed hashes of common passwords, but if your hash scheme itself is very fast to compute (as raw cryptographic hash functions are), an attacker won't need a precomputed table, as doing the computation live will be reasonable.
To demonstrate how fast cryptographic hash functions are on passwords, hash every password in the rockyou list of common passwords (14,344,391 passwords total), with sha256. Submit the password with the lowest hash value concatenated to the end of the password with the highest hash value.
Test VectorIf we take the first 10 lines of the rockyou password file
123456 12345 123456789 password iloveyou princess 1234567 rockyou 12345678 abc123And compute their sha256 hashes
123456 -> 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92 12345 -> 5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5 123456789 -> 15e2b0d3c33891ebb0f1ef609ec419420c20e320ce94c65fbc8c3312448eb225 password -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 iloveyou -> e4ad93ca07acb8d908a3aa41e920ea4f4ef4f26e7f86cf8291c5db289780a5ae princess -> 04e77bf8f95cb3e1a36a59d1e93857c411930db646b46c218a0352e432023cf2 1234567 -> 8bb0cf6eb9b17d0f7d22b456f121257dc1254e1f01665370476383ea776df414 rockyou -> 4980b1f29fa32ff18c95d0ed931fd48e1ad43a729251d6eddb3cece705ed4d05 12345678 -> ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f abc123 -> 6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090We can see that the password with the largest and smallest hashes are
12345678 -> ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f princess -> 04e77bf8f95cb3e1a36a59d1e93857c411930db646b46c218a0352e432023cf2so the answer would be