
Subject: Password Security Measures and Enhancements

I recently conducted an assessment of our organization’s password security measures and here are the
findings and enhancements that I would like to share with you.
1. Hashing algorithm used
• The hashes in the dump file are 32-character hexadecimal values, i.e. 128-bit digests. That is the output size of MD5 (Message-Digest Algorithm 5), which is the usual source of such hashes; other 128-bit formats such as NTLM look the same, so the type should be confirmed by a successful crack in MD5 mode rather than by length alone.
2. Level of protection
• MD5 offers a low level of protection for stored passwords. It is a fast, unsalted digest, so tools such as hashcat can test enormous numbers of candidates per second, which makes the hashes highly susceptible to brute-force and dictionary attacks. I used a brute-force attack, and 5-6 character passwords were cracked within an hour. Note that the hash is not reversed: the attacker guesses candidate passwords, hashes each one and compares, and a match reveals the original password.
• Longer passwords take comparatively more time to crack (the estimated time for a 7-character password is 13 hours, 41 minutes), but they can still be cracked within a day.
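To make the assessment reproducible, here is an added example in Python (not part of the original memo) that identifies the 32-hex format in a constructed dump and then recovers the plaintexts the way hashcat does: a wordlist pass followed by an exhaustive search over a small alphabet. The dump contents, the wordlist and the 1e9 hashes/second rate used in the time estimate are assumptions for illustration, not figures from the assessment.

```python
import hashlib
import itertools
import re
import string

# Constructed sample in the dump-file format: unsalted MD5 hex digests.
# The plaintexts are chosen here so the example is self-contained; this is
# not data from the assessment.
_SAMPLE_PLAINTEXTS = {"user0": "abc", "user1": "qwer", "user2": "hunter2"}
SAMPLE_DUMP = {user: hashlib.md5(pw.encode()).hexdigest()
               for user, pw in _SAMPLE_PLAINTEXTS.items()}

# 32 hex characters = 128-bit digest. Consistent with MD5, but NTLM/MD4 look
# identical, so treat this as a candidate type, confirmed when a crack succeeds.
_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def looks_like_md5(digest: str) -> bool:
    return bool(_HEX32.match(digest))


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


def dictionary_attack(targets, wordlist):
    """One hash per word; with no salt, every target is checked at once."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {h: lookup[h] for h in targets if h in lookup}


def brute_force(targets, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaustive search over alphabet^1 .. alphabet^max_len (a mask attack)."""
    remaining = set(targets)
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if not remaining:
                return found
            candidate = "".join(chars)
            digest = md5_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found


# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def crack_dump(dump, wordlist=WORDLIST, alphabet=string.ascii_lowercase, max_len=4):
    """Return {user: plaintext} for every hash recovered by wordlist, then brute force."""
    targets = {h for h in dump.values() if looks_like_md5(h)}
    cracked = dictionary_attack(targets, wordlist)
    cracked.update(brute_force(targets - set(cracked), alphabet, max_len))
    return {user: cracked[h] for user, h in dump.items() if h in cracked}


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate of exactly `length` characters.
    hashes_per_second is an assumed rate for the attacker's hardware."""
    return keyspace(alphabet_size, length) / hashes_per_second / 3600


if __name__ == "__main__":
    print(crack_dump(SAMPLE_DUMP))
    # 95 printable ASCII characters, length 7, at an assumed 1e9 MD5/s
    print(f"{hours_to_exhaust(95, 7, 1e9):.1f} hours")
```

The point to notice is in `brute_force`: because the hashes carry no salt, each candidate is hashed once and compared against every remaining target, so the cost of attacking the whole dump is the same as attacking one account. The equivalent hashcat invocation for the lowercase pass is `hashcat -m 0 -a 3 dump.txt ?l?l?l?l` (mode 0 is MD5, `-a 3` is the mask attack).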
3. Controls to make cracking harder for an attacker
• Replace MD5 with a purpose-built password hashing algorithm such as Argon2 (bcrypt and scrypt are comparable choices). A general-purpose hash such as SHA-256 is a much smaller improvement on its own, because it is just as fast to compute as MD5; Argon2's configurable time and memory cost makes every guess expensive for the attacker.
• Salted hashing adds a unique random value (the salt) to each password before hashing. Because identical passwords then produce different hashes, precomputed tables cannot be used and each hash must be attacked separately, which significantly increases password security.
• Enforce a strong password policy so that users create strong passwords: a minimum length of 8 characters and a combination of lowercase letters, uppercase letters, digits and special characters.
• Multi-factor authentication adds an additional layer of security beyond passwords, so a cracked password alone is not enough to log in.
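An added example, not from the memo, showing the first two controls side by side in Python: the unsalted MD5 scheme found in the dump beside a salted, memory-hard scheme. It uses scrypt from the standard library as a stand-in for Argon2 (Argon2id needs the third-party argon2-cffi package, where `argon2.PasswordHasher().hash()` does the same job); the storage string format and the `md5+` prefix used to migrate existing hashes in place are assumptions of this example, not any standard.

```python
import hashlib
import hmac
import os

# scrypt parameters standing in for Argon2: about 16 MiB of memory per guess,
# so an attacker cannot test billions of candidates per second as with MD5.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def store_md5(password: str) -> str:
    """The weak scheme found in the dump: unsalted, fast, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt=None) -> str:
    """Salted, memory-hard hash. Record format (assumed for this example):
    scrypt$<n>$<r>$<p>$<salt hex>$<digest hex>, with a fresh 16-byte salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_legacy_md5(md5_hex: str) -> str:
    """Wrap an existing MD5 digest in the salted scheme immediately, without waiting
    for the user's next login: the stored value becomes scrypt(md5(password)).
    The 'md5+' marker (an assumption here) tells verify() to MD5 the input first."""
    return "md5+" + store_salted(md5_hex)


def verify(password: str, stored: str) -> bool:
    if stored.startswith("md5+"):
        return verify_salted(store_md5(password), stored[len("md5+"):])
    return verify_salted(password, stored)


def demo():
    """Two constructed users with the same password: MD5 reveals it, the salted scheme does not."""
    users = {"alice": "Summer2023", "bob": "Summer2023"}
    md5_same = store_md5(users["alice"]) == store_md5(users["bob"])
    salted_same = store_salted(users["alice"]) == store_salted(users["bob"])
    return md5_same, salted_same


def roundtrip(password: str, wrong: str):
    stored = store_salted(password)
    return verify(password, stored), verify(wrong, stored)


def roundtrip_migrated(password: str, wrong: str):
    stored = migrate_legacy_md5(store_md5(password))
    return verify(password, stored), verify(wrong, stored)


if __name__ == "__main__":
    print(demo())                                      # (True, False)
    print(roundtrip("Summer2023", "summer2023"))       # (True, False)
    print(roundtrip_migrated("Summer2023", "summer2023"))
```

The migration wrapper matters in practice: after a leak you cannot wait for every user to log in before their hash is protected, and wrapping the MD5 value in the salted scheme means the existing dump format is never stored again. Once a user authenticates against a wrapped record, the record can be replaced with a direct `store_salted` of the password.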
4. Password Policy of the organization
• The hashes in the dump file, once cracked, all correspond to passwords longer than 4 characters, i.e. the minimum password length in force is 5 characters.
• The passwords contain alphanumeric as well as special characters, which shows that the organization's password policy allows a broad character set, including lowercase letters, uppercase letters, digits and special characters.
• Some passwords consist only of lowercase letters or only of digits, while others contain uppercase and special characters too. This indicates that no composition requirement is enforced: the policy permits these characters but does not require them.
5. Proposed Enhancements
• Increase the minimum password length to at least 10 characters.
• Require complex passwords containing a mix of uppercase letters, lowercase letters, digits and special characters.
• Require users to change their passwords regularly to limit the impact of a password database leak, and force a reset of all affected accounts as soon as a leak is confirmed. Also ensure that users cannot reuse previously used passwords.
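For sections 4 and 5 together, an added Python example (not part of the memo) that infers the policy in force from a constructed list of cracked plaintexts and then checks candidate passwords against the proposed policy. The sample passwords, the helper names and the plaintext password history are assumptions for illustration.

```python
import string

# Constructed stand-in for the plaintexts recovered from the dump (not the real ones).
SAMPLE_CRACKED = ["abcde", "123456", "letmein", "Passw0rd!", "Summer2023"]

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def char_classes(password: str) -> set:
    """Which of the four character classes a password actually uses."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def infer_policy(cracked) -> dict:
    """What the recovered plaintexts imply about the policy that was in force:
    the shortest password bounds the minimum length, the union of classes shows what
    is permitted, and complexity was enforced only if every password uses all four."""
    class_sets = [char_classes(p) for p in cracked]
    return {
        "min_length": min(len(p) for p in cracked),
        "classes_seen": set().union(*class_sets),
        "complexity_enforced": all(len(s) == 4 for s in class_sets),
    }


def check_proposed(password: str, previous=(), min_length=10) -> list:
    """Violations of the proposed policy; an empty list means the password is acceptable.
    `previous` holds the user's earlier passwords. A real system keeps only their salted
    hashes and verifies the candidate against each; plaintext here keeps the example short."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    missing = set(CLASSES) - char_classes(password)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if password in previous:
        problems.append("reused a previous password")
    return problems


def still_allowed(cracked, min_length=10) -> list:
    """Which of the cracked passwords the proposed policy would still have accepted."""
    return [p for p in cracked if not check_proposed(p, min_length=min_length)]


if __name__ == "__main__":
    print(infer_policy(SAMPLE_CRACKED))
    print(check_proposed("Passw0rd!"))
    print(still_allowed(SAMPLE_CRACKED))
```

Running `still_allowed` over the recovered plaintexts is the quickest way to show management what the proposal buys: every one of the sample passwords would have been rejected under the new rules.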
I believe implementing these enhancements will significantly reduce the risk of unauthorized access in the event of a database leak.
Best regards
Himani
