Modern Password Cryptanalysis: How Unique Salts and Slowdown Algorithms Protect Data in the Age of Attacks and Bitcoin

Hash functions and modern methods of secure password storage: aspects of cryptanalysis

In digital systems, ensuring authentication security is closely related to the correct organization of storing user passwords. Cryptanalysis of passwords allows you to detect vulnerabilities in approaches and select optimal protection strategies, applicable, among other things, in cryptocurrency ecosystems, such as Bitcoin.

Basic Password Storage Strategies

Let’s consider existing approaches to storing passwords in a database:

Plain text is not acceptable from a security perspective.
The simplest hashing using functions like crc32, md5, sha1no longer meets modern requirements due to known vulnerabilities.
Using standard cryptographic functions : for example, functions crypt()that provide a basic level of security.
Static salt – adds the same set of characters to every password; modified constructions of the form md5(md5($pass))are not sufficient from a cryptanalytic point of view.
Unique salt for each user – provides individualization of hashing, significantly increasing the strength of the scheme 1 2 .

The problem of hash function collisions

A hash function collision is a situation in which different inputs result in the same hash value. The shorter the output of the hash function, the higher the probability of such a collision. For example, a 32-bit function crc32allows you to try out possible values much faster than a modern algorithm like SHA-2563 4 .

In the field of cryptanalysis, there are many known attacks based on collisions of legacy hash functions: successful attacks on MD5 and SHA-1 have already been carried out, so they are no longer recommended for storing passwords 3 .

Rainbow Tables and the Role of Salt

Rainbow tables are large precomputed databases of the most likely password-hash pairs. Their effectiveness increases exponentially if the hashing does not use a salt, a random string added to the password before hashing. Adding a unique salt for each user ensures that the hashes are unique, making rainbow tables virtually useless against well-implemented schemes 5 6 7 .

Example:

$password = "easypassword";
echo sha1($password);          // 6c94d3b42518febd4ad747801d50a8972022f956
$salt = "f#@V)Hu^%Hgfds";
echo sha1($salt . $password);  // cd56a16759623378628c0d9336af69b74d9d71a5

In this example, the salt and password hash are not present in the standard rainbow tables.

For added stability, it is recommended that each salt be used uniquely for the user:

function unique_salt() {
    return substr(sha1(mt_rand()),0,22);
}
$unique_salt = unique_salt();
$hash = sha1($unique_salt . $password);

Hash Rate and Its Role in Cryptanalysis

One of the paradoxes of cryptosecurity is that fast hashing is beneficial not only to an honest user, but also to an attacker: the faster the hash is calculated, the easier it is to organize a brute-force attack 1 8 9 .

For example, the average computer can generate millions of hashes per second. Even if an eight-character password seems complex (62 possible characters: lowercase + uppercase letters and numbers, for a total of 62^8 ≈ 218 trillion combinations), on modern machines, trying all the options will take a matter of hours.

The solution is to use slow hash functions that make it artificially difficult to calculate even a single password hash:

function myhash($password, $unique_salt) {
    $salt = "f#@V)Hu^%Hgfds";
    $hash = sha1($unique_salt . $password);
    for ($i = 0; $i < 1000; $i++) {
        $hash = sha1($hash);
    }
    return $hash;
}

This technique increases the strength of the password exponentially: the time required for an attack increases from hours to many years 8 .

Modern algorithms: Blowfish and bcrypt

The preferred choice for secure password storage is to use specialized algorithms such as Blowfish and bcrypt, which were originally designed to be resistant to brute force attacks and make effective use of salt and a computational complexity factor of 2 10 11 .

Example with Blowfish ( crypt()) in PHP:

function myhash($password, $unique_salt) {
    return crypt($password, '$2a$10$'.$unique_salt);
}

2a— Blowfish designation.
10— cost of calculation (2^10 rounds).

Password verification:

php$hash = '$2a$10$dfda807d832b094184faeu1elwhtR2Xhtuvs3R9J1nfRGBCudCCzC';
$password = "verysecret";

if (check_password($hash, $password)) {
    echo "Доступ разрешён!";
} else {
    echo "Доступ запрещён!";
}

function check_password($hash, $password) {
    $full_salt = substr($hash, 0, 29);
    $new_hash = crypt($password, $full_salt);
    return ($hash == $new_hash);
}

This ensures maximum protection even with significant computing resources of a potential attacker 11 2 10 .

Conclusion

Scientific analysis of password storage methods and their cryptographic strength shows that protection is based on the principles of:

Using a unique salt for each user.
Use of slow, specially designed hash functions (bcrypt, Argon2, scrypt).
Constant updating of cryptographic tools due to the emergence of new vulnerabilities and the development of computing power 2 1 8 .

These approaches are also relevant for decentralized projects like Bitcoin, where the compromise of one segment can threaten the security of the entire system.