
phauis's Introduction

Password Hashing Algorithms used in Software (PHAuiS), pronounced [faus] (with a silent i), is a simple overview of password hashing algorithms used in software with authentication capabilities.

👉 The goal is to evaluate the security of the algorithms used in the respective program.

PHAuiS 🔑

❔ Rating is based on:
* in combination with another symbol

  • Currently one of the best*: ✔️
  • Good but not perfect: 🟢
  • Moderate: 🟡
  • Bad: 🔴
  • Couldn't be worse*: ❌

italic entry = legacy or outdated source

Overview of typical algorithms and their rating

| PH-Algorithm | Rating | Explanation |
|---|---|---|
| Argon2(i/d/id) (with/without Salt) | 🟢✔️ | State-of-the-Art (Winner of Password Hashing Competition) [1] [2] [Git] |
| Yescrypt (with/without Salt) | 🟢✔️ | Password Hashing Competition finalist with special recognitions [1] [2] |
| Catena (with/without Salt) | 🟢✔️ | kind of scrypt, Password Hashing Competition finalist with special recognitions [1] [2] |
| Lyra2 (with/without Salt) | 🟢✔️ | Password Hashing Competition finalist with special recognitions [1] [2] |
| Makwa (with/without Salt) | 🟢✔️ | Password Hashing Competition finalist with special recognitions [1] [2] |
| Pufferfish (with/without Salt) | 🟢 | kind of blowfish, Password Hashing Competition finalist [1] [2] |
| bcrypt (with/without Salt) | 🟢 | kind of blowfish, crypt ($2a), [1] [2] |
| scrypt (with/without Salt) | 🟢 | [1] [2] |
| PBKDF2 (with Salt and/or high key-stretching) | 🟢 | [1] [2] [3] |
| SHA2/3 (with Salt and/or key-stretching) | 🟢 | crypt ($5, $6), [1] |
| Blake2b (with Salt and/or key-stretching) | 🟢 | [1] |
| PBKDF2 (without Salt and with high key-stretching) | 🟡🟢 | |
| SHA2/3 512 bit (without Salt) | 🟡🟢 | |
| Blake2b 512 bit (without Salt) | 🟡🟢 | |
| SHA2/3 256 bit (without Salt) | 🟡 | |
| RIPEMD-160 (with Salt and/or key-stretching) | 🔴🟡 | [1] [2] |
| SHA1 (with Salt and/or key-stretching) | 🔴🟡 | collision + length extension attacks [1] [2] [3] |
| MD5 (with Salt and/or key-stretching) | 🔴🟡 | crypt ($1), collision + length extension attacks [1] [2] |
| RIPEMD-160 (without Salt) | 🔴 | |
| SHA1 (without Salt) | 🔴 | |
| MD5 (without Salt) | 🔴 | |
| GOST (without Salt) | 🔴 | collision + preimage attacks [1] |
| MD4 (without/with Salt and/or key-stretching) | 🔴❌ | Rainbow Tables available, Collision Attacks [1] |
| NTLM-Hash | 🔴❌ | Based on MD4 without key-stretching, Salt, ..., [1] |
| DES | 🔴❌ | obsolete Encryption-Algorithm, [1] |
| LM-Hash | 🔴❌ | Rainbow Tables available, Collision Attacks, [1] [2] |
| CRC32 | 🔴❌ | just an error-detecting code |
| General: Any Encryption Algorithm | 🔴 | Encryption Key is somewhere on the system?!? |

Web-Applications / Software

| Program name | Versions | PH-Algorithm → Rating | Sources | Extras + Date accessed |
|---|---|---|---|---|
| Adobe | - | 3DES using ECB Mode → 🔴❌ | [1] | password leak of 2013<br>→ 19-02-2024 |
| Aegis Authenticator | all | scrypt → 🟢 | [1] | → 19-02-2024 |
| Ansible | all | MD5, blowfish → 🔴<br>SHA256, SHA512 (default) (with Salt) → 🟢 | [1] | → 19-02-2024 |
| Bareos | all | MD5 → 🔴 | [1] | → 19-02-2024 |
| Bitwarden, Vaultwarden | all | PBKDF2 (with Salt and/or key-stretching (default: 600.000)) → 🟢<br>or Argon2id (64MiB, 3 times, 4 threads) → 🟢✔️ | [1], [2] | Salt is username/e-mail<br>→ 19-02-2024 |
| CheckMK | >2.1.0p16 >2.2.0b1 | bcrypt → 🟢<br>SHA256 (with Salt and/or key-stretching) → 🟢 | [1] | → 19-02-2024 |
| CheckMK | <=2.1.0p16 <=2.2.0b1 | DES → 🔴❌<br>MD5 (with Salt and/or key-stretching) → 🔴🟡<br>SHA256 (with Salt and/or key-stretching) → 🟢 | [1] | → 19-02-2024 |
| Drupal | all | based on PHP password_hash() (default: bcrypt) → 🟢 | [1] | → 19-02-2024 |
| FileGator | all | bcrypt (without Salt) → 🟢 | [1] | → 19-02-2024 |
| Froxlor | >= 2.0.0 | bcrypt → 🟢<br>Argon2(i,id) → 🟢✔️ | [1] | versions <2.0.0 use Linux crypt() (see Linux section)<br>→ 19-02-2024 |
| Gitea | all | bcrypt, scrypt, PBKDF2 (with Salt) → 🟢<br>Argon2 with Salt, time=2, memory=64*1024, threads=8, keyLen=50 → 🟢✔️ | [1] | → 19-02-2024 |
| Gophish | all | bcrypt (without Salt) → 🟢 | [1] | → 19-02-2024 |
| ILIAS e-Learning | >5.(0,1,2).X | bcrypt (with/without Salt) → 🟢 | [1] | → 19-02-2024 |
| ILIAS e-Learning | <5.(0,1,2).X | MD5 without Salt → 🔴 | [1] | → 19-02-2024 |
| ISPconfig | all | crypt Linux defaults → 🔴🟡 or 🟢 | | → 19-02-2024 |
| Joomla | >4.0.0 | MD5 (without Salt) → 🔴<br>bcrypt (default) → 🟢<br>Argon2(i, id) → 🟢✔️ | [1] | → 19-02-2024 |
| KeePass | >2.X | AES-KDF → 🔴<br>Argon2(d, id) → 🟢✔️ | [1] | → 19-02-2024 |
| LastPass | - | PBKDF2 key-stretching 100.100 → 🟢 | [1] | → 19-02-2024 |
| LDAP | ? | SHA1, MD5 with and without Salt → 🔴, 🔴🟡<br>Linux crypt(3) (MD5, Blowfish, SHA2 (256, 512 bit)) with Salt and Key stretching → 🔴🟡 up to 🟢 | [1] [2] [3] | official RFC specifies no encryption/hash<br>→ 19-02-2024 |
| Mastodon | all | bcrypt → 🟢 | [1] | → 19-02-2024 |
| Mediawiki | >=? - <1.33 | MD5 (with/without Salt) → 🔴, 🔴🟡<br>PBKDF2, bcrypt (with/without Salt) → 🟢 | [1] | → 03-03-2024 |
| Mediawiki | >=1.33 | MD5 (with/without Salt) → 🔴, 🔴🟡<br>PBKDF2, bcrypt (with/without Salt) → 🟢<br>Argon2(i, id) → 🟢✔️ | [1] | → 03-03-2024 |
| Moodle | <2.3 | MD5 → 🔴 | [1] | → 19-02-2024 |
| Moodle | 2.3 - 4.3 | MD5 → 🔴<br>bcrypt (with Salt) → 🟢 | [1] | → 19-02-2024 |
| Moodle | >=4.3 | bcrypt (with Salt) → 🟢<br>SHA512 (with Salt and key-stretching) → 🟢 | [1] | → 19-02-2024 |
| MySQL | <4.1 | custom 16 Byte construct (broken) → 🔴❌ | [1] | → 19-02-2024 |
| MySQL/MariaDB mysql_native_password (default plugin) | > MySQL 4.1 | SHA1 construct with Salt and minimal key-stretching → 🔴🟡 | [1], [2] | low key-stretching value, better algorithms available (ed25519 based, sha256 construct) [3] but not default, [4], this algorithm can be exploited [5]<br>→ 19-02-2024 |
| Nextcloud | all | bcrypt (without Salt) → 🟢 | [1] | → 19-02-2024 |
| Microsoft Office | 2007 | SHA1 (with key-stretching 50.000) → 🔴🟡 | [1] | → 04-04-2024 |
| Microsoft Office | 2010 | SHA1 (with key-stretching 50.000) → 🔴🟡 | [1] | → 04-04-2024 |
| Microsoft Office | 2013 | SHA1 (with key-stretching 100.000) → 🔴🟡<br>SHA512 (with key-stretching 100.000) → 🟢 | [1] | → 04-04-2024 |
| Microsoft Office | >= 2016 | SHA512 (with key-stretching 100.000) → 🟢 | [1] | → 04-04-2024 |
| ownCloud core | all | bcrypt (without Salt) → 🟢 | [1] | → 19-02-2024 |
| PI-hole | all | SHA2 256 bit without Salt, key-stretching 2x → 🟡 | [1] | → 19-02-2024 |
| PostgreSQL | >? | Plain → 🔴❌<br>MD5 (without Salt) → 🔴<br>SCRAM-SHA-256 (like PBKDF2 with SHA256 and Salt (4096 iterations)) → 🟢 | [1] [2] | → 19-02-2024 |
| Prestashop | all | MD5 (with Salt) → 🔴 | [1] | → 19-02-2024 |
| Typo3 | all | MD5 (with Salt) → 🔴<br>blowfish, phpass (with password stretching) → 🔴<br>PBKDF2, bcrypt (without Salt) → 🟢<br>Argon2(i, id) → 🟢✔️ | [1] | → 19-02-2024 |
| Slack | - | SHA256 (with Salt) → 🟢 | [1] | → 19-02-2024 |
| urbackup | all | PBKDF2 with SHA512 Internet-User secret; without Salt, key-stretching 20.000 → 🟡🟢<br>PBKDF2 with MD5 Login-User; with Salt, key-stretching >0 → 🟡 | [1] [2] | low key-stretching value<br>→ 19-02-2024 |
| wg-portal | all | bcrypt (without Salt) → 🟢 | [1] | → 19-02-2024 |
| Wordpress | all | MD5 (with Salt + minimal key stretching) → 🔴 | [1] | better algorithms just like Argon2id available with Plugins<br>→ 19-02-2024 |
| Zammad | all | SHA256 (without Salt) → 🟡<br>Argon2(i) → 🟢✔️ | [1] | → 03-03-2024 |

Operating Systems

| Program name | Versions | PH-Algorithm → Rating | Sources | Extras + Date accessed |
|---|---|---|---|---|
| Linux (Debian, Ubuntu) | variable | DES → 🔴❌<br>MD5, SHA1 (with Salt and/or key-stretching) → 🔴🟡<br>bcrypt, scrypt, SHA256, SHA512 (with Salt and/or key-stretching) → 🟢<br>(gost-)yescrypt (with Salt) → 🟢✔️ | [1] [2] | based on current Debian specification<br>→ 19-02-2024 |
| Windows | <Vista | LM-Hash → 🔴❌<br>NTLM-Hash → 🔴❌ | [1] | → 19-02-2024 |
| Windows | >=Vista | NTLM-Hash → 🔴❌ | [1] | → 19-02-2024 |

Last Update: 19-02-2024

phauis's People

Contributors

bstnbuck
