What password hashing algorithms are popular among sites that have been hacked?
Study: Your Password Complexity Requirements are Worthless
Date: September 25 2014
Number of unique leaked password dumps identified as using a specific hashing algorithm, collected by KoreLogic over a six month period in 2014 (n=1,365):
PasswordResearch.com Comment:
For above the p = plaintext password, s = salt. This identifies how the chosen algorithm(s) are specifically used to hash the password and salt. If not otherwise specified the hash is applied only to the password (p). Note that we removed what appeared to be duplicate entries for "crypt-blowfish" and "ntlm" from the original slide.
Date: September 25 2014
Number of unique leaked password dumps identified as using a specific hashing algorithm, collected by KoreLogic over a six month period in 2014 (n=1,365):
 | MD5 |
| MD5(MD5(p).s) |
| MD5(s.p) |
| MD5(MD5(s).MD5(p)) [unsure about this one] |
| SHA1 |
| MySQL5 |
| MD5(p.s) |
| Crypt-DES |
| MySQL323 |
| SHA512(p.s) |
| MD5(MD5(p)) |
| PHPass |
| SHA1(s.p) |
| NTLM |
| SSHA1 |
| MD5_Half |
| Crypt-MD5 |
| Crypt-Blowfish |
| SHA256 |
| MD5(s.p.s) |
| SHA512 |
| SHA1(MD5(p)) |
| Drupal7 |
| MD5(s.MD5(p)) |
| SHA1-Base64 |
PasswordResearch.com Comment:
For above the p = plaintext password, s = salt. This identifies how the chosen algorithm(s) are specifically used to hash the password and salt. If not otherwise specified the hash is applied only to the password (p). Note that we removed what appeared to be duplicate entries for "crypt-blowfish" and "ntlm" from the original slide.