Password Encryption Algorithm: How to Find Out

TL;DR

It’s very difficult (and usually impossible) to directly determine the exact algorithm used for password encryption. Systems intentionally hide this information for security reasons. However, you can often identify the hashing function used (which is a key part of the process), and sometimes infer other details based on system behaviour and configuration.

Understanding Password Encryption

Before we start, it’s important to understand what happens when you create a password. It doesn’t get stored as plain text! Instead, it goes through these steps:

• Hashing: A one-way function transforms your password into a seemingly random string of characters (the hash). This is the most common part you can investigate.
• Salting: Random data is added to your password before hashing, making it harder for attackers using pre-computed tables (rainbow tables) to crack passwords.
• Encryption (less common): Sometimes, the hash itself might be encrypted with a key. This adds another layer of security but makes identification even harder.

How to Identify the Hashing Function

1. Check System Documentation: The easiest way is often the best! Look for documentation from the service or software provider that specifies which hashing algorithm they use (e.g., bcrypt, Argon2, scrypt, SHA-256).
2. Password Reset/Recovery Process: Observe how password resets work. Some systems reveal clues during this process. For example, if a reset requires you to answer security questions and doesn’t offer advanced options, it’s less likely they are using modern hashing techniques.
3. Database Analysis (if possible): Warning: This is only applicable if you have access to the database, which is rare and often illegal without permission! If you can inspect the password storage table, look at the format of the stored hashes.
   • Length: Different hashing algorithms produce different length hashes.
   • Prefixes/Identifiers: Some systems add a prefix to the hash indicating the algorithm used (e.g., $2a$10$... for bcrypt).
4. Hash Identification Tools: Several online tools can attempt to identify the hashing function based on the hash format.
   • HashCat Wiki – Example Hashes provides examples of common hash formats.
   • Online Hash Cracker can attempt to identify the algorithm, but it’s not always accurate.
5. Brute-Force/Dictionary Attacks (Ethical Considerations!): Do NOT attempt this on systems you do not own or have explicit permission to test! If you have a sample hash and know the salt, you could try brute-force or dictionary attacks. The speed of cracking can give clues about the hashing function.

Specific Algorithms & What to Look For

• bcrypt: Very common. Hashes typically start with $2a$, followed by a cost factor (e.g., $2a$10$...).
• Argon2: Modern and secure. Hash formats vary but often include identifiers like argon2id or argon2i.
• scrypt: Another strong algorithm. Look for specific parameters in the hash format.
• SHA-256/SHA-512 (with salting): Older, but still used. The hashes will be longer and may not have obvious identifiers without knowing the salt.

Example: Identifying bcrypt

If you see a password hash that looks like this:

$2a$10$abcdefghijklmnopqrstuvwxyz1234567890/./././././././././././

The $2a$10$ prefix strongly indicates that bcrypt is being used, and the ’10’ represents the cost factor (work factor).

Limitations

• Encryption: If the hash is encrypted, identifying the hashing function becomes much harder.
• Custom Implementations: Some systems use custom encryption schemes that are difficult to reverse engineer.
• Security by Obscurity: Systems intentionally hide this information for security reasons.