Why is SHA-256 or SHA-512 not safe for password storage?

SHA-256 and SHA-512 are general-purpose cryptographic hash functions designed to be fast — they process data for checksums, digital signatures, and certificate verification. Being fast is their feature. For passwords, speed is a fatal flaw. Our ARM CPU ran SHA-256 at 3.2 million hashes per second and SHA-512 at 2.7 million. The full 14-million-password rockyou.txt wordlist would be exhausted in under 6 seconds. 'Stronger algorithm' is meaningless without computational stretching. The correct choice for passwords is a key derivation function: bcrypt, scrypt, or Argon2.

What is bcrypt and why does it resist cracking?

bcrypt is a password hashing function (not a general cryptographic hash) designed with deliberate slowness built in. The work factor — the '10' in $2b$10$ — means 2^10 = 1,024 internal rounds. This forces every hash computation to take a fixed minimum amount of time, regardless of hardware. Our demo: bcrypt ran at 112 hashes per second, versus NTLM at 6.6 million. To crack a single bcrypt hash with the full 14M rockyou.txt dictionary would take approximately 32 hours on our hardware. Each account requires a separate 32-hour run. At scale, mass cracking becomes economically unviable. The work factor is also upgradable: when servers get faster, increase the rounds to maintain equivalent resistance.

What is NTLM and why is it so dangerous?

NTLM (NT LAN Manager) is Windows's legacy password hashing format, still used in Windows authentication, Active Directory, and some legacy applications. It's MD4 of the UTF-16 Unicode password — no salt, no stretching, extremely fast to compute. Our CPU cracked it at 6.6 million hashes per second. A modern gaming GPU would reach 100 billion hashes per second for NTLM. This means a complete rockyou.txt run against a single NTLM hash takes milliseconds. NTLM hashes from Windows credential dumps (NTDS.dit, SAM, LSASS memory) are essentially plaintext. Pass-the-hash attacks don't even require cracking — NTLM hashes can be used directly for authentication in many Windows environments.

What is Argon2 and how does it compare to bcrypt?

Argon2 is the winner of the Password Hashing Competition (2015) and the modern best practice for password storage. It adds memory hardness on top of bcrypt's time hardness: cracking requires both compute time AND a large amount of RAM. Because GPU cards have limited memory bandwidth, Argon2 resists GPU-based cracking more effectively than bcrypt. The recommended parameters (Argon2id, m=65536, t=1, p=4) require 64MB of RAM per hash computation. For new applications: use Argon2id. For existing applications using bcrypt: bcrypt with rounds≥10 is acceptable and migration is not urgent. MD5, SHA-1, SHA-256, SHA-512 for passwords need to be migrated immediately.

How do I migrate from MD5/SHA password hashes to bcrypt?

The standard approach for live applications is an online migration: on next login, verify the user's password against the existing hash, then re-hash with bcrypt and replace. Users who don't log in keep their old hash until they do. After a reasonable period (6-12 months), force password resets for accounts still on the old scheme. Most web frameworks support this: PHP's password_hash/password_verify with automatic upgrade detection, Django's PBKDF2→bcrypt migration via PASSWORD_HASHERS, bcrypt libraries for Node.js/Python/Ruby with transparent upgrade on verify. The key requirement: never store the old MD5/SHA hash alongside the new bcrypt hash — only store one authoritative hash per account.

We Gave Hashcat 6 Password Hashes. It Cracked 5 in Under a Second. The 6th Said No.

March 12, 2026 · SecurityClaw Demo D14 · Password Security

"I use SHA-512 so I'm secure." We hear this from developers regularly. SHA-512 sounds strong. It runs at 2.7 million hashes per second on our ARM test box. We planted one hash per algorithm — MD5, NTLM, SHA-1, SHA-256, SHA-512, and bcrypt — and pointed SecurityClaw's hashcat skill at them. Five cracked in under a second. The sixth, bcrypt, is still running. The speed gap: 59,034× between NTLM and bcrypt. That number is the entire story of password storage security.

Date:March 12, 2026

Tool:hashcat v7.1.2

Category:Password Security

Result:✅ Pass — 5/6 cracked, bcrypt resisted

Platform:ARM aarch64 CPU (no GPU)

Methodology note: We planted one hash of a known password per algorithm type on a controlled test server. We used the top 50,001 passwords from rockyou.txt — all 5 cracked hashes are in the top 1,000 most common passwords worldwide. This is a controlled demo, not a worst-case attack scenario. Real-world crack rates depend on password policy, GPU availability, and dictionary selection. Hardware limitations are documented in the gaps section. This is Demo D14 — SecurityClaw's first password-security category campaign.

The Results

Algorithm	Speed (this hardware)	Result	Plaintext
MD5	937,500 H/s	✅ CRACKED	`password`
NTLM (Windows)	6,613,900 H/s	✅ CRACKED	`letmein`
SHA-1	5,548,600 H/s	✅ CRACKED	`qwerty123`
SHA-256	3,243,800 H/s	✅ CRACKED	`Password1!`
SHA-512	2,759,500 H/s	✅ CRACKED	`abc123`
bcrypt (rounds=10)	112 H/s	❌ RESISTED	—

The critical number: NTLM vs bcrypt = 59,034× slower. Same hardware. Same dictionary. Same machine. The only difference is the hash function.

Note that Password1! was in the SHA-256 hash — it has uppercase, a number, and a special character. It meets every complexity requirement for most corporate password policies. It was cracked in under a second because it was in a commonly used wordlist. Complexity rules don't help when the password is common. Slow hashing functions do.

The Three Stories in the Data

1. SHA-512 Sounds Strong. It Isn't (for Passwords).

SHA-512 produces a 128-character hex string. It uses 512-bit internal state. Developers see it and feel safe — this is a serious cryptographic algorithm used in certificate chains and TLS handshakes. Which it is. For those purposes.

For passwords, the property that matters isn't output length or algorithm complexity. It's time per hash computation. SHA-512 is designed to be fast. It runs at 2.7 million hashes per second on a CPU. With a modern GPU it runs at tens of billions per second. The entire 14-million-password rockyou.txt dictionary takes under 6 seconds on our CPU, under 0.2 seconds on a gaming GPU.

"Stronger general-purpose cryptographic hash function" does not equal "more resistant to password cracking." These are different properties. The SHA algorithms were never designed for password storage.

2. NTLM Is the Worst Possible Option Still in Use

6.6 million hashes per second on a CPU-only ARM box. This is Windows's password format — the one that Active Directory uses by default for local account password hashes, and the one that attackers extract from LSASS memory dumps, SAM files, and NTDS.dit in domain controller compromises.

A modern GPU reaches 100+ billion NTLM hashes per second. The entire rockyou.txt dictionary takes 0.00014 seconds on a consumer gaming GPU. Every NTLM hash in a credential dump is effectively plaintext. If you're running any service or application that stores or transmits NTLM hashes, the content is exposed to anyone who extracts them.

This is why pass-the-hash attacks remain so effective in Windows environments: you don't even need to crack the hash. NTLM hashes can authenticate directly in many Windows authentication flows. The hash is the credential.

3. bcrypt Forces Attackers to Slow Down Permanently

112 hashes per second. Not 112 thousand. Not 112 million. One hundred and twelve.

Cracking the full 14-million-password rockyou.txt dictionary against a single bcrypt hash takes approximately 32 hours on this hardware. Each account requires another 32 hours. A database of 10,000 users would take 13 years of continuous CPU time.

On a GPU: bcrypt runs at 10,000–20,000 H/s. That's 10-20× faster than our CPU, versus the 50,000–100,000× speedup GPUs give for MD5 and NTLM. The ratio holds because bcrypt's design forces the computation to be sequential in ways that GPUs can't easily parallelise.

This isn't theoretical resistance — it's economic resistance. Mass cracking of bcrypt databases is not a viable attack at scale. Attackers move to easier targets. That's the practical effect.

Why Slow Hashing Is a Design Feature, Not a Bug

When developers complain that bcrypt is slow, that's the point. The slowness is calibrated:

On login, verifying a bcrypt hash takes ~100ms — negligible to a human user, imperceptible in a web app context.
For an attacker with a stolen hash file, 100ms per hash means 10 hashes per second, or ~600 attempts per minute against a dictionary.
The work factor is configurable: $2b$12$ is 4× slower than $2b$10$. As hardware gets faster, increase the rounds to maintain equivalent resistance.

Why Argon2 Is Better Still

Argon2 won the Password Hashing Competition in 2015 and adds memory hardness to time hardness. Cracking Argon2 requires both compute time AND large amounts of RAM per attempt. Because GPUs have limited memory per core, this significantly reduces GPU-based cracking advantages. Recommended parameters: Argon2id, m=65536 (64MB), t=1 (1 pass), p=4 (4 parallel threads).

For new applications: use Argon2id. For existing applications on bcrypt with rounds≥10: the migration isn't urgent. For anything storing MD5, SHA-1, SHA-256, or SHA-512 passwords: migrate now.

The Salting Bonus (Not Shown in Demo)

Both bcrypt and Argon2 generate a unique random salt for each password hash. This means two users with the identical password produce completely different hashes. Pre-computed rainbow table attacks — the predecessor to dictionary attacks — become completely useless. Every hash must be cracked individually. This also means that discovering one user's password via cracking gives you nothing about other users with the same password.

MD5 and SHA-256 can be salted too — but salting doesn't help if the hash itself is computed in microseconds. The salt buys you nothing when the attacker can compute 3 million salted SHA-256 hashes per second on their laptop.

The Honest Gaps

CPU-Only Hardware

This demo ran on an ARM aarch64 CPU. A modern gaming GPU (RTX 4090) would crack:

MD5 at ~100 billion H/s (100,000× faster than our demo)
NTLM at ~150 billion H/s
bcrypt at ~10,000–20,000 H/s (90–180× faster, but not the 100,000× speedup of MD5)

The bcrypt ratio still holds. The absolute resistance of bcrypt decreases with better hardware, but so does everyone's hardware — the defender upgrades the work factor, maintaining equivalent effective resistance. The fast hash algorithms have no equivalent defence.

Demo Wordlist Was 50K

We used the top 50,001 passwords from rockyou.txt. All 5 cracked passwords are in the top 1,000 most common passwords globally. We planted easy ones deliberately — this demo is about algorithm speed differences, not password policy. Real-world crack rates depend on your users' actual password choices.

We Didn't Demo GPU or Rainbow Tables

Pre-computed rainbow table attacks against unsalted MD5/SHA-1 are even faster than dictionary attacks — effectively instant for common passwords. bcrypt's per-hash unique salting defeats them completely. This is mentioned but not demonstrated here; it's an additional argument for proper key derivation functions.

The Immediate Action

If your application stores passwords as MD5, SHA-1, SHA-256, or SHA-512 hashes, you have a disclosure event waiting to happen. Any credential dump — database breach, backup theft, insider access — gives an attacker plaintext passwords for a significant portion of your user base within hours.

The fix is known, well-documented, and implementable in every major language:

PHP: password_hash($password, PASSWORD_BCRYPT) / password_verify()
Python: bcrypt library or Django's built-in PBKDF2PasswordHasher
Node.js: bcrypt or argon2 packages
Ruby: bcrypt-ruby gem
Java: Spring Security's BCryptPasswordEncoder

Migration path for live applications: on next login, verify against the old hash, then re-hash with bcrypt and replace. Users who haven't logged in keep the old hash until they do. After a reasonable period, force password resets for remaining old-format accounts.

SecurityClaw's hashcat skill runs this analysis in one command against your credential store. The output maps which algorithms are in use across your user base and prioritises the migration.

For deeper reading on password security in the context of real-world attacks, the relevant chapters in The Web Application Hacker's Handbook cover authentication attacks thoroughly. Penetration Testing by Georgia Weidman covers credential cracking in the context of post-exploitation — useful for understanding the attacker's perspective when evaluating your own password storage choices.

SecurityClaw Scorecard: D14

D14 opens a new category in SecurityClaw's capability scorecard: password security. This complements the existing coverage — TruffleHog and Gitleaks find secrets in code and history; hashcat tests the resistance of the password hashes in your credential store.

Metric	Value
Tool	hashcat v7.1.2
Hashes tested	6 (one per algorithm type)
Cracked	5/6 (83.3%)
Resisted	1 (bcrypt rounds=10 — by design)
Wordlist	Top 50,001 entries from rockyou.txt
Campaign result	PASS
New category	✅ Password Security
Overall scorecard after D14	23/25 campaigns = 92.00%

The 59,034× speed difference between NTLM and bcrypt isn't a fine-grained performance concern. It's the difference between "cracked in milliseconds" and "economically unviable to crack at scale." It's a design choice that developers make when they choose what to call on the registration endpoint. Choose well.