Step 01 · watch first
A primer on how hashes fall — and which fall first.
A five-minute introduction to password hashing — what MD5, SHA-1 and bcrypt actually do, and why the algorithm choice decides whether a database leak is a footnote or a disaster. Watch all the way through, then move to the animated simulation to see the cracker land.
Lesson · Hash algorithms & cracking
~5 min
Summary
what to remember
1. A breach is a list of hashes. One-way, supposedly. The leak hands the attacker gibberish — and the strength of that gibberish depends entirely on the algorithm the developer chose.
2. Different hashes leak differently. hashid identifies the family in milliseconds; john and hashcat do the cracking. Identify before you attack.
3. MD5 falls in seconds, SHA-1 in minutes. Neither is suitable for password storage — they were built for file integrity, not for keeping secrets.
4. bcrypt is supposed to hurt. A low work-factor still hurts less than nothing. cost=4 falls in minutes; cost=12 turns a wordlist into years.
5. Use bcrypt or argon2id with a real cost factor (12+). Always. Re-tune the factor yearly as hardware gets faster. The defence is built into the algorithm — pick the right one.
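An added example, not part of the original lesson: a defender-side audit that sorts stored hashes into the families named in the summary by their format and flags the ones the summary says to replace. The sample values are constructed (digests of the empty string and placeholder bcrypt strings), and the function names are this example's own.

```python
import re

MIN_BCRYPT_COST = 12  # the lesson's recommended floor (12+)

# bcrypt modular-crypt string: $2a/$2b/$2x/$2y, two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# argon2id PHC string: version, memory/time/parallelism parameters, salt, digest
ARGON2ID_RE = re.compile(r"^\$argon2id\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: MD5 and SHA-1 of the empty string, plus placeholder bcrypt strings
SAMPLE = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "$2a$04$" + "A" * 53,
    "$2b$12$" + "A" * 53,
]


def classify(stored):
    """Return (family, verdict) for one stored password hash string."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            # bcrypt work doubles with each cost step, so the gap is a power of two
            gap = 2 ** (MIN_BCRYPT_COST - cost)
            return ("bcrypt", f"rehash: cost={cost} is {gap}x cheaper per guess than cost={MIN_BCRYPT_COST}")
        return ("bcrypt", "ok")
    if ARGON2ID_RE.match(stored):
        return ("argon2id", "ok")
    if HEX_RE.match(stored) and len(stored) in (32, 40):
        # Length only suggests the family; other digests share these sizes
        family = "md5-length hex" if len(stored) == 32 else "sha1-length hex"
        return (family, "rehash: fast digest, not a password hash")
    return ("unknown", "review manually")


def audit(lines):
    """Classify every non-empty line; return (hash, family, verdict) rows needing action."""
    rows = [(s, *classify(s)) for s in (line.strip() for line in lines) if s]
    return [row for row in rows if row[2] != "ok"]


if __name__ == "__main__":
    for stored, family, verdict in audit(SAMPLE):
        print(f"{family:16} {verdict:60} {stored[:12]}...")
```

Because only the hash is stored, a flagged entry can be upgraded only when the user next presents the password, typically at the next successful login.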
Quick check · before you continue
1 question · pick one
Q: You have a file hashes.txt with three lines: an MD5, a SHA-1, and a $2a$04$... bcrypt. Which one should you crack first?