Analysis attackers’ methods with hashing secure password using CSPRNG and PBKDF2


Nada Abdul Aziz Mustafa, University of Baghdad / College of Languages



Keywords: Hash 256, CSPRNG, PBKDF2, password hashing, dictionary attacks, brute force attacks, rainbow table attacks.


Nothing on the Internet is inherently secure, and because we need ways to protect our data, passwords have become important in the electronic world. To prevent hacking and to protect a database that contains important information such as ID card and banking details, the proposed system stores the username after hashing it with the 256 hash algorithm, and saves strong passwords, to repel attackers, using one of two methods:

- The first method is to add a random salt to the password using the CSPRNG algorithm, then hash it using hash 256 and store it on the website.

- The second method is to use the PBKDF2 algorithm, which salts the passwords and stretches them (deriving the password) before they are hashed and stored on the website.

The results of the two methods are compared in terms of speed and resistance to attackers. Password attacks are then analysed, and the strength of the password, the time it takes for the user to log in, and the time required for the attacker to guess the passwords per second are calculated. Wolfram Alpha is used for the mathematical calculations, and the system was implemented using IntelliJ IDEA with JavaFX.
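The two storage methods compared above, as an added example in Python rather than the paper's Java code. It assumes "hash 256" means SHA-256; the salt length, iteration count and function names are choices made here, not values from the paper.

```python
import hashlib
import hmac
import secrets
import time

SALT_BYTES = 16              # assumption: the page gives no salt length
PBKDF2_ITERATIONS = 100_000  # assumption: the page gives no iteration count


def hash_salted_sha256(password, salt=None):
    """Method 1: CSPRNG salt, then one SHA-256 pass over salt || password."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Method 2: CSPRNG salt, then PBKDF2-HMAC-SHA256 key stretching."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)


def verify(password, salt, stored, method):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = method(password, salt)
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess(method, rounds=5):
    """Average cost of one hash: the login delay and the price of one guess."""
    salt = secrets.token_bytes(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(rounds):
        method("constructed-guess", salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    sample = "Constructed-Passw0rd!"  # constructed sample password
    for name, method in (("salted SHA-256", hash_salted_sha256),
                         ("PBKDF2", hash_pbkdf2)):
        salt, digest = method(sample)
        cost = seconds_per_guess(method)
        print(f"{name}: {cost * 1e3:.3f} ms per check, "
              f"~{1 / cost:,.0f} guesses/s on one core, "
              f"verified={verify(sample, salt, digest, method)}")
```

The per-guess cost is the same quantity a user pays at login and an attacker pays for every candidate, which is why the stretched method trades a slower login for far fewer guesses per second.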






How to Cite

Mustafa, N. A. A. (2024). Analysis attackers’ methods with hashing secure password using CSPRNG and PBKDF2. Wasit Journal of Engineering Sciences, 12(2), 60-70.