Summary

  • Employees: 5,097 hashes in dataset
  • Cracked: 876 via rockyou.txt
  • Crack rate: ~17.2% of all employees
  • Hash algorithm: MD5, no salt, no pepper

Introduction

Blue Yarrow Unicorns is receiving this audit to evaluate the effectiveness of its digital authentication process. The scope of the audit was the two provided datasets — a list of password hashes and a list of hashes that were successfully cracked.

Two questions drive this audit: are employees choosing strong passwords, and is the company storing them in a way that resists cracking if the hash file is ever leaked?

Methodology

This audit evaluated two main areas: employee password creation practices and password storage security. Blue Yarrow stated that:

  • It uses MD5 to hash passwords.
  • It does not use salting or peppering.
  • It does not enforce standard password complexity requirements.
  • The dataset includes 5,097 employees and no null passwords.

Results

876 of the 5,097 hashes were cracked using rockyou.txt.

First, the password selection process is too weak. The cracked passwords show predictable employee behavior: short passwords, common names, simple strings.

Second, password storage practices are insufficient. MD5, combined with the absence of salting, allows extremely fast cracking. A stronger algorithm such as SHA-256, or preferably a dedicated password hash, should be used.

Table 1 — Overall hash crack rate

  Outcome                      Count    Percent
  Total hashes in dataset      5,097    100.0%
  Cracked using rockyou.txt      876    ~17.2%
  Not cracked in this run      4,221    ~82.8%

Roughly one in six employees uses a password that appears in a publicly available wordlist — and because the hashes are unsalted MD5, those matches fall in seconds, not days.

From the Source Data

The figures above are reproducible directly from userpass.xlsx. The workbook contains two sheets — Hashes (the full set) and Cracked (rows of hash:password for the entries that fell to rockyou.txt). Splitting each cracked row on the colon produces the analysis that follows.

Password length distribution

Of the 875 cracked entries that contained a password value, the length distribution skews short. The most common length is exactly 6 characters, and roughly 71.8% of cracked passwords are 8 characters or fewer:

  • 1–4 chars 13 · 1.5%
  • 5 chars 34 · 3.9%
  • 6 chars 247 · 28.2%
  • 7 chars 147 · 16.8%
  • 8 chars 187 · 21.4%
  • 9 chars 111 · 12.7%
  • 10+ chars 136 · 15.5%

The two longest cracked passwords reach 16 characters, showing that even entries that meet a "long enough" rule of thumb can still appear in rockyou.txt if they are made of common words or phrases.

Sample of recovered passwords

A small sample drawn directly from the Cracked sheet illustrates the pattern called out in the results — first names, affectionate words, sports terms, simple greetings:

  • yellow
  • daniela
  • lauren
  • mickey
  • princesa
  • alexandra
  • superman
  • hannah
  • amanda
  • loveyou
  • pretty
  • basketball
  • andrew
  • angels
  • tweety
  • flower
  • playboy
  • hello
  • elizabeth
  • hottie

Why MD5 makes this worse

The dataset alone shows what a wordlist can do, but the storage choice is what makes the result so cheap. With unsalted MD5, every employee who picked the same password produces the same hash — so one successful crack reveals every duplicate at once, and the entire rockyou.txt wordlist can be tested against the full hash file very quickly. Salting would force per-user work; switching the algorithm to something like SHA-256 (or, better, a dedicated password hash) would slow each guess.
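The two analyses above (splitting the Cracked sheet rows and bucketing password lengths, and counting how many employee rows a single crack exposes under unsalted MD5) can be reproduced with a short script. This is an added example, not part of the audit deliverable; it uses a small constructed sample instead of userpass.xlsx, and the sheet contents, row formats and helper names are assumptions modelled on the description above.

```python
import hashlib
from collections import Counter

def md5_hex(password: str) -> str:
    """Unsalted MD5 as the audited system stores it (used here only to build sample data)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed sample data, not the audit's real workbook.
# "Hashes" sheet: one unsalted MD5 per employee; note the repeated password "yellow".
EMPLOYEE_PASSWORDS = ["yellow", "daniela", "superman", "yellow", "basketball",
                      "hello", "yellow", "elizabeth", "Tr0ub4dor&3xyz", "correct horse battery"]
HASHES_SHEET = [md5_hex(p) for p in EMPLOYEE_PASSWORDS]

# "Cracked" sheet: hash:password rows for entries that fell to the wordlist.
# The last row has a blank password value (as one real row did) and must be skipped.
CRACKED_SHEET = [f"{md5_hex(p)}:{p}" for p in
                 ["yellow", "daniela", "superman", "basketball", "hello", "elizabeth"]]
CRACKED_SHEET.append(md5_hex("unknown") + ":")

BUCKETS = ["1-4", "5", "6", "7", "8", "9", "10+"]   # same bins as the length table

def parse_cracked(rows):
    """Split each 'hash:password' row on the first colon only; drop blank passwords."""
    cracked = {}
    for row in rows:
        h, _, pw = row.partition(":")
        if pw:
            cracked[h.lower()] = pw
    return cracked

def bucket(length: int) -> str:
    if length <= 4:
        return "1-4"
    return "10+" if length >= 10 else str(length)

def length_distribution(passwords):
    """Count of cracked passwords per length bucket."""
    counts = Counter(bucket(len(p)) for p in passwords)
    return {b: counts.get(b, 0) for b in BUCKETS}

def share_at_most(passwords, max_len: int) -> float:
    """Fraction of cracked passwords with length <= max_len (the report uses 8)."""
    return sum(len(p) <= max_len for p in passwords) / len(passwords)

def employees_exposed(hashes_sheet, cracked) -> int:
    """Unsalted MD5: every employee whose hash matches a cracked one is exposed by that single crack."""
    return sum(h.lower() in cracked for h in hashes_sheet)

if __name__ == "__main__":
    cracked = parse_cracked(CRACKED_SHEET)
    pws = list(cracked.values())
    print(length_distribution(pws), f"<=8 chars: {share_at_most(pws, 8):.1%}")
    print(f"{len(cracked)} cracks expose {employees_exposed(HASHES_SHEET, cracked)} of {len(HASHES_SHEET)} employees")
```

Pointing the same functions at the real sheets (read with any xlsx library) gives the 875-entry distribution and the 71.8% figure quoted above.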

Risk Analysis

Both controls under audit failed in the same direction:

  • Creation: ~17.2% of employees use a password that appears in a public wordlist. With no complexity rules in place, that rate is unlikely to drop on its own.
  • Storage: Unsalted MD5 means that if the hash file ever leaves the company, the cracking effort an attacker needs is about the same as what was used in this audit — small.

The combined effect is that any hash leak becomes, for a meaningful fraction of employees, a credential leak.

Recommendations

  • Replace MD5 with a stronger hashing algorithm, preferably a dedicated password hash.
  • Salt every password with a unique value so identical passwords no longer share a hash.
  • Add a pepper as a further control, kept outside the password store.
  • Enforce stronger password creation rules: minimum length, blocked common-word lists, and similar guardrails.
  • Deploy multi-factor authentication so a cracked password alone is no longer enough to log in.