Cryptography: A Quantitative Analysis of the Effectiveness of Various Password Storage Techniques


  • Rohan Patra, Dougherty Valley High School
  • Sandip Patra, Mentor



Keywords: password, hashing, data, security, authentication, sha-256, bcrypt, md5, salting, performance, hash decryption, cryptography, computer science, cybersecurity, data breaches, data breach


Recently, there has been a rise in impactful data breaches releasing billions of people’s online accounts and financial data into the public domain. The result is an increased importance of effective cybersecurity measures, especially regarding the storage of user passwords. Strong password storage security means that an actor cannot use the passwords in vectors such as credential-stuffing attacks despite having access to breached data. It will also limit user exposure to threats such as unauthorized account charges or account takeovers. This research evaluates the effectiveness of different password storage techniques. The storage techniques to be tested are BCRYPT hashing, SHA-256 hashing, SHA-256 with salt, and SHA-256 with MD5 chaining. Following the National Institute of Standards and Technology (NIST) guidelines on password strength, both a weak and a robust password will be passed through the stated techniques. Reversal of each of the results will be attempted using rainbow tables and dictionary attacks. The study results show that pairing a strong password that has not been exposed in a data breach with the BCRYPT hashing algorithm results in the most robust password security. However, SHA-256 hashing with a salt results in a very similar level of security while maintaining better performance. While plain SHA-256 hashing or chaining multiple hashing algorithms together is theoretically as secure, in practice these approaches are easily susceptible to simple attacks and thus should not be used in a production environment. Requiring strong passwords that have not been exposed in previous data breaches was also found to greatly increase security.
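The comparison the abstract describes can be illustrated with Python's hashlib; this is an added example, not code from the paper. It checks whether a digest table precomputed once from a small wordlist matches stored records under the three SHA-256 schemes. The wordlist, function names, MD5-then-SHA-256 chaining order and salt-prefix layout are assumptions, and BCRYPT is left out because it is not in the standard library.

```python
import hashlib
import os

# Constructed sample wordlist standing in for a breached-password dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]

def sha256_plain(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def sha256_md5_chain(pw: str) -> str:
    # Assumed chaining order: MD5 first, then SHA-256 over the MD5 hex digest.
    inner = hashlib.md5(pw.encode()).hexdigest()
    return hashlib.sha256(inner.encode()).hexdigest()

def sha256_salted(pw: str, salt: bytes) -> str:
    # Assumed layout: random per-user salt prefixed to the password bytes.
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def precompute(scheme) -> dict:
    """Digest -> password table built once and reusable against every record."""
    return {scheme(word): word for word in WORDLIST}

def table_hits(password: str) -> dict:
    """For each scheme, does a table built before the breach match the record?"""
    salt = os.urandom(16)
    stored = {
        "sha256": sha256_plain(password),
        "sha256_md5_chain": sha256_md5_chain(password),
        "sha256_salted": sha256_salted(password, salt),
    }
    tables = {
        "sha256": precompute(sha256_plain),
        "sha256_md5_chain": precompute(sha256_md5_chain),
        # The salt is unknown in advance, so only an unsalted table can exist.
        "sha256_salted": precompute(sha256_plain),
    }
    return {name: stored[name] in tables[name] for name in stored}

def salted_guessable(password: str) -> bool:
    """Per-record check once the salt is known: a wordlist password still falls."""
    salt = os.urandom(16)
    digest = sha256_salted(password, salt)
    return any(sha256_salted(word, salt) == digest for word in WORDLIST)

if __name__ == "__main__":
    for pw in ("password", "T7#vq9!LmZ2x"):
        print(pw, table_hits(pw), salted_guessable(pw))
```

The last function shows that a salt blocks precomputation but not per-record guessing of a weak password, which is why the password's own strength matters alongside the storage scheme.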



References or Bibliography

Arias, D. & Auth0. (2019, September 30). Hashing Passwords: One-Way Road to Security. Auth0 - Blog.

BlueCode Hash Finder (9.3). (2020). [Computer software]. BlueCode Team.

Bonneau, J., Herley, C., Oorschot, P. C. V., & Stajano, F. (2012). The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy. Published.

Cloudflare, Inc. (n.d.). What is encryption? Cloudflare. Retrieved May 15, 2021, from

CrackStation. (2019, June 5). Secure Salted Password Hashing - How to do it Properly.

Grassi, P. A., Fenton, J. L., Newton, E. M., Perlner, R. A., Regenscheid, A. R., Burr, W. E., Richer, J. P., Lefkovitz, N. B., Danker, J. M., Choong, Y. Y., Greene, K. K., & Theofanos, M. F. (2017). Digital identity guidelines: authentication and lifecycle management. Digital Identity Guidelines. Published.

Guide to Cryptography - OWASP. (2018, June 13). In Open Web Application Security Project.

N-able. (2021, April 1). SHA-256 Algorithm Overview.

Patra, R. (n.d.). BreachDirectory - Check If Your Email or Username was Compromised. BreachDirectory - PASSCHECK. Retrieved May 29, 2021, from

Python Software Foundation. (2021, May 24). Welcome to Python.Org.

Selinger, P. (2006, February). MD5 Collision Demo. Dalhousie University.

weakpass_2a. (2017). Weakpass.

Wiedenbeck, S., Waters, J., Birget, J. C., Brodskiy, A., & Memon, N. (2005). Authentication using graphical passwords. Proceedings of the 2005 Symposium on Usable Privacy and Security - SOUPS ’05. Published.



How to Cite

Patra, R., & Patra, S. (2021). Cryptography: A Quantitative Analysis of the Effectiveness of Various Password Storage Techniques. Journal of Student Research, 10(3).



HS Research Projects