There's one thing I've never understood about this "guessing" technique to find the plain text of a known hash value. Wouldn't the sticker also need to know exactly what hashing function had been used as well as how many times applied (i.e. what the "stretching" factor was)?
Because without that knowledge what would the attacker run their guesses through? And wouldn't that information be hard to get unless you had the full source code along with all relevant configuration?
One of the assumptions in designing cryptographic systems (Kerckhoff's Principle [1]) is that the attacker knows everything about the system and how it is implemented, except for the password itself. While you could hide the implementation details, that would mean that nobody could verify how strong your system is.
You have to test the password against the real login feature, otherwise you wouldn’t know if you guessed it. The hashing function can be widely known and attackers using brute force guesses would still be blocked by a security feature that requires a second factor (e.g. email) after a certain number of failed attempts.
As an attacker you're not trying to guess the hashed password and even if you had it you still would not be able to use it to log in. Hashing functions that are fit for real-world use are pure functions and their input cannot be determined by looking at their output, which renders rainbow tables (a list of plain text input and their corresponding hashed output) useless to attackers.
So knowing the hash function is useless and even if you also manage to access the database and get the hashed password you still need to run through a brute force technique to find which input gets that output. If the original password is itself a long random set of characters stored with Keychain or Onepass you’re looking at potentially trillions of attempts before you get it right. Hashing functions are written to be slow and computationally expensive so you’re going to incur a lot of energy costs by the time you get it. Also, you’ll be dead by then. When brute force works it’s because the password has no failure restrictions and is something short and simple like a mother’s maiden name with a zip code at the end.
Since you know your own password on the system you can use that to figure out the hashing mechanism. Also, the hashing strategy and salt is often part of the stored hash.
You can make a few simplifying guesses. 1. Google uses a lot of go so its likely they use bcrypt, so try that first.
2. Most people arent security experts so dont bother w/ stretching, just do one hash.
Those 2 assumptions right there get you what you want 90% of the time.
Because without that knowledge what would the attacker run their guesses through? And wouldn't that information be hard to get unless you had the full source code along with all relevant configuration?