#passwordcracking — Public Fediverse posts

The Register: 60% of MD5 password hashes are crackable in under an hour. “Using a dataset of more than 231 million unique passwords sourced from dark web leaks – including 38 million added since its previous study – and hashing them with MD5, researchers at security firm Kaspersky found that, using a single Nvidia RTX 5090 graphics card, 60 percent of passwords could be cracked in less than an […]

The Register: 60% of MD5 password hashes are crackable in under an hour. “Using a dataset of more than 231 million unique passwords sourced from dark web leaks – including 38 million added since its previous study – and hashing them with MD5, researchers at security firm Kaspersky found that, using a single Nvidia RTX 5090 graphics card, 60 percent of passwords could be cracked in less than an […]

The Register: 60% of MD5 password hashes are crackable in under an hour. “Using a dataset of more than 231 million unique passwords sourced from dark web leaks – including 38 million added since its previous study – and hashing them with MD5, researchers at security firm Kaspersky found that, using a single Nvidia RTX 5090 graphics card, 60 percent of passwords could be cracked in less than an […]

The Register: 60% of MD5 password hashes are crackable in under an hour. “Using a dataset of more than 231 million unique passwords sourced from dark web leaks – including 38 million added since its previous study – and hashing them with MD5, researchers at security firm Kaspersky found that, using a single Nvidia RTX 5090 graphics card, 60 percent of passwords could be cracked in less than an […]

The Register: 60% of MD5 password hashes are crackable in under an hour. “Using a dataset of more than 231 million unique passwords sourced from dark web leaks – including 38 million added since its previous study – and hashing them with MD5, researchers at security firm Kaspersky found that, using a single Nvidia RTX 5090 graphics card, 60 percent of passwords could be cracked in less than an […]

If you are:

• "abusing" hashcat --stdout or other cracking tools (or bulk string-generation tools) using GNU parallel, and

• you're producing highly duplicate output per process, and

• you need to do low-memory, best-effort dedupe in parallel, per process prior to passing the aggregated output to a final dedupe

... the dedupe tool included in CynosurePrime's rling repo:
https://github.com/Cynosureprime/rling

... really does the trick! Just do:

[parallel stuff] '[cmd] | dedupe' | final-process-thing

Thanks, @Waffle_Real !

#PasswordCracking

🔑 Password Security Tools – Awareness & Defense Guide 🛡️

Weak or reused passwords remain one of the biggest security risks. Security researchers and penetration testers use password auditing tools (in labs and authorized tests only) to identify vulnerabilities and help organizations enforce stronger authentication.

💡 Commonly Used Tools (Ethical Context Only):
1️⃣ John the Ripper – Classic password auditing tool for multiple formats.
2️⃣ Hashcat – GPU-powered password recovery tool, extremely fast.
3️⃣ Hydra – Network login password tester (SSH, FTP, RDP, HTTP, etc.).
4️⃣ Medusa – Parallel, modular password tester.
5️⃣ Cain & Abel (Legacy) – Windows password recovery & testing suite.

🛡️ Defense Strategies:
✔️ Enforce strong password policies (length, complexity, uniqueness).
✔️ Require Multi-Factor Authentication (MFA/2FA).
✔️ Regularly audit credentials and remove old accounts.
✔️ Use password managers to reduce reuse.
✔️ Monitor for credential leaks in threat intelligence feeds.

🌟 Why It Matters:
Password cracking tools highlight the danger of weak credentials. By understanding them, defenders can build stronger authentication systems and prevent breaches.

⚠️ Disclaimer:
This content is for educational and awareness purposes only. Password cracking tools should only be used in authorized environments with explicit permission. Unauthorized use is illegal and unethical.

#CyberSecurity #PasswordSecurity #InfoSec #EthicalHacking #PenTesting #BlueTeam #PasswordCracking #SecurityAwareness #EthicalTech #Authentication

So atom, main developer of @hashcat, used the "rapid prototyping in Python" plugin of the new "assimilation bridge" in the new hashcat 7¹, with some success in our DEF CON password CTF win this past weekend (hosted by @jabbercracky).

Afterwards, atom realized it would make a good case study for how to use the new feature, so he wrote it up:

https://hashcat.net/forum/thread-13346.html

If you do exploration of mystery hash types (either for CTFs, or in the real world) ... this approach should absolutely be in your toolbox.

¹Note that some work was done during the contest to make the Python bridge plugin better for these use cases; next minor release of 7 will have it, or grab hashcat.net/beta/ or the latest GitHub main branch.

#PasswordCracking #HashCracking
#hashcat #hashcat7

So atom, main developer of @hashcat, used the "rapid prototyping in Python" plugin of the new "assimilation bridge" in the new hashcat 7¹, with some success in our DEF CON password CTF win this past weekend (hosted by @jabbercracky).

Afterwards, atom realized it would make a good case study for how to use the new feature, so he wrote it up:

https://hashcat.net/forum/thread-13346.html

If you do exploration of mystery hash types (either for CTFs, or in the real world) ... this approach should absolutely be in your toolbox.

¹Note that some work was done during the contest to make the Python bridge plugin better for these use cases; next minor release of 7 will have it, or grab hashcat.net/beta/ or the latest GitHub main branch.

#PasswordCracking #HashCracking
#hashcat #hashcat7

So atom, main developer of @hashcat, used the "rapid prototyping in Python" plugin of the new "assimilation bridge" in the new hashcat 7¹, with some success in our DEF CON password CTF win this past weekend (hosted by @jabbercracky).

Afterwards, atom realized it would make a good case study for how to use the new feature, so he wrote it up:

https://hashcat.net/forum/thread-13346.html

If you do exploration of mystery hash types (either for CTFs, or in the real world) ... this approach should absolutely be in your toolbox.

¹Note that some work was done during the contest to make the Python bridge plugin better for these use cases; next minor release of 7 will have it, or grab hashcat.net/beta/ or the latest GitHub main branch.

#PasswordCracking #HashCracking
#hashcat #hashcat7

So atom, main developer of @hashcat, used the "rapid prototyping in Python" plugin of the new "assimilation bridge" in the new hashcat 7¹, with some success in our DEF CON password CTF win this past weekend (hosted by @jabbercracky).

Afterwards, atom realized it would make a good case study for how to use the new feature, so he wrote it up:

https://hashcat.net/forum/thread-13346.html

If you do exploration of mystery hash types (either for CTFs, or in the real world) ... this approach should absolutely be in your toolbox.

¹Note that some work was done during the contest to make the Python bridge plugin better for these use cases; next minor release of 7 will have it, or grab hashcat.net/beta/ or the latest GitHub main branch.

#PasswordCracking #HashCracking
#hashcat #hashcat7

So atom, main developer of @hashcat, used the "rapid prototyping in Python" plugin of the new "assimilation bridge" in the new hashcat 7¹, with some success in our DEF CON password CTF win this past weekend (hosted by @jabbercracky).

Afterwards, atom realized it would make a good case study for how to use the new feature, so he wrote it up:

https://hashcat.net/forum/thread-13346.html

If you do exploration of mystery hash types (either for CTFs, or in the real world) ... this approach should absolutely be in your toolbox.

¹Note that some work was done during the contest to make the Python bridge plugin better for these use cases; next minor release of 7 will have it, or grab hashcat.net/beta/ or the latest GitHub main branch.

#PasswordCracking #HashCracking
#hashcat #hashcat7

July 15th 1991: 34 years ago I published the first “modern” password cracker…

…or, rather, smeared its development over a few months in response to requests from Unix systems administrators all over the globe – on the Internet and/or several other networks. It was a spark that still glows, but also helped inform the way Infosec developed as a discipline, notably arguments about full disclosure.

Gosh I feel old.

https://www.youtube.com/watch?v=BrxJlp_3utk

#computerHistory #crack #passwordCracking

16 Billion Passwords Stolen From 320 Million+ Computers Leaked Online https://gbhackers.com/16-billion-passwords-stolen-from-320-million-computers-leaked-online/ #CyberSecurityNews #PasswordCracking #cybersecurity #FACEBOOK #Google #Apple

Super cool write-up from the winning team of the CrackTheCon #passwordCracking contest.

https://hashmob.net/writeups/HashMob.net%20-%20CrackTheCon%202025%20write-up.pdf

Well, this cracking attack is going to take 5.5 days on 2x 4090s.

#PasswordCracking #hashcat

🚨 Oh no! GNU Screen has "security issues"—quick, everyone panic! Meanwhile, the tech wizards are too busy inventing new buzzwords and password-cracking supertools that sound like rejected Marvel villains to actually fix anything. 🙄🔧
https://www.openwall.com/lists/oss-security/2025/05/12/1 #GNUScreen #Security #Issues #Panic #TechBuzzwords #PasswordCracking #MarvelVillains #HackerNews #ngated

TIL if you generate and store all even faintly possible IPv4 IPs - 0.0.0.0 through 255.255.255.255 - as ASCII strings ... it takes about 58GB.

This is a #HaveIBeenPwned subtoot. 😜

#PasswordCracking

Password crackers:

If you're still mashing up all of your wordlists into a single monolithic file for deduplication purposes ... let me suggest an option that scales better, simply by approaching the problem differently:

Deduplicate each new source as it arrives, and then add it to a repository, by removing all strings already in your repository ...and then preserve it as a separate file! (You might call this the "sort once, deduplicate often" method.)

https://blog.techsolvency.com/2025/04/managing-unique-wordlists-password-cracking.html

The key benefit: the memory usage required is a factor of the size of the new file alone, rather than of the entire corpus.

Also useful for other medium-sized "dedupe a recurring stream of new sets of strings over time" use cases.

(And if you're not doing this anymore, now you have a reference to share with the folks who still are!)

#PasswordCracking

Top #hashcat tip:

Want per-position duplication in your rules to leverage your GPU?

It's not available in a single op, but you can emulate it by incrementally duplicating the first N chars, and then incrementally deleting the position and frequency of the redundant characters

#password #passwordcracking #pentest #redteam

hello everyone.
in today's article we examine cewl cheat sheet in detail:

i wish everyone a good reading:
https://denizhalil.com/2025/01/27/cewl-cheat-sheet/

#cewl #customwordlist #ethicalhacking #informationsecurity #kalilinux #passwordcracking #penetrationtesting #securitytools

If you need to sort and dedupe a ton of strings/records, Cynosure Prime member blazer has released rlite, a 'lite' version of rling. I helped debug early versions. A nice balance of performant and simple, but with useful knobs like frequency counting, writing dupes to another file, etc.

(And heavy on the 'performant' - multi-threaded sort + dedupe time for 1.4B records in a 16GB file is 45 seconds on 48 EPYC 7642 cores, and uses 26GB of RAM)

https://github.com/Cynosureprime/rlite

#PasswordCracking

Next time password cracking comes up conversationally and someone says "And can't you can just use rainbow tables" ... send them this.

https://hashcat.net/faq/rainbowtables

tl;dr They are only worthwhile in a very specific (and rare) set of circumstances.

#PasswordCracking #RainbowTables

Today's traditional UNIX crypt / descrypt / hashcat -m 1500 trivia.

if you see a descrypt crack ending in \x8a ... no you didn't.

These actually end in \x0a -- descrypt drops all high bits, turning \x8a into \x0a!

#PasswordCracking

Password cracking tip:

Grow your ability to understand the math of your attack space.

One nice way to practice this: for a given attack, use Wolfram Alpha (or a calculator, etc.) to roughly confirm the math of your tool's ETA for your attack.

If they don't match, check your assumptions, your setup, or your understanding until they do.

In this example, the total number of guesses scheduled for this attack will take these two GPUs, running at the hashrate shown, a little under 46 days to complete.

https://wolframalpha.com/input?i=%281408965009*47622827%29+%2F+%2816989*1000000*60*60*24%29

Practicing this estimation until you can do it very "back of the napkin" / order of magnitude in your head is valuable, just as it is with any "large numbers" effort / industry / exercise.

#PasswordCracking #hashcat

So ... due to an early obsession with historical BSD hashes ... I have significantly more bcrypt hashrate-per-watt cracking capacity than most solo shops. For bcrypt cost 12, it's about 34Kh/s straight wordlist -- the equivalent of about 17 4090s -- at only 1100W (these old Bitcoin FPGAs are very efficient for bcrypt specifically). And this capacity is intermittently idle, which is kinda a shame.

I haven't really put it out there as something I can help with if needed (outside of the Hashcat team). So ... feel free to ping me if you need bcrypts cracked/audited!

(Reasonable rates, but note that I do have a pretty firmly high bar for provenance / proof of authorization)

(Rat's nest of USB has been cleaned up a bit 😅)

#bcrypt #PasswordCracking #hashing

Team #Hashcat is pleased to present our much anticipated write-up for this year's #CrackMeIfYouCan contest at #Defcon32

📕 Read it here:
https://raw.githubusercontent.com/hashcat/team-hashcat/8a72d338660cc6d8f4f8014bd8e3236f8c59cd6e/CMIYC2024/CMIYC2024TeamHashcatWriteup.pdf

#password #passwordcracking #redteam #ctf #defcon #hacking #infosec #cybersecurity

When a target hashlist has a significantly lower percentage of cracks than expected, I've started calling the remaining/missing cracks "dark matter".

Some potential causes of cracking "dark matter":

• Site changed methodologies later: switched to a nested hash, added a pepper, HSM, true encryption layer, etc.

• High number of automatically random-ish passwords: defaults, resets, bots, randomized on account lock, etc.

• Complexity requirements higher than expected: high minimum length, etc.

• Attacker (me) is missing key info: language, encoding, demographics, etc.

What could other causes be?

#Hashing #PasswordCracking

One example why to use strong #passwords for users who use file sharing over #SMB even when the file transfers are #encrypted.
If the SMB traffic is captured/eavesdropped, then the attacker can try to crack the user password.
The attacker is able to extract challenge/response values from the Session Setup and then use #passwordcracking tools such as #hashcat

If the attack is successful, the attacker will gain not only the access to the user account, but it is also possible to decrypt the captured SMB file transfers. There is lack of perfect forward secrecy in this encryption.

For more details and practical examples, see this blog post:

https://malwarelab.eu/posts/tryhackme-smb-decryption/

#networktrafficanalysis #networktraffic #encryption #netntlmv2 #netntlm #ntlm #windows #fileshare #pentesting #cybersecurity #hardening #password #cracking #offensivesecurity #offsec #blueteam #purpleteam

One example why to use strong #passwords for users who use file sharing over #SMB even when the file transfers are #encrypted.
If the SMB traffic is captured/eavesdropped, then the attacker can try to crack the user password.
The attacker is able to extract challenge/response values from the Session Setup and then use #passwordcracking tools such as #hashcat

If the attack is successful, the attacker will gain not only the access to the user account, but it is also possible to decrypt the captured SMB file transfers. There is lack of perfect forward secrecy in this encryption.

For more details and practical examples, see this blog post:

https://malwarelab.eu/posts/tryhackme-smb-decryption/

#networktrafficanalysis #networktraffic #encryption #netntlmv2 #netntlm #ntlm #windows #fileshare #pentesting #cybersecurity #hardening #password #cracking #offensivesecurity #offsec #blueteam #purpleteam

One example why to use strong #passwords for users who use file sharing over #SMB even when the file transfers are #encrypted.
If the SMB traffic is captured/eavesdropped, then the attacker can try to crack the user password.
The attacker is able to extract challenge/response values from the Session Setup and then use #passwordcracking tools such as #hashcat

If the attack is successful, the attacker will gain not only the access to the user account, but it is also possible to decrypt the captured SMB file transfers. There is lack of perfect forward secrecy in this encryption.

For more details and practical examples, see this blog post:

https://malwarelab.eu/posts/tryhackme-smb-decryption/

#networktrafficanalysis #networktraffic #encryption #netntlmv2 #netntlm #ntlm #windows #fileshare #pentesting #cybersecurity #hardening #password #cracking #offensivesecurity #offsec #blueteam #purpleteam

One example why to use strong #passwords for users who use file sharing over #SMB even when the file transfers are #encrypted.
If the SMB traffic is captured/eavesdropped, then the attacker can try to crack the user password.
The attacker is able to extract challenge/response values from the Session Setup and then use #passwordcracking tools such as #hashcat

If the attack is successful, the attacker will gain not only the access to the user account, but it is also possible to decrypt the captured SMB file transfers. There is lack of perfect forward secrecy in this encryption.

For more details and practical examples, see this blog post:

https://malwarelab.eu/posts/tryhackme-smb-decryption/

#networktrafficanalysis #networktraffic #encryption #netntlmv2 #netntlm #ntlm #windows #fileshare #pentesting #cybersecurity #hardening #password #cracking #offensivesecurity #offsec #blueteam #purpleteam

One example why to use strong #passwords for users who use file sharing over #SMB even when the file transfers are #encrypted.
If the SMB traffic is captured/eavesdropped, then the attacker can try to crack the user password.
The attacker is able to extract challenge/response values from the Session Setup and then use #passwordcracking tools such as #hashcat

If the attack is successful, the attacker will gain not only the access to the user account, but it is also possible to decrypt the captured SMB file transfers. There is lack of perfect forward secrecy in this encryption.

For more details and practical examples, see this blog post:

https://malwarelab.eu/posts/tryhackme-smb-decryption/

#networktrafficanalysis #networktraffic #encryption #netntlmv2 #netntlm #ntlm #windows #fileshare #pentesting #cybersecurity #hardening #password #cracking #offensivesecurity #offsec #blueteam #purpleteam

@tomshardware The only RTX A6000 hashcat benchmark I could find was from v6.1.1 @ 121.5GH/s, but still, that's enough poke to exhaust a full key space 10-char NTLM in 38 days.

#passwordcracking

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

1025 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

#Passphrases
#PasswordCracking

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

1025 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

#Passphrases
#PasswordCracking

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

1025 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

#Passphrases
#PasswordCracking

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

1025 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

#Passphrases
#PasswordCracking

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

1025 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

#Passphrases
#PasswordCracking

Cracked the Plexus P/20 System V 2.0 descrypt password hashes seen on the recent Adrian's Digital Basement video: https://www.youtube.com/watch?v=iltZYXg5hZw

SLW/he1AY2Gzc:(empty password)
RvXYLt8J1q1bk:(empty password)
OPw8jjjhaQWHA:1/2pint
/oT1pXqoXqlns:1/2pint
xgik/arAJT7gM:1/2pint

"1/2pint" is in the rockyou.txt direct so #hashcat had nothing to do really. #passwordcracking #AdriansDigitalBasement

Cracked the Plexus P/20 System V 2.0 descrypt password hashes seen on the recent Adrian's Digital Basement video: https://www.youtube.com/watch?v=iltZYXg5hZw

SLW/he1AY2Gzc:(empty password)
RvXYLt8J1q1bk:(empty password)
OPw8jjjhaQWHA:1/2pint
/oT1pXqoXqlns:1/2pint
xgik/arAJT7gM:1/2pint

"1/2pint" is in the rockyou.txt direct so #hashcat had nothing to do really. #passwordcracking #AdriansDigitalBasement

Cracked the Plexus P/20 System V 2.0 descrypt password hashes seen on the recent Adrian's Digital Basement video: https://www.youtube.com/watch?v=iltZYXg5hZw

SLW/he1AY2Gzc:(empty password)
RvXYLt8J1q1bk:(empty password)
OPw8jjjhaQWHA:1/2pint
/oT1pXqoXqlns:1/2pint
xgik/arAJT7gM:1/2pint

"1/2pint" is in the rockyou.txt direct so #hashcat had nothing to do really. #passwordcracking #AdriansDigitalBasement

Cracked the Plexus P/20 System V 2.0 descrypt password hashes seen on the recent Adrian's Digital Basement video: https://www.youtube.com/watch?v=iltZYXg5hZw

SLW/he1AY2Gzc:(empty password)
RvXYLt8J1q1bk:(empty password)
OPw8jjjhaQWHA:1/2pint
/oT1pXqoXqlns:1/2pint
xgik/arAJT7gM:1/2pint

"1/2pint" is in the rockyou.txt direct so #hashcat had nothing to do really. #passwordcracking #AdriansDigitalBasement

Cracked the Plexus P/20 System V 2.0 descrypt password hashes seen on the recent Adrian's Digital Basement video: https://www.youtube.com/watch?v=iltZYXg5hZw

SLW/he1AY2Gzc:(empty password)
RvXYLt8J1q1bk:(empty password)
OPw8jjjhaQWHA:1/2pint
/oT1pXqoXqlns:1/2pint
xgik/arAJT7gM:1/2pint

"1/2pint" is in the rockyou.txt direct so #hashcat had nothing to do really. #passwordcracking #AdriansDigitalBasement

So @solardiz presented a talk on "Password cracking: past, present, future" at OffensiveCon last week. Definitely worth a read - bringing his usual disciplined thinking to a topic he knows very well.

He includes both historical and taxonomical perspectives, both of which I appreciate. Apparently, one of the first password-cracking contests was in 1982? (This was a password cracker contest - seeking the best cracking software!)

https://www.openwall.com/presentations/OffensiveCon2024-Password-Cracking/

[Will update post if video of the talk itself appears.]

#passwords #hashing
#PasswordCracking

Brute force password cracking takes longer than ever, according to Hive Systems' latest audit. #PasswordCracking #BruteForceAttacks #HiveSystems #PasswordHashing #CyberSecurity #bcrypt #MD5
thttps://www.blogger.com/blog/post/edit/2393063772924596666/7373948891148112675

Brute force password cracking takes longer than ever, according to Hive Systems' latest audit. #PasswordCracking #BruteForceAttacks #HiveSystems #PasswordHashing #CyberSecurity #bcrypt #MD5
thttps://www.blogger.com/blog/post/edit/2393063772924596666/7373948891148112675

#TeamHashcat is pleased to present our write-up for this year's @CrackMeIfYouCan contest at #Defcon31

📕 Read it here: https://raw.githubusercontent.com/hashcat/team-hashcat/59335b8cce61f567ae035b8ce47d84a79c3775ae/CMIYC2023/CMIYC2023TeamHashcatWriteup.pdf

#PasswordCracking #Hashcat #Defcon #CrackMeIfYouCan #Hacking #Infosec

Need a quick way to check a hash against a huge database?

I've written a small but flexible Go CLI tool to query the HashMob API.

It's actually pretty damn handy if I do say so myself.

If you find it useful, stars and boosts are much appreciated ❤️

https://github.com/n0kovo/gohashmob

(just starting to learn Go, don't judge my probably horrible code 🥹)

#hacking #infosec #tools #osint #passwordcracking #passwords #passwordsecurity #hashcracking #hashlookup #hashmob #md5 #sha1 #bcrypt #pentesting #bugbounty #redteam