Notice! Hashcat can easily crack passwords up to 256 characters long

Do you still think your 12-character password is very secure? Come on, top password crackers can easily crack passwords up to 256 characters long.

PS: This article is only for technical discussion and sharing, and is strictly prohibited for any illegal use


With the release of Hashcat 4.x, the previous 32-character password cracking limit no longer exists, and now Hashcat 4.x version supports password cracking up to 256 characters in length. Coupled with the hundreds of millions of password hashes released by Troy Hunt, our lives will become easier.

If you run Hashcat with its default settings or the -w1 workload profile, it will crack passwords up to 256 characters long:

hashcat64 -D 2 --remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -w1 --gpu-temp-retain 75


If you use the -O parameter (optimized kernels), Hashcat cracks passwords faster, but optimized kernels only support passwords up to the traditional 32-character limit:


The relevant commands are as follows:

hashcat64 -D 2 --remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -O --gpu-temp-retain 75

Here are some long passwords (SHA1 password hashes) we found in Troy Hunt's password table, which contains the SHA1 password hashes from the "Have I Been Pwned" website:

24пїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅ
 
ðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅ
 
&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:
 
12345ÐїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Ð…РїС—Р…РїС—Р…РїС—Р…РїС—Р…

The last password hash may contain information about the website's real account, so the website name and account information have been obfuscated, but the password format and length are still the same as the original.

All but one of the passwords above were cracked with dictionaries and rules, which means similar passwords were already present in the wordlist; the remaining one was recovered by concatenating repeated strings of the same pattern.

We also found some very strange password formats in the cracked password hashes, similar to the following:

$HEX[ab32d4c1334455]d]9]
$HEX[abcbdb1212121212]4]f6d]

I've never seen anything like this in Hashcat before, but after decoding it using hex to ASCII, the content is still readable.
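The $HEX[...] notation is how Hashcat writes a recovered plaintext that it cannot print safely, so a potfile containing such lines has to be decoded before the passwords can be read or measured. The following Python script is an added example (not code from the original article or from the Hashcat project) that parses raw SHA-1 potfile lines of the form hash:plaintext, decodes well-formed $HEX[] fields, rejects malformed ones such as the "]d]9]" tails shown above rather than silently mis-decoding them, re-hashes each plaintext to confirm the crack, and reports the length in bytes. The rule it uses to decide when a sample plaintext gets $HEX-encoded is an assumption, and all sample hashes and passwords are constructed inline.

```python
"""Parse hashcat potfile output and decode $HEX[...] plaintexts.

Added example for this article; it is not code from the original post or
from the hashcat project. Assumptions (labelled): hashcat writes a cracked
plaintext as $HEX[<hex>] when it is not safely printable (non-ASCII bytes,
control characters or ':'), and for -m 100 (raw SHA-1) each potfile line is
'<sha1 hex>:<plaintext>'. The sample lines below are constructed here.
"""
import binascii
import hashlib
import re

_HEX_FIELD = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")


def decode_plain(field: str) -> bytes:
    """Return the raw password bytes for one potfile plaintext field.

    A well-formed $HEX[...] field is unhexed; anything that starts with
    $HEX[ but does not parse cleanly (odd digit count, trailing junk such
    as the ']d]9]' tails shown in the article) is rejected rather than
    silently decoded to the wrong bytes.
    """
    if field.startswith("$HEX["):
        m = _HEX_FIELD.match(field)
        if m is None or len(m.group(1)) % 2:
            raise ValueError(f"malformed $HEX field: {field!r}")
        return binascii.unhexlify(m.group(1))
    return field.encode("utf-8")


def parse_potfile_line(line: str) -> tuple[str, bytes]:
    """Split '<sha1>:<plaintext>' (split once: the plaintext may contain ':')."""
    digest, plain = line.rstrip("\r\n").split(":", 1)
    return digest.lower(), decode_plain(plain)


def verify_sha1(digest_hex: str, password: bytes) -> bool:
    """Recompute SHA-1 (hashcat -m 100) to confirm the recovered plaintext."""
    return hashlib.sha1(password).hexdigest() == digest_hex.lower()


def readable(password: bytes) -> str:
    """Human view of the bytes: UTF-8 when valid, otherwise an escaped form."""
    try:
        return password.decode("utf-8")
    except UnicodeDecodeError:
        return password.decode("latin-1").encode("unicode_escape").decode("ascii")


def summarize(potfile_text: str) -> list[dict]:
    """One record per line: digest, decoded password, length in bytes, verified flag."""
    records = []
    for line in potfile_text.splitlines():
        if not line.strip():
            continue
        digest, pw = parse_potfile_line(line)
        records.append({
            "digest": digest,
            "password": readable(pw),
            "length": len(pw),
            "verified": verify_sha1(digest, pw),
        })
    return records


# --- constructed sample data (not the article's hashes or passwords) ---

def _hashcat_style_field(pw: bytes) -> str:
    """Mimic hashcat's choice between literal and $HEX[] output (assumed rule)."""
    if all(0x20 <= b < 0x7F and b != 0x3A for b in pw):
        return pw.decode("ascii")
    return "$HEX[" + pw.hex() + "]"


SAMPLE_PASSWORDS = [
    b"password",                                              # plain ASCII, written literally
    "\u043f\u0430\u0440\u043e\u043b\u044c".encode("utf-8"),  # Cyrillic, UTF-8 bytes
    b"user:pass",                                             # ':' would break the hash:plain split
    b"\x01\x02tab\t" + b"x" * 60,                             # control bytes; 66 bytes long
    b"ab" * 128,                                              # 256 bytes: the new length limit
]

SAMPLE_POTFILE = "\n".join(
    f"{hashlib.sha1(pw).hexdigest()}:{_hashcat_style_field(pw)}" for pw in SAMPLE_PASSWORDS
)


if __name__ == "__main__":
    for rec in summarize(SAMPLE_POTFILE):
        print(f"{rec['length']:4d} bytes  verified={rec['verified']}  {rec['password'][:40]}")
```

Re-hashing every decoded plaintext is the useful habit here: it catches a mis-decoded $HEX field or a corrupted potfile line immediately, and the byte length it reports is what the 32- versus 256-character kernel limits actually apply to.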

In fact, the password table also contains many real email addresses and corresponding passwords, and some even contain the user's mobile phone number and credit card information. Obviously, these are not passwords in the original sense, and according to Troy's description, these are some type of "malformed data". As you may have seen, some of the password hashes given above are very long, so I am personally surprised that Hashcat can recover such long passwords.

Since I only have a GTX 960 on hand, cracking took a little longer, but throughout the process I found that NotSoSecure's "OneRuleToRuleThemAll" Hashcat rule is indeed very powerful and helped me a great deal.

Thanks to Troy Hunt for publishing more than 500 million password hashes. As a security trainer, I highly recommend using Hashcat for password cracking exercises. In addition, we would like to thank the "Have I Been Pwned" website for the information. If you want to know whether your account or password is in this password hash table, you can check directly on the Have I Been Pwned website.

If you want to crack long and complex passwords, Hashcat is definitely what you need to try.

* Reference source: cyberarms; compiled by FB editor Alpha_h4ck. Please credit FreeBuf.COM when reposting.
