Think your 12 character passwords are still strong enough? One of the top password cracking programs can now crack password up to 256 characters!
The 4.x release of Hashcat blows through the previous 32 character password cracking limit and can now crack up to 256 character passwords. It has been very helpful for working through Troy Hunt’s half a billion password hash release.
If you use the default or -w1 speed switch in Hashcat, it will now crack passwords up to 256 characters:
hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -w1 –gpu-temp-retain 75
If you use the -O switch, Hashcat will crack at a much faster rate, but will only be able to crack the traditional 32 and under length hashes:
As seen in the command below:
hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -O –gpu-temp-retain 75
Here are some of the large passwords (most likely unintentional junk) found in Troy Hunt’s 500 Million “Have I been Pwned” SHA1 password hash release:
12345Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦Ð Ñ—Ð¡â€”Ð â€¦
greens and water shine a place where a word friends speak to a thicket:
* The last one could have possibly contained actual account information so the website name and possible account information has been altered, but the style, layout and length have remained the same.
All of the passwords above except for one were recovered from using wordlists and rules together, so similar passwords were already in the wordlist. One was recovered by just daisy chaining together multiple repetitive binary strings.
There are some other odd returns found in the cracked hashes, ones that looked something similar to these:
I have never seen Hashcat do that before, but when they were decoded from Hex to Ascii they looked about right.
There are also a lot of jumbled together lines that include partial e-mails & passwords together. Some even include what appear to be phone numbers and outdated credit cards (any personal information has already been publicly dumped, some of it for years). Obviously, these weren’t used as passwords, but is just some of the malformed data mentioned on Troy’s blog. Some of these lines are extremely long, so it is impressive that Hashcat is able to recover them.
I am still working through the list, I’m just using a single GTX960 card so it is taking a while, but during the process I found Not so Secure’s “OneRuletoRuleThemAll” Hashcat rule extremely useful.
Thanks to Troy Hunt for releasing the 500 million password dump. As a security trainer, it is a lot of fun and great practice to run through the dump using Hashcat. Also, thanks for his work on the “Have I Been Pwned” website. If you want to see if any of your accounts are included in the dump, just visit the Have I Been Pwned Website.
If you need to crack very long complex passwords, give Hashcat a try!