#passwordcracking

Royce Williams<p>TIL if you generate and store all even <em>faintly</em> possible IPv4 IPs - 0.0.0.0 through 255.255.255.255 - as ASCII strings ... it takes about 58GB.</p><p>This is a <a href="https://infosec.exchange/tags/HaveIBeenPwned" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HaveIBeenPwned</span></a> subtoot. 😜 </p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordCracking</span></a></p>
Royce Williams<p>Password crackers:</p><p>If you're still mashing up all of your wordlists into a single monolithic file for deduplication purposes ... let me suggest an option that scales better, simply by approaching the problem differently:</p><p>Deduplicate each new source as it arrives, and then add it to a repository, by removing all strings already in your repository ...and then <em>preserve it as a separate file</em>! (You might call this the "sort once, deduplicate often" method.)</p><p><a href="https://blog.techsolvency.com/2025/04/managing-unique-wordlists-password-cracking.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.techsolvency.com/2025/04/</span><span class="invisible">managing-unique-wordlists-password-cracking.html</span></a></p><p>The key benefit: the memory usage required is a factor of the size of the new file alone, rather than of the entire corpus.</p><p>Also useful for other medium-sized "dedupe a recurring stream of new sets of strings over time" use cases.</p><p>(And if you're not doing this anymore, now you have a reference to share with the folks who still are!)</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordCracking</span></a></p>
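<p>A sketch of the "sort once, deduplicate often" workflow from the post above, added here as an illustration; it is not code from the post or the linked article. The function name <code>add_source</code>, the file names and the sample strings are constructed for the example.</p>

```python
import tempfile
from pathlib import Path
from typing import Optional


def add_source(repo_dir: Path, new_file: Path) -> Optional[Path]:
    """Dedupe new_file against the repository, then store it as its own file.

    Only the new file's strings are held in memory; repository files are
    streamed line by line, so RAM scales with the new source, not the corpus.
    """
    out = repo_dir / new_file.name
    if out.exists():
        raise FileExistsError(f"{out} is already in the repository")
    with new_file.open("rb") as fh:  # bytes: sources are not always valid UTF-8
        fresh = {line.rstrip(b"\r\n") for line in fh}
    fresh.discard(b"")
    for existing in sorted(repo_dir.iterdir()):
        if not fresh:
            break  # nothing new left, stop reading the repository
        with existing.open("rb") as fh:
            for line in fh:
                fresh.discard(line.rstrip(b"\r\n"))
    if not fresh:
        return None  # every string was already known; add nothing
    out.write_bytes(b"\n".join(sorted(fresh)) + b"\n")  # kept as a separate file
    return out


def demo():
    """Run the workflow on constructed sample data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, incoming = Path(tmp, "repo"), Path(tmp, "incoming")
        repo.mkdir()
        incoming.mkdir()
        (repo / "source-a.txt").write_bytes(b"alpha\nbravo\n")
        (repo / "source-b.txt").write_bytes(b"charlie\n")
        new = incoming / "source-c.txt"
        new.write_bytes(b"bravo\ndelta\ncharlie\ndelta\necho\r\n")
        added = add_source(repo, new)
        unique = added.read_bytes()
        repeat = incoming / "source-d.txt"
        repeat.write_bytes(b"echo\nalpha\n")
        return unique, add_source(repo, repeat), sorted(p.name for p in repo.iterdir())


if __name__ == "__main__":
    print(demo())
```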
Will Hunt<p>Top <a href="https://infosec.exchange/tags/hashcat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hashcat</span></a> tip:</p><p>Want per-position duplication in your rules to leverage your GPU?</p><p>It's not available in a single op, but you can emulate it by incrementally duplicating the first N chars, and then incrementally deleting the position and frequency of the redundant characters</p><p><a href="https://infosec.exchange/tags/password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>password</span></a> <a href="https://infosec.exchange/tags/passwordcracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passwordcracking</span></a> <a href="https://infosec.exchange/tags/pentest" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pentest</span></a> <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>redteam</span></a></p>
Royce Williams<p>If you need to sort and dedupe a ton of strings/records, Cynosure Prime member blazer has released rlite, a 'lite' version of rling. I helped debug early versions. A nice balance of performant and simple, but with useful knobs like frequency counting, writing dupes to another file, etc.</p><p>(And heavy on the 'performant' - multi-threaded sort + dedupe time for 1.4B records in a 16GB file is 45 seconds on 48 EPYC 7642 cores, and uses 26GB of RAM)</p><p><a href="https://github.com/Cynosureprime/rlite" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/Cynosureprime/rlite</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordCracking</span></a></p>
Royce Williams<p>Next time password cracking comes up conversationally and someone says "And can't you just use rainbow tables" ... send them this.</p><p><a href="https://hashcat.net/faq/rainbowtables" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hashcat.net/faq/rainbowtables</span><span class="invisible"></span></a></p><p>tl;dr They are only worthwhile in a very specific (and rare) set of circumstances.</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordCracking</span></a> <a href="https://infosec.exchange/tags/RainbowTables" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RainbowTables</span></a></p>
Royce Williams<p>Today's traditional UNIX crypt / descrypt / hashcat -m 1500 trivia.</p><p>If you see a descrypt crack ending in <code>\x8a</code> ... no, you didn't.</p><p>These actually end in <code>\x0a</code> -- descrypt drops all high bits, turning <code>\x8a</code> into <code>\x0a</code>!</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordCracking</span></a></p>
Royce Williams<p>Password cracking tip: </p><p>Grow your ability to understand the math of your attack space.</p><p>One nice way to practice this: for a given attack, use Wolfram Alpha (or a calculator, etc.) to roughly confirm the math of your tool's ETA for your attack.</p><p>If they don't match, check your assumptions, your setup, or your understanding until they do.</p><p>In this example, the total number of guesses scheduled for this attack will take these two GPUs, running at the hashrate shown, a little under 46 days to complete.</p><p><a href="https://wolframalpha.com/input?i=%281408965009*47622827%29+%2F+%2816989*1000000*60*60*24%29" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">wolframalpha.com/input?i=%2814</span><span class="invisible">08965009*47622827%29+%2F+%2816989*1000000*60*60*24%29</span></a></p><p>Practicing this estimation until you can do it very "back of the napkin" / order of magnitude in your head is valuable, just as it is with any "large numbers" effort / industry / exercise.</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordCracking</span></a> <a href="https://infosec.exchange/tags/hashcat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hashcat</span></a></p>
Royce Williams<p>No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user <em>knows</em> that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.</p><p>10<sup>25</sup> combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.</p><p>¹<a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">ncsc.gov.uk/collection/top-tip</span><span class="invisible">s-for-staying-secure-online/three-random-words</span></a></p><p><a href="https://infosec.exchange/tags/Passphrases" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passphrases</span></a><br><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PasswordCracking</span></a></p>
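<p>The arithmetic behind the ETA post and the passphrase post above, as an added example that is not from either post: it re-derives the "a little under 46 days" figure from the numbers in the Wolfram Alpha link and finds the word count at which a pool reaches the passphrase post's minimum (six words from 20K, five from 100K). The 10,000 guesses per second "slow" rate and all function names are assumptions made for the illustration.</p>

```python
SECONDS_PER_DAY = 60 * 60 * 24


def eta_days(total_guesses: int, guesses_per_second: float) -> float:
    """Worst-case days to try every scheduled guess at a steady rate."""
    return total_guesses / (guesses_per_second * SECONDS_PER_DAY)


def keyspace(pool_size: int, words: int) -> int:
    """Number of passphrases of `words` words drawn at random from the pool."""
    return pool_size ** words


def min_words(pool_size: int, target: int = 10**25) -> int:
    """Smallest word count whose keyspace reaches the target (exact integers)."""
    words = 1
    while keyspace(pool_size, words) < target:
        words += 1
    return words


def exhaust_table(pool_size, word_counts, rates):
    """Days to exhaust each keyspace at each named guess rate."""
    return {
        (words, name): eta_days(keyspace(pool_size, words), rate)
        for words in word_counts
        for name, rate in rates.items()
    }


# Figures taken from the Wolfram Alpha link in the ETA post.
ETA_POST_GUESSES = 1408965009 * 47622827
ETA_POST_RATE = 16989 * 1_000_000  # guesses per second

# Assumption: 10,000 guesses/s stands in for a "slow" hash; not from the page.
RATES = {"fast": ETA_POST_RATE, "slow": 10_000}

if __name__ == "__main__":
    print(f"ETA post: {eta_days(ETA_POST_GUESSES, ETA_POST_RATE):.1f} days")
    for pool in (20_000, 100_000):
        print(f"pool {pool}: {min_words(pool)} words reach 10^25")
    for (words, name), days in exhaust_table(20_000, (3, 4, 6), RATES).items():
        print(f"{words} words, {name}: {days:.3g} days")
```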