@noorul - Yeah, I don’t know. I’d have to look at the wordlist and see how long it would take to generate strings from it.

@noorul - Only if you control the tool. (Thus the conundrum.)

I would never submit my password to a “password testing site”. But when you test it yourself, you have massive selection bias.

Ideally, use a perfectly random password (stored in a password manager). Max length that a website or service will accept. And use multifactor authentication.

Just cracked an 18 character password.

It was a two word combo that was in one of my dictionary files as a single entry followed by 9 numbers. The first letter was capitalized.

Gotta love dictionary + rule attacks.

Don't have enough money for a GPU Hashcracker?
Spin one up in AWS*!

Guess every 8 character (Upper, Lower, Number, Symbol) password** in 3 hours, 10 minutes!

Not bad for $25 an hour.
* p3.16xlarge 8x Tesla V100 GPU Instance
** NTLM (Windows) Hash
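A defender-side worked example, added here and not taken from any post in this thread: it derives the hash rate implied by the AWS figures above (95-character alphabet, 8 characters exhausted in 3 h 10 min) and uses it to compare full brute force against the dictionary-plus-rule pattern from the 18-character password post. The wordlist size is a constructed assumption.

```python
"""Time-to-crack estimator for offline hash attacks (worked example)."""
from math import log2

# Upper + lower + digits + printable ASCII symbols, as in the post above.
FULL_ALPHABET = 26 + 26 + 10 + 33  # = 95


def implied_hash_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Hashes/second needed to exhaust alphabet_size**length in `seconds`."""
    return alphabet_size ** length / seconds


# Rate implied by the quoted figure: 95^8 NTLM candidates in 3 h 10 min.
NTLM_RATE = implied_hash_rate(FULL_ALPHABET, 8, 3 * 3600 + 10 * 60)  # ~5.8e11 H/s


def brute_force_seconds(alphabet_size: int, length: int, rate: float = NTLM_RATE) -> float:
    """Worst-case time to exhaust the full keyspace at `rate` hashes/second."""
    return alphabet_size ** length / rate


def rule_attack_candidates(wordlist_entries: int, case_variants: int, digit_suffix_len: int) -> int:
    """Candidates for 'dictionary entry + case rule + N-digit suffix'."""
    return wordlist_entries * case_variants * 10 ** digit_suffix_len


def rule_attack_seconds(wordlist_entries: int, case_variants: int, digit_suffix_len: int,
                        rate: float = NTLM_RATE) -> float:
    return rule_attack_candidates(wordlist_entries, case_variants, digit_suffix_len) / rate


def effective_bits(candidates: float) -> float:
    """Entropy an attacker actually has to search, in bits."""
    return log2(candidates)


def human(seconds: float) -> str:
    for unit, size in (("y", 31_557_600), ("d", 86_400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} s"


if __name__ == "__main__":
    for length in (8, 10, 12):
        print(f"random, {length} chars of {FULL_ALPHABET}: {human(brute_force_seconds(FULL_ALPHABET, length))}")
    # 18-char password from the other post: one wordlist entry (assumed 1M-entry
    # list), capitalised or not, followed by 9 digits.
    cands = rule_attack_candidates(10 ** 6, 2, 9)
    print(f"dictionary+rule, 18 chars: {human(rule_attack_seconds(10 ** 6, 2, 9))}, "
          f"{effective_bits(cands):.1f} bits vs {effective_bits(95 ** 8):.1f} for random 8")
```

The point for policy: the composed 18-character password searches fewer effective bits than 8 random characters, so minimum length alone says little about resistance to dictionary-plus-rule attacks.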

I sit, cross-legged, in the midst of a mighty gale. The salted shards of water & sand buffet against my teeth & open mouth, my laughter lost to the wind.

All I see is turmoil; all I hear is roar; all I feel is chaos.

I sing the praises of Eris, my goddess, for this joy of life.

@superruserr - That sucks. Could the cut fingers be splits from dry skin?

In any case, hope the day gets better!

@donblanco - As long as it's encrypted, you’re fine. For home networks, make sure your wifi password is long.

@paco - If they got access to the /etc/passwd file that you were using and used it to escalate privileges or make lateral movements, then I’d imagine you’d care.

Similarly for corporate environments that use NTLM for localhost password storage or Active Directory authentication and have a corporate policy that allows for a minimum of eight-character passwords.

This matters precisely because it is still in widespread use.

@grumpy_developer@mastodon.technology - Not for an offline attack such as the one described.

@proxeus - This is for an offline attack where a cracker has access to the password hash. Results are consistent.

@tleydxdy - I don't have an accurate benchmark, but I’d estimate several hours to a day or two at max.

@loke - Don’t think so... even slow hashes may take days at maximum. Still within an attacker’s time budget. Benchmarks will tell for certain though!

@Siphonay @piggo - Those are protections against online attacks. This is an offline attack where a cracker gets access to the hash first and then moves the hash onto their own computers to crack.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.