#2,955 in Computers & technology books

Reddit mentions of Hash Crack: Password Cracking Manual (v2)

Sentiment score: 1
Reddit mentions: 1

We found 1 Reddit mentions of Hash Crack: Password Cracking Manual (v2). Here are the top ones.

Hash Crack: Password Cracking Manual (v2)
Specs:
- Height: 8.5 inches
- Length: 5.5 inches
- Number of items: 1
- Weight: 0.31 pounds
- Width: 0.24 inches


Found 1 comment on Hash Crack: Password Cracking Manual (v2):

u/LazulaTenshi · 2 points · r/antiassholedesign

I have some experience with attacking password hashes and I want to clear a few things up regarding password strength. While I'm by no means an expert, I have actually performed these attacks against passwords I've generated and hashed myself.

It seems like the linked source is mostly talking about how long it takes to brute-force, which is far from the only way to get a password. I did check the expected brute-force times and they are mostly accurate, but they are certainly falling behind. My GTX 1070 is expected to crack all 8-character md5 hashes in about 4.5 days at 16 gigahashes/second compared to the 2015 estimate they used of 11 GH/s. It's no quad-TitanX build, but it's strong enough to illustrate the widening gap.

But I think it's important to understand that real password attacks are much, much more sophisticated than a raw brute-force, and keyspace can be drastically reduced by taking advantage of the flawed ways that people try to "strengthen" their passwords. I'll bold it so it's clear: Number of characters is not an effective assessment of password strength unless they are generated randomly. Let's use some of the passwords from the source as examples. "security1" is an uncommon English word with one number - a common password pattern and an easy dictionary+digit mask attack. "P@ssw0rD", aside from likely being in many top X password wordlists itself since it's a mutation of "password", is a common word with the first and last letters capitalized and has a few very common replacements (a->@ and o->0), and would easily be caught in a dictionary+rule attack. It doesn't matter that your password is 10 characters long when it's a somewhat common 6-character name + a year. Massive real-world password dumps like rockyou also change things significantly and make raw wordlist and wordlist+rule or mask attacks much more effective.

The hashcat wiki has a lot of information about intelligent attacks against password hashes. There is also a great book about it, Hash Crack.

As you mentioned, diceware is one of the best ways to generate a passphrase, with a keyspace of 7776^(number of words), assuming that we know that it's a diceware password. Five words is stronger than most real passwords. Seven to ten words is basically uncrackable with current technology and should stay that way for a few years. Best of all, it's very easy to remember.
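The keyspace comparison the comment makes (raw brute-force vs. a word+digit pattern vs. diceware at 7776^words), worked through as an added example; this is not code from the comment or from the Hash Crack book. The 16 GH/s and 11 GH/s rates and the 95-symbol printable-ASCII alphabet come from the comment's own numbers; the 100,000-entry wordlist size for the "security1" pattern is an assumption made here.

```python
import math

# Hash rates quoted in the comment: a single GTX 1070 on MD5 and the 2015 estimate.
RATES_PER_SECOND = {"gtx1070_md5": 16e9, "estimate_2015": 11e9}

PRINTABLE_ASCII = 95          # alphabet for an "all 8-character" brute-force
DICEWARE_LIST_SIZE = 7776     # 6**5 entries in a standard diceware list
ASSUMED_WORDLIST_SIZE = 100_000   # assumption: size of an attacker's English wordlist


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Every string of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def dictionary_mask_keyspace(wordlist_size: int, digits: int) -> int:
    """Wordlist entry followed by `digits` decimal digits (the 'security1' pattern)."""
    return wordlist_size * 10 ** digits


def diceware_keyspace(words: int) -> int:
    """Diceware passphrase of `words` words, attacker assumed to know it is diceware."""
    return DICEWARE_LIST_SIZE ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst case: every candidate is tried once at `rate` hashes per second."""
    return keyspace / rate


def days_to_exhaust(keyspace: int, rate: float) -> float:
    return seconds_to_exhaust(keyspace, rate) / 86400


def summarize(rate: float) -> dict:
    """Bits of entropy and days to exhaust for each attacker model at one hash rate."""
    models = {
        "brute-force 8 chars": brute_force_keyspace(PRINTABLE_ASCII, 8),
        "word + 1 digit": dictionary_mask_keyspace(ASSUMED_WORDLIST_SIZE, 1),
        "diceware 5 words": diceware_keyspace(5),
        "diceware 7 words": diceware_keyspace(7),
    }
    return {name: (entropy_bits(k), days_to_exhaust(k, rate)) for name, k in models.items()}


if __name__ == "__main__":
    for name, (bits, days) in summarize(RATES_PER_SECOND["gtx1070_md5"]).items():
        print(f"{name:22s} {bits:6.1f} bits  {days:12.3g} days")
```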