
Hashcat – advanced password recovery - gphilip
https://hashcat.net/hashcat/
======
braxxox
I made this a while back to ease the barrier to entry to Hashcat:
[https://github.com/brannondorsey/naive-hashcat](https://github.com/brannondorsey/naive-hashcat)

Not that it's that big of a barrier, but it can be somewhat daunting to new
password crackers.

~~~
braxxox
Or, if you want to get experimental with it, I've been working on a
distributed browser password cracker here:
[https://github.com/brannondorsey/distributed-password-cracki...](https://github.com/brannondorsey/distributed-password-cracking).
It can be embedded in websites to borrow your visitor's CPU cycles to crack md5
hashes. Note that it is very slow in comparison to Hashcat, but it's a
proof-of-concept for something that I am hoping to soon add WebAssembly + WebGL
GPGPU cracking to.

~~~
j_s
Smells like in-browser cryptocurrency mining! Maybe you should compare notes.

[https://news.ycombinator.com/item?id=15528247](https://news.ycombinator.com/item?id=15528247)

[https://news.ycombinator.com/item?id=15470244](https://news.ycombinator.com/item?id=15470244)

[https://news.ycombinator.com/item?id=15333899](https://news.ycombinator.com/item?id=15333899)

[https://news.ycombinator.com/item?id=15270799](https://news.ycombinator.com/item?id=15270799)

[https://news.ycombinator.com/item?id=15246145](https://news.ycombinator.com/item?id=15246145)
<- Show:CoinHive

[https://news.ycombinator.com/item?id=15124211](https://news.ycombinator.com/item?id=15124211)

(All 40+ comments within the past ~2 months)

------
yangl1996
Used Hashcat in the Student Cluster Competition[1] of SC16 conference. There
was a task where students were asked to recover as many passwords as possible
from a vault consisting of md5crypt and bcrypt hashes[2]. The performance was
amazing - 8400k md5crypt per second with 2 NVIDIA K80.

I also profiled the code trying to discover possible optimizations, and found
that the code has been heavily optimized. Computation and data transfer are
well overlapped, so GPU utilization is pretty high. It's a really great tool.

[1]
[http://studentclustercompetition.us/2016/applications.html](http://studentclustercompetition.us/2016/applications.html)

[2]
[https://docs.google.com/document/d/1tXBy9-ajFtO_b8hvbuleqRbc...](https://docs.google.com/document/d/1tXBy9-ajFtO_b8hvbuleqRbcNYvgoGUQgvQN1vzPWHM/edit)

------
lossolo
I can recommend Hashcat, used it myself for cracking bitcoin wallet using
multiple GPUs. Great tool if you forget your password and it works with so
many applications/file formats.

~~~
cstrat
I thought cracking a bitcoin wallet was technically beyond the limitations of
today's computing power??

~~~
codefined
If you have enough of the bitcoin wallet, cracking the rest is possible with
today's resources.

If he was able to crack any random bitcoin wallet, I don't think he'd be
sharing it on this website.

~~~
dogma1138
You need the entire encrypted wallet so you can extract the password hash from
it; even then you need to know your password to the point of only 3-4 variable
chars to be able to effectively crack it, or use a pretty simple password that
is either moderately short with a small key space or is in a dictionary.

------
rsingla
When I was in undergraduate engineering (~3 years ago), hashcat was actually a
key part of some great computer security assignments. I'm happy to see it's
updated, although it was pretty solid when I had to use it!

------
nvusuvu
Will this work on something like a 100 character plaintext password that was
written down with 3 transcription errors? Can it try all permutations of the
100 char password changing up to 3 characters at a time?

~~~
Damogran6
Almost. You can write a script (language of choice) swapping out three letters
at a time to create a custom dictionary...hashcat doesn't do it, the
dictionary you feed it does.
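
Added example (not part of the thread and not hashcat's own code): a Python sketch of the kind of script described in the reply above, emitting every string within three substituted characters of the written-down password, one per line, as a custom dictionary. The alphabet is an assumption, and only substitution errors are covered (no dropped or extra characters).

```python
import string
import sys
from itertools import combinations, product
from math import comb

# Assumption: the password uses printable ASCII without spaces (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def candidate_count(length, max_errors, alphabet_size):
    """How many strings differ from the written one in at most max_errors places.

    Valid when every written character is itself in the alphabet.
    """
    return sum(comb(length, k) * (alphabet_size - 1) ** k
               for k in range(max_errors + 1))


def candidates(written, max_errors=3, alphabet=ALPHABET):
    """Yield each string within max_errors substitutions of `written`, once."""
    chars = list(written)
    for k in range(max_errors + 1):
        for positions in combinations(range(len(chars)), k):
            # At each chosen position try every symbol except the written one,
            # so exactly k characters change and no candidate repeats.
            options = [[c for c in alphabet if c != chars[p]] for p in positions]
            for replacement in product(*options):
                guess = chars[:]
                for p, c in zip(positions, replacement):
                    guess[p] = c
                yield "".join(guess)


if __name__ == "__main__":
    written = sys.argv[1]  # the password as written down
    # Check feasibility first: 100 chars with 3 errors is about 1.3e11 lines.
    total = candidate_count(len(written), 3, len(ALPHABET))
    print(f"{total} candidates", file=sys.stderr)
    for guess in candidates(written):
        print(guess)
```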

------
TwoBit
Last time I tried Hashcat, it didn't support my 18 character password.

~~~
web007
It does now - that's one of the main features in 4.0. They rewrote the CL hash
engine to work modularly, which gives up some hand-optimized speed in exchange
for simpler code and longer password support. 3.x supports 16 chars, with some
hashes supporting up to 32 chars. 4.x supports 256 chars across the board.

Full details at
[https://hashcat.net/forum/thread-6965.html](https://hashcat.net/forum/thread-6965.html)

------
jopsen
This reminds me to move to passwordstore with a gpg key on a Yubikey.

~~~
rurban
I hope you remember that GPG keys created on a Yubikey are unsafe, due to an
overly simple RSAlib implementation there for their Infineon chips.

~~~
JshWright
Keys created on _some_ Yubikeys (it's easy enough to check).

~~~
xelxebar
I've had a really hard time finding information on this. What exactly is
potentially broken and how do I check my key?

~~~
JshWright
[https://www.yubico.com/2017/10/infineon-rsa-key-generation-i...](https://www.yubico.com/2017/10/infineon-rsa-key-generation-issue/)

~~~
xelxebar
Oh dang. You're quick. Thanks!

------
kensai
I love the thermal watchdog feature!

