(01-06-2013, 01:53 PM) epixoip Wrote: there's always a tradeoff, and a small loss of speed is an acceptable tradeoff to make something more flexible and more powerful. speed isn't everything.
Totally agree
There is little point having the fastest cracker if you are unable to test the full length of the password.
My main interest is WPA and so I can only comment on that really. I have a free version of a now commercial GPU WPA cracking software which can test the full password range, 63 characters. I don't see much of a drop in performance compared to hashcat-plus so it is possible to do. The only downside to this other software I have is that it doesn't have the quality of "rule" support that hashcat-plus has.
It is interesting to consider some very simple passphrases just to see how quickly the 15 character limitation is reached.
this is my password
administrator password
administrator123
123administrator
administratorabc
administrator2000
please let me in
my name is stephen
my secret password
password for my computer
my wifi password
my router password
my computer password
etc...
Is this also the case in -a 1? Is this why, using it, I got this: Rejected.......: 5646663680/155026718720 (3.64%)?
Then how do I test > 15 chars? Only with -a 0 and -a 6 and -a 7?
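Added example, not part of any post in this thread: a Python sketch of how a 15-character cap produces a "Rejected" count in combinator mode, and how many of the passphrases listed above fall over the cap. It assumes the counter tallies left+right concatenations longer than the limit; the two wordlists are constructed samples.

```python
from collections import Counter

MAX_LEN = 15  # length limit discussed in this thread

def combinator_rejected(left, right, max_len=MAX_LEN):
    """Return (rejected, total) over every left+right concatenation.

    Uses the two length histograms, so the cost depends on the number of
    distinct word lengths rather than on len(left) * len(right).
    """
    left_hist = Counter(len(w) for w in left)
    right_hist = Counter(len(w) for w in right)
    rejected = sum(
        lcount * rcount
        for llen, lcount in left_hist.items()
        for rlen, rcount in right_hist.items()
        if llen + rlen > max_len
    )
    return rejected, len(left) * len(right)

def over_limit(candidates, max_len=MAX_LEN):
    """Candidates that a cracker capped at max_len can never try."""
    return [c for c in candidates if len(c) > max_len]

# Constructed sample wordlists (assumption, not taken from the thread).
LEFT = ["my", "admin", "password", "administrator", "please"]
RIGHT = ["123", "2000", "password", "computer", "abc"]

# The simple passphrases listed earlier in the thread.
PASSPHRASES = [
    "this is my password", "administrator password", "administrator123",
    "123administrator", "administratorabc", "administrator2000",
    "please let me in", "my name is stephen", "my secret password",
    "password for my computer", "my wifi password", "my router password",
    "my computer password",
]

if __name__ == "__main__":
    rejected, total = combinator_rejected(LEFT, RIGHT)
    print(f"Rejected: {rejected}/{total} ({100 * rejected / total:.2f}%)")
    long_ones = over_limit(PASSPHRASES)
    print(f"{len(long_ones)}/{len(PASSPHRASES)} passphrases exceed {MAX_LEN} chars")
```

Raising `max_len` to 63, the WPA maximum mentioned above, brings the rejected count for these samples to zero.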
(01-06-2013, 01:45 PM) K9 Wrote: It would be really useful for -a1. However this limit was set to increase the speed iirc. Since most passwords are length 6-8 it's better to have a fast oclhashcat with limits than a slow one without limits.
I think there is a misunderstanding. The performance increase based on the limitation is for fast hashes only. WPA and other slow algorithms are not affected.
(01-07-2013, 11:09 AM) atom Wrote: I think there is a misunderstanding. The performance increase based on the limitation is for fast hashes only. WPA and other slow algorithms are not affected.
Ah, thank you for that atom, it makes sense.
As I mentioned earlier, I don't understand the complexities of adding this feature, but is it still very hard to do as there have been many changes to hashcat-plus since I first asked about it ?
The structure of the program changed a lot, that is true, but regarding the length limitation there was no change.
Thanks atom
Do you mind if I add the request to the wiki again ?
I would like to add it to the "Pending - Under Consideration" section, if that's ok ?
I also want to give my point for increasing the limitation. I realised that in hashcatcli I can test passwords with > 15 chars, but it is quite time consuming using -a 1. I saw that a lot of hashes are hashes that were hashed, or even were hashes and were prepended with a word.
I got this hash today using hashcatcli
XX85410XbdXa87X40X7b6Xf8bX390da5:$1$eZFf3aSX$UCbHAQm7t1q/ZDCTSCmq
There are others with a word at the end. Using a wordlist of a few kb with hashcat using mode -a 1 will take hours.
(01-08-2013, 02:51 PM) Hash-IT Wrote: Thanks atom
Do you mind if I add the request to the wiki again ?
I would like to add it to the "Pending - Under Consideration" section, if that's ok ?
I pulled this from https://thepasswordproject.com/ (it's inactive now).
Basically they posted every major leak and analyzed passwords. I copied the length frequency in passwords table.
Code:
+--------+--------+-----------+
| Length |  Count |  Of total |
+--------+--------+-----------+
|      1 |    115 |   0.026 % |
|      2 |     66 |  0.0149 % |
|      3 |    302 |  0.0682 % |
|      4 |   2746 |  0.6201 % |
|      5 |   5324 |  1.2023 % |
|      6 |  79649 | 17.9863 % |
|      7 |  65653 | 14.8257 % |
|      8 | 119212 | 26.9204 % |
|      9 |  66056 | 14.9167 % |
|     10 |  54814 | 12.3781 % |
|     11 |  21259 |  4.8007 % |
|     12 |  21784 |  4.9192 % |
|     13 |   2584 |  0.5835 % |
|     14 |   1432 |  0.3234 % |
|     15 |    772 |  0.1743 % |
|     16 |    440 |  0.0994 % |
|     17 |    251 |  0.0567 % |
|     18 |    115 |   0.026 % |
|     19 |     77 |  0.0174 % |
|     20 |    168 |  0.0379 % |
|     21 |      5 |  0.0011 % |
|     22 |      3 |  0.0007 % |
|     24 |      1 |  0.0002 % |
|     28 |      1 |  0.0002 % |
|     29 |      2 |  0.0005 % |
|     30 |      1 |  0.0002 % |
+--------+--------+-----------+
@skalderis
Thanks for the table.
This isn't a criticism and I also don't want to sound ungrateful. However, as the passwords on that list are only the ones that were found, I wonder how many of the "not found" hashes were > 15 characters in length?
All I am suggesting is that it may be a sort of self-fulfilling prophecy. I am an uncomplicated sort of chap, so I may be completely wrong.
(01-09-2013, 01:33 AM) Hash-IT Wrote: However as the passwords on that list are only the ones that were found, I wonder how many of the "not found" hashes were > 15 characters in length?
precisely. what that table really demonstrates is the likeliness of a long password being cracked with current methods and software.
it's not that users aren't selecting long passwords, it's that we aren't cracking them. yes, the majority of users select a password 6-8 characters long. but with each leak there's always that 10% we cannot crack. and with all these highly-publicized leaks lately, it has reminded people that they need to choose longer passwords.