I know how huge the load would become with 3 words being shuffled around, but with a smaller and more targeted wordlist it would become feasible.
but I had this idea where the brute force mode could use a new option.
we now have ?a, ?l, ?u, ?d, ?s
we could add ?w (w for words)
so instead of a charset, words would be concatenated in all their possible values.
options could be stuff like :
words chosen len min and max
total phrase len min and max
The idea here is to go against all those long but simple passphrases. Also, during my cracking I find a lot of people concatenating words for passwords like (these aren't real but they look like the ones I've seen):
michellestevejason
balloondogcloud
redwhiteblue
onetwothreefourfive
etc...
Anyways, it's just a suggestion. I wanted to make my own but the generated lists are getting big and this is a lot of work for something so simple.
ps: this forum is addictive
Yeah, that's where I got the idea. My fix was to combine a few words and then use the combinator.
So first I build my 2-word list and then I use the combinator with a 1-word list so that I get the 3-word list.
But it's still a long process. But yeah, it's my problem lol, thanks for suggesting.
I like that idea, the question is just how to do it without losing performance compared to the current ones. For slow hashes it doesn't matter, but the fast hashes... Maybe I have an idea sometime how to do it without performance loss and then I will switch -a6 and -a7 to that..
Earlier on, seeing that those file cracking programs had built in support for combining words, I asked about this, too, for the hashcats.
But, more recently, presented in themes at those password conferences, and written about by Ars Technica, phrases gathered from Wikimedia sites and others, like "thereisnofatebutwhatwemake" have been found to be the bases for pass phrases.
Those types of lists are more likely to find passwords than just random words put together.
My approach now is to handle those lists apart from the hashcats, then present them as if they were passwords, to the usual mangling.
Oh no, sorry, I just was talking about the ?w thing. That's the interesting part. For combinator stuff use combinator.bin from hashcat-utils in combination with -a1 attack for full performance.
I was trying to interject the idea that rather than combining various words from word lists, collections of phrases actually used may do better.
Seeing the $w reminded me of how the file cracker programs typically can pull words from four dictionaries, $w, $x, $y, $z. I had asked if the hashcats could do something similar, which it can do with two dictionaries.
But the combinator attack runs slow, at least on my hardware. Attacks that could yield the "Sup3rThinkers" and "momof3g8kids" combinations would take too long. Running big lists through simple mangles is much faster.
It is unlikely that just combining word lists would yield "thereisnofatebutwhatwemake".
Yeah, maybe thereisnofatebutwhatwemake wouldn't come up, but we could get a lot of other sentences using very specific lists to build sentences.
Example:
List A: list of articles (a, the, an, etc...) + list of pronouns (I, you, they, we)
List B: list of nouns
List C: list of possible variations of the be verb (am, is, are, etc...)
List D: list of adjectives
So the final pattern could be: bruteforce of all the possible combinations of A B C D
This is a simple example but it's only a start. From this you could devise different sentence patterns, and instead of bruteforcing a whole list of words you would instead push for a logical ensemble.
this is exactly why I was asking for that feature
In some long ago posts I made to these forums, I suggested using the corpora that the linguists compile, from actually used phrases. Then more recently, at those password conferences, researchers like joshdustin and IT3700 presented how mining online sources like Wikipedia and Project Gutenberg yield popular phrases that people are more likely to use as the basis for pass phrases.
The "secret sauce" I don't know is how to rank known phrases in their likelihood to become passwords.
My belief is that already existent phrases are more likely to be used than random words thrown together.
I have posted requests here for more info from those doing those types of attacks.
Please use combinator.bin in combination with -a1 combinator attack.
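An added example, not part of the thread and not hashcat code: a password-audit check that flags passwords made only of concatenated dictionary words, and counts how many phrases fall inside the word-length and total-length limits proposed earlier in the thread. The word list, function names and default limits are assumptions constructed for illustration.

```python
# Constructed sample word list (assumption); a real audit would load a larger one.
WORDS = {"red", "white", "blue", "one", "two", "three", "four", "five",
         "balloon", "dog", "cloud"}

def segment(password, words, min_word=2, max_word=10):
    """Return the fewest-word split of `password` into listed words, or None."""
    pw = password.lower()
    n = len(pw)
    best = [None] * (n + 1)      # best[i] = fewest-word split of pw[:i]
    best[0] = []
    for end in range(1, n + 1):
        for size in range(min_word, min(max_word, end) + 1):
            start = end - size
            piece = pw[start:end]
            if best[start] is not None and piece in words:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[n]

def keyspace(words, n_words, min_word=2, max_word=10, min_total=0, max_total=64):
    """Count phrases of exactly n_words words whose total length is in range."""
    # Histogram of word lengths that pass the per-word limits.
    by_len = {}
    for w in words:
        if min_word <= len(w) <= max_word:
            by_len[len(w)] = by_len.get(len(w), 0) + 1
    counts = {0: 1}              # counts[length] = phrases built so far
    for _ in range(n_words):
        nxt = {}
        for total, c in counts.items():
            for wl, k in by_len.items():
                if total + wl <= max_total:
                    nxt[total + wl] = nxt.get(total + wl, 0) + c * k
        counts = nxt
    return sum(c for total, c in counts.items() if total >= min_total)

if __name__ == "__main__":
    for pw in ("redwhiteblue", "balloondogcloud", "Tr0ub4dor"):
        print(pw, "->", segment(pw, WORDS))
    print("3-word phrases, any length:", keyspace(WORDS, 3))
    print("3-word phrases of length 12:", keyspace(WORDS, 3, min_total=12, max_total=12))
```

A password that `segment` splits cleanly is only as strong as the phrase count `keyspace` reports for its word list and limits, however long the string looks.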