hashcat Forum

Full Version: Speed 8 characters
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I'm not used to perform brute force actions and I know complex random passwords with a lot of charatcers are impossible to crack but i thougt 8 characters would still be possible.

I'm trying out a captured handshake with a password of 8 characters (up/lower case + digits).

hashcat -m 22000 313463_1717752017.hc22000 -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1

I have an RTX 3070 but eta is still 10+ years. Is it me doing something wrong or is this normal?

Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: 313463_1717752017.hc22000
Time.Started.....: Fri Jun 07 12:39:29 2024 (1 min, 4 secs)
Time.Estimated...: Next Big Bang (> 10 years)
Yep, that's perfectly normal. As you say, randomly generated passwords are very secure. It'd take around 3 years on an RTX 4090
Ok thanks, I wasnt sure because of some charts on some infosec sites state that an 8 and even 9 character long password (alphanumeric + symbols) password can be forced fast. It seems they are exaggerating :p
(06-07-2024, 01:21 PM)Drbrakbek Wrote: [ -> ]Ok thanks, I wasnt sure because of some charts on some infosec sites state that an 8 and even 9 character long password (alphanumeric + symbols) password can be forced fast. It seems they are exaggerating :p

Yeah. They're generally awful although they may be talking about a different algorithm. WPA is tens of thousands of times slower than MD5, for example
8-9 character passwords are very insecure unless they are completely random. So you better define what you exactly mean with a "complex password".
Trying all possible combinations with a simple mask like that is extremely inefficient and is only needed if 8-9 character passwords are indeed truly random and computer generated.
To give you an example, if a user types a random passwords, keys are often adjacent, some are more frequent than others and caps and numbers are often grouped together. So it easy enough to hack up to a length of 12 characters or so of 'semi randomly typed' passwords. Most users don't even bother to try to be random, so with a dictionary or mask, followed with some rules, most 8-9 character passwords are hack-able i seconds to minutes since they follow predictable patterns and use words or at least syllables.
My bad, I see you mention "complex random passwords". Indeed, that explodes in possibilities.
You need to analyze the passwords from your access point.
Because in some cases there are key generators written in python.
There is a very good person on github
PlumLulz
He creates such generators.