07-30-2020, 10:56 PM

07-30-2020, 11:19 PM

07-31-2020, 12:55 AM

Wow great I just spent 6k on a rig and the software doesn't even do what it's supposed to do

07-31-2020, 08:37 AM

The good thing about mathematics is that it's very easy to see if something is proven to be impossible / infeasible, the values and results of calculations are hard facts, very easy to spot how huge they are and how fast they grow with increased input (length / size).

You just need to grasp some very basic mathematical concepts like multiplication (and maybe exponentials, but not really necessary to see the infeasibility in this case).

Even for a very fast hash (like NTLM), we normally say that it starts to become impossible to crack hashes (depending a little bit also on your hardware, but again it's mostly just the keyspace that matter a lot because it inceases very fast) with around 8-9 random character brute-force (?a).

Just do the math for this example: 8 x ?a => ?a?a?a?a?a?a?a?a , we get a keyspace of (26 + 26 + 10 + 33) ^ 8 = 95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 = 6,634,204,312,890,625

This is already a very huge number, even for a fast hash.

Now, just think about what happens if we add another character (?a = ?l?u?d?s) to it... yeah in multiplies by 95 again.... so almost one hundred times larger than the original keyspace. We say that with increased password length the keyspace grows "exponentially". We are now at 95 ^ 9 = 630,249,409,724,609,375 and this are "only" 9 random characters.

Just think about how mathematically large your keyspace is with 22-23 characters. It's tremendously huge. It's too huge, infeasible. It doesn't matter what software you use if something is mathematically out of reach.

If you think deeply about these concepts, the cracking software only changes a constant factor, the hashing speed. It's an important factor, but again it doesn't really make something impossible suddently possible to crack or something infeasible suddently feasible.

If the mathematical calculation tells you that your calculated keyspace value (total number of password candidates to test) is larger than all grains of sand in the universe, you should notice that something isn't quite right and that it's not possible. A larger number for your keyspace result than atoms on the earth doesn't really look promising.

Cracking a 22-23 character random password (even with this very small, negligible, reduction because of custom charsets) also falls in that category of infeasible and too huge things, mathematically. It doesn't really matter which software you use. The software only can change the speed by a constant C and the range of C is also relatively tight across cracking tools. The C value (and therefore the speed) doesn't make impossible things suddently possible, uncrackable hashes, suddently crackable.

That said, if the passwords were not 100% randomly generated but chosen by humans etc, there might be the chance of other more clever and efficient attacks... but 22-23 random character long passwords will always be hard to crack if the hashing algorithm is not completely flawed/broken.

Just think again about it: you are trying to crack a "random" 22 character long password with a brute-force attack for which each and every character must be combined with other 21 "random" characters and each and every combination of those charsets must be tested. This is just insane, not only from a mathematical standpoint.

You just need to grasp some very basic mathematical concepts like multiplication (and maybe exponentials, but not really necessary to see the infeasibility in this case).

Even for a very fast hash (like NTLM), we normally say that it starts to become impossible to crack hashes (depending a little bit also on your hardware, but again it's mostly just the keyspace that matter a lot because it inceases very fast) with around 8-9 random character brute-force (?a).

Just do the math for this example: 8 x ?a => ?a?a?a?a?a?a?a?a , we get a keyspace of (26 + 26 + 10 + 33) ^ 8 = 95 * 95 * 95 * 95 * 95 * 95 * 95 * 95 = 6,634,204,312,890,625

This is already a very huge number, even for a fast hash.

Now, just think about what happens if we add another character (?a = ?l?u?d?s) to it... yeah in multiplies by 95 again.... so almost one hundred times larger than the original keyspace. We say that with increased password length the keyspace grows "exponentially". We are now at 95 ^ 9 = 630,249,409,724,609,375 and this are "only" 9 random characters.

Just think about how mathematically large your keyspace is with 22-23 characters. It's tremendously huge. It's too huge, infeasible. It doesn't matter what software you use if something is mathematically out of reach.

If you think deeply about these concepts, the cracking software only changes a constant factor, the hashing speed. It's an important factor, but again it doesn't really make something impossible suddently possible to crack or something infeasible suddently feasible.

If the mathematical calculation tells you that your calculated keyspace value (total number of password candidates to test) is larger than all grains of sand in the universe, you should notice that something isn't quite right and that it's not possible. A larger number for your keyspace result than atoms on the earth doesn't really look promising.

Cracking a 22-23 character random password (even with this very small, negligible, reduction because of custom charsets) also falls in that category of infeasible and too huge things, mathematically. It doesn't really matter which software you use. The software only can change the speed by a constant C and the range of C is also relatively tight across cracking tools. The C value (and therefore the speed) doesn't make impossible things suddently possible, uncrackable hashes, suddently crackable.

That said, if the passwords were not 100% randomly generated but chosen by humans etc, there might be the chance of other more clever and efficient attacks... but 22-23 random character long passwords will always be hard to crack if the hashing algorithm is not completely flawed/broken.

Just think again about it: you are trying to crack a "random" 22 character long password with a brute-force attack for which each and every character must be combined with other 21 "random" characters and each and every combination of those charsets must be tested. This is just insane, not only from a mathematical standpoint.