+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Speed 8 characters (/thread-12022.html)
Speed 8 characters - Drbrakbek - 06-07-2024
I'm not used to perform brute force actions and I know complex random passwords with a lot of charatcers are impossible to crack but i thougt 8 characters would still be possible.
I'm trying out a captured handshake with a password of 8 characters (up/lower case + digits).
hashcat -m 22000 313463_1717752017.hc22000 -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1
I have an RTX 3070 but eta is still 10+ years. Is it me doing something wrong or is this normal?
Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: 313463_1717752017.hc22000
Time.Started.....: Fri Jun 07 12:39:29 2024 (1 min, 4 secs)
Time.Estimated...: Next Big Bang (> 10 years)
RE: Speed 8 characters - penguinkeeper - 06-07-2024
Yep, that's perfectly normal. As you say, randomly generated passwords are very secure. It'd take around 3 years on an RTX 4090
RE: Speed 8 characters - Drbrakbek - 06-07-2024
Ok thanks, I wasnt sure because of some charts on some infosec sites state that an 8 and even 9 character long password (alphanumeric + symbols) password can be forced fast. It seems they are exaggerating :p
RE: Speed 8 characters - penguinkeeper - 06-07-2024
(06-07-2024, 01:21 PM)Drbrakbek Wrote: Ok thanks, I wasnt sure because of some charts on some infosec sites state that an 8 and even 9 character long password (alphanumeric + symbols) password can be forced fast. It seems they are exaggerating :p
Yeah. They're generally awful although they may be talking about a different algorithm. WPA is tens of thousands of times slower than MD5, for example
RE: Speed 8 characters - monyanus - 06-09-2024
8-9 character passwords are very insecure unless they are completely random. So you better define what you exactly mean with a "complex password".
Trying all possible combinations with a simple mask like that is extremely inefficient and is only needed if 8-9 character passwords are indeed truly random and computer generated.
To give you an example, if a user types a random passwords, keys are often adjacent, some are more frequent than others and caps and numbers are often grouped together. So it easy enough to hack up to a length of 12 characters or so of 'semi randomly typed' passwords. Most users don't even bother to try to be random, so with a dictionary or mask, followed with some rules, most 8-9 character passwords are hack-able i seconds to minutes since they follow predictable patterns and use words or at least syllables.
RE: Speed 8 characters - monyanus - 06-10-2024
My bad, I see you mention "complex random passwords". Indeed, that explodes in possibilities.
RE: Speed 8 characters - 174region174 - 06-11-2024
You need to analyze the passwords from your access point.
Because in some cases there are key generators written in python.
There is a very good person on github
PlumLulz
He creates such generators.