PHD hashrunner 2013
#3
(05-27-2013, 12:34 PM)atom Wrote: Password patterns do not mirror a real-life situation in a pentest

In a real-life situation you do not crack 100% of an unknown list. Especially not if it is salted, highly iterated, or uses bcrypt or sha512crypt.


True, but as someone on the receiving end of security advice from pentesters and security consultants, I often hear that users will choose passwords that follow common patterns.
So even if you won't crack everything with a single pattern, you should be able to cover a lot by finding a few patterns.
Specifically, I'm thinking of the claims that users will form their passwords according to whatever policy is enforced on them (i.e. the classic example Password01, with capital first and digits at the end).
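How much of a password set a few policy-shaped patterns cover can be measured during a password audit. The following is an added example, not part of the original post; the function names are hypothetical and the sample list is constructed for illustration.

```python
from collections import Counter

def topology(password: str) -> str:
    """Map each character to its class: U upper, L lower, D digit, S other."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("U")
        elif ch.islower():
            out.append("L")
        elif ch.isdigit():
            out.append("D")
        else:
            out.append("S")
    return "".join(out)

def collapse(topo: str) -> str:
    """Collapse runs so length alone does not split a pattern: ULLLLLLLDD -> ULD."""
    out = []
    for c in topo:
        if not out or out[-1] != c:
            out.append(c)
    return "".join(out)

def coverage(passwords, top_n=3):
    """Return [(pattern, count, cumulative_fraction)] for the top_n patterns."""
    counts = Counter(collapse(topology(p)) for p in passwords)
    total = len(passwords)
    rows, running = [], 0
    for pattern, n in counts.most_common(top_n):
        running += n
        rows.append((pattern, n, running / total))
    return rows

# Constructed sample: mostly "capital first, digits at the end" passwords,
# plus a few that do not follow the policy-driven shape.
SAMPLE = [
    "Password01", "Summer2013", "Welcome1", "Monday12", "London99",
    "Company2013!", "Spring13!", "qwerty", "letmein", "x7#Kq!v2Zr",
]

if __name__ == "__main__":
    for pattern, n, cum in coverage(SAMPLE):
        print(f"{pattern:<12} {n:>3}  cumulative {cum:.0%}")
```

Run against an organisation's own audited passwords, the cumulative column shows how strongly the enforced policy shapes user choices.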

