01-01-2015, 07:59 AM
(01-01-2015, 07:30 AM)epixoip Wrote: You're not going to be able to brute force past 9 characters, let alone 32.
Epixoip is right. True brute forcing past about 8 characters is not practical. You'll hit a wall. See this Password cracking wall picture.
You'll have to be more intelligent about your attacks. Like many computer topics, there is some art mixed in with the science. There are many approaches to >8 character passwords. I've cracked some 16 character passwords. I didn't use brute force.
For the moment, and this will likely change, here is my approach:
1) Brute force 1-6 all characters (?a)
2) Brute force 7-8 only lowercase
3) Brute force 7-8 only uppercase
4) Brute force 3 letters + 4 digits
5) Brute force 1-12 digits only
6) Wordlists + above through best64 (and maybe d3ad0ne)
7) Hybrid - 2-3 digits or symbols to wordlists
8) Hybrid - 4 digits to wordlists
9) Hybrid - 3 digits or lowercase to wordlists
10) Hybrid - 1-2 symbols in front of wordlists
11) Take recovered and run Markov
Your card is better than mine, so you might take step 1 up to 7 characters. If so, adjust the other steps 2-4. And yes, there some overlap in step 5, but for me, the time lost re-checking those hashes is less than it would take to exclude them.