12-16-2021, 06:49 AM
Thanks everyone! I felt a lot of relief because of this.
Answers to some of the questions.
1. Length of password: It was 12 characters. A few characters, a word and numbers and characters.
2. Hardware spec: old i5 laptop. I read that the scrypt encryption limits usability of GPU so just used CPU.
3. The rules file really saves you. It's also, I think, how people intuitively generate their own passwords, so it makes sense to use that approach if you can go through the short learning curve.
Instead of the mask system, the rules made more sense because what was more common was the type of characters I used and their placement in my passwords as opposed to the length of the password.
The common passwords ranged from 8 to 16 characters but that all depended on the amount of characters or numbers at the start or end of the specific word.
And each word had different lengths. In this case the rules make more sense.
To make my rules list I opened my last saved passwords from the last 5 years that I had either written down or saved in Chrome auto-save (bad practice, I know) and created two text files. One was the "text.txt" file that had my base words, and the second was the rules.txt file. In my post above I mentioned the Hashcat command to generate a password output text file of every possible combination using my base words and all the special rules.
Code:
##base word is in text.txt file
##: the colon is command to include base word but for some reason it includes the word twice so I'm commenting it out for now
##custom rules we want: prepend characters, append numbers and always capitalize the first letter of the word in the middle of the password
##capitalizes first letter and lowers the rest
c
##prepends characters to the start, it goes in this direction because of how it reads it and it appends an exclamation to the end
^!^!^@
^!^!^@$1
^!^(^)
^!^(^)$1
^!^(^)$1$1
^!^@^!
^!^@^!$1
^!^@^!$1$1
I had more combinations than this rules list but this is an idea of how my rules file was generated.
Basically hashcat reads every line in the rule.txt file as a new set of possible passwords to generate. So the more rules combined with more base words to combine with leads to a fairly long list of passwords relative to the 100 base words I started out with. This worked for me because although it was a common word (one of the 100), the character/number combination that was used was not common.
4. Renting GPU/CPU space: I read that scrypt doesn't work well on GPUs so I looked for CPU options.
I DM'd someone here regarding renting CPUs but didn't get a reply.
I read that renting CPUs on Amazon allows you to get up to 5000 guesses per second.
Since the value locked was pretty decent I was willing to pay a significant amount to recover the file.
I also contacted a specialist who said they could crack it in a month for just over $200k so in a sense that was my limit but I really did not want to go that high.
My next plan if the initial list didn't work was to go on a CPU purchasing spree.
I found that I was able to get just under 1 guess per second, so I figured I would try to get a machine that could get 2 guesses per second then buy 10 of those PCs for under $1k each and try it for a few months. I could always donate the computers later. This would increase my guessing ability by 10x for $10k which seems like a good tradeoff. And by that time I would either hit on my guesses or basically realize I was not going to ever hit.
After everything I've read about scrypt since finding hashcat though, I'm not sure if the guy telling me he could crack it in a month could have really done it if my main password rules setup didn't work.
Limiting the attack surface, as people say on here, is really the best move and that's why I really encourage people, even newbies, to learn to use the rule-based system.
Question for the experts:
Could someone with more experience tell us what the realistic number of guesses per second that could be expected per machine would be when guessing against scrypt?
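An added example, not part of the original post and not hashcat's own code: a small Python interpreter for the four rule functions that appear in the rules file above (`:`, `c`, `^X`, `$X`). It shows why the prepend characters are written in reverse and how base words times rule lines sets the size of the candidate list. The sample words, the combined rule line and the 500-rule figure are constructed for illustration.

```python
# Added example: minimal interpreter for the rule functions used in the post
# (':', 'c', '^X', '$X'). Not hashcat's code; other functions are rejected.

def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line, left to right, to a single base word."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op == " ":                      # spaces between functions are ignored
            i += 1
        elif op == ":":                    # no-op: pass the word through unchanged
            i += 1
        elif op == "c":                    # capitalize first letter, lowercase the rest
            out = out[:1].upper() + out[1:].lower()
            i += 1
        elif op in "^$":                   # prepend / append the next character
            if i + 1 >= len(rule):
                raise ValueError(f"rule {rule!r}: {op} needs a character")
            out = rule[i + 1] + out if op == "^" else out + rule[i + 1]
            i += 2
        else:
            raise ValueError(f"rule {rule!r}: unsupported function {op!r}")
    return out

def load_rules(text: str) -> list[str]:
    """Keep rule lines; skip blank lines and '#' comment lines."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def candidates(words, rules):
    """One candidate per (word, rule) pair."""
    return [apply_rule(r, w) for w in words for r in rules]

def hours_to_exhaust(n_words: int, n_rules: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return n_words * n_rules / guesses_per_sec / 3600

# Constructed sample input (not the poster's real words or full rule list).
RULES = load_rules("""
## comment lines are skipped
c
^!^!^@
c ^!^(^) $1 $1
""")
WORDS = ["sunshine", "harbor"]

if __name__ == "__main__":
    for cand in candidates(WORDS, RULES):
        print(cand)        # e.g. ^!^!^@ turns "sunshine" into "@!!sunshine"
    # 100 base words x 500 rule lines (assumed count) at 1 guess per second
    print(round(hours_to_exhaust(100, 500, 1.0), 1), "hours")
```

Each `^` puts its character in front of whatever has been built so far, so the last `^` on the line ends up first in the candidate.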