01-10-2026, 08:10 PM
1) It just takes the newly cracked passwords and passes them straight back in as a wordlist, so if you cracked "Password123" then it was looped back in, it might crack "Password1234", as an example. It's basically free cracks and you should often have it enabled.
b) Rockyou isn't a particularly big wordlist but no, given rockyou is already quite a password-friendly wordlist, you shouldn't need to only save the base words, unless you want to target your wordlist against your target, but at that point you probably shouldn't be using rockyou and should be using something much larger like Hashmob's
2) Primarily for testing or collision-friendly algorithms where multiple plaintexts are possible for a single hash. It's not appropriate for your use case of "Mysql 4.1/5" and Hashcat will print a warning for hash modes that it may be helpful to use in (again, mysql not included).
3) Not really, no. You can technically do it with rejection rules but they don't work in the way you'd expect and for something like 4-16, it wouldn't make a difference, as almost all of your candidates would be between those 2 lengths anyway
4) You can use --outfile-autohex-disable if you don't want the hexing but it's usually safer to not, as the plaintext may contain dangerous stuff like unprintable chars or separators. It kinda depends what you're doing with the cracks. I'm not sure what the GitHub thing you're referring to is, but it shouldn't be a problem in your case
5) One big wordlist, but not too large. 20GB is at the top limit of what's possible to realistically harvest, so these 80GB/300GB wordlists out there like weakpass are mostly filled with junk and you can ignore them
6) 95% is hard for a beginner but I believe in you. Hash cracking is an art in that you really just have to get experience with it to know what to do in each situation and it's hard to recommend stuff without seeing the cracks themselves. Going to a larger/better wordlist, other than rockyou like Hashmob's is probably a good start
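An added example, not part of the original post: a small parser for hashcat's `hash:plain` outfile that decodes `$HEX[...]` fields, run over the same three plaintexts written hex-wrapped and written raw, to show what answer 4 means by separators and unprintable characters being dangerous. The digests and plaintexts are constructed placeholders, the function names are hypothetical, and the parser assumes the hash field itself contains no separator.

```python
import re

# hashcat's outfile notation for plaintexts it will not write raw.
HEX_FIELD = re.compile(r"\$HEX\[((?:[0-9a-fA-F]{2})*)\]")


def decode_plain(field: str) -> bytes:
    """Return the plaintext bytes for one outfile plaintext field."""
    m = HEX_FIELD.fullmatch(field)
    return bytes.fromhex(m.group(1)) if m else field.encode("utf-8")


def parse_outfile(text: str, sep: str = ":") -> list[tuple[str, bytes]]:
    """Parse hash<sep>plain records, splitting at the first separator only."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        digest, _, plain = line.partition(sep)
        records.append((digest, decode_plain(plain)))
    return records


# Constructed sample data: placeholder 40-hex digests, not real hashes.
H1, H2, H3 = "a" * 40, "b" * 40, "c" * 40

# Default behaviour: a plaintext with ':' and one with a newline are hex-wrapped.
AUTOHEX = f"{H1}:Password123\n{H2}:$HEX[70613a7373]\n{H3}:$HEX[6162630a646566]\n"

# The same three cracks written raw, as with --outfile-autohex-disable.
# The embedded newline turns one record into two lines.
RAW = f"{H1}:Password123\n{H2}:pa:ss\n{H3}:abc\ndef\n"

if __name__ == "__main__":
    for name, text in (("autohex", AUTOHEX), ("raw", RAW)):
        print(name)
        for digest, plain in parse_outfile(text):
            print("  ", digest[:8], plain)
```

The hex-wrapped file yields three clean records, while the raw file yields four, the last being a stray `def` line with no hash attached.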
