Best practices to generate a long and complex password?
#1
Hello,

I have been playing with hashcat for the past weeks as I’m facing a challenge where I have to recover a password for a Multibit wallet (mode 22500) from a user that was referred to me. The password is likely to be long (from 15 to 20 characters) and to be made up of letters, digits and symbols. Phew!

Fortunately, the letters and digits are not random. For his passwords, the user chooses words and numbers that have meaning to him and he has a rough idea of what he might have used for his wallet. (I say rough idea because he created his wallet in 2013 when he was inebriated!) Letter capitalization follows predictable and common patterns. The special symbols are trickier since they are random; however, it appears as if there are only 5 possible characters.

Thus, I have two files: a list of words and a list of numbers. Now, say I would like to use them to generate a password with the structure below. Word 1 and Word 2 are taken from the same wordlist; same goes for Number 1 and Number 2.
  • 0 to 3 special characters.
  • Word 1.
  • Number 1.
  • 0 to 3 special characters.
  • Word 2.
  • Number 2.
  • 0 to 3 special characters.
For example, the passwords below would fit within the structure above:
  • %*Julie93!/Mark91/
  • ///Julie02*Mark02
  • Julie55//*Mark56
Here’s what I’m doing right now to create such a password structure:
  • I use Combinator to generate all combinations possible for Word 1 and Number 1.
  • I use Maskprocessor to add 0 to 3 special characters for each entry generated by the Combinator.
  • I append Word 2 to each entry generated by the Maskprocessor.
  • At this stage, I have a list of partial passwords (like Julie93!/Mark). I run this list through hashcat (attack mode = 0) and I stack three rules: a rule that prepends 0 to 3 special characters to the password; a rule that appends Number 2 to the password; and a rule that appends 0 to 3 special characters to the password.
While this method works, it feels convoluted and restrictive. Is there a better way to achieve what I want? What are your thoughts?
#2
I would likely do something like that as well, so I don't feel like you're doing it wrong at all.
You could maybe do it in steps, like for the first run do 0 starting special chars, then 1, 2, 3 (instead of doing a single run with the whole keyspace).
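Added example, not part of the thread: a Python sketch that sizes the structure from post #1 and splits it into the four runs suggested in post #2 (0, 1, 2, 3 leading special characters), with a generator for one run so the formula can be checked against real output. The word and number lists are constructed samples, `#` stands in for the unnamed fifth symbol, and all function names are hypothetical.

```python
from itertools import product

# Constructed sample inputs; the real lists are the poster's two files.
WORDS = ["Julie", "Mark"]
NUMBERS = ["93", "91", "02"]
SPECIALS = "%*!/#"  # the post says 5 symbols; '#' is a placeholder for the fifth


def runs(specials, length):
    """All special-character strings of exactly `length` characters."""
    return ["".join(p) for p in product(specials, repeat=length)]


def runs_up_to(specials, max_len=3):
    """All special-character strings of 0..max_len characters."""
    return [r for n in range(max_len + 1) for r in runs(specials, n)]


def slice_size(n_words, n_numbers, n_specials, lead_len, max_len=3):
    """Candidates in the run with exactly `lead_len` leading specials."""
    any_run = sum(n_specials ** n for n in range(max_len + 1))
    return n_specials ** lead_len * any_run ** 2 * (n_words * n_numbers) ** 2


def candidates(words, numbers, specials, lead_len, max_len=3):
    """Yield one run: lead specials, Word 1, Number 1, specials,
    Word 2, Number 2, specials."""
    mid_or_tail = runs_up_to(specials, max_len)
    for lead, w1, n1, mid, w2, n2, tail in product(
        runs(specials, lead_len), words, numbers, mid_or_tail,
        words, numbers, mid_or_tail,
    ):
        yield f"{lead}{w1}{n1}{mid}{w2}{n2}{tail}"


if __name__ == "__main__":
    total = 0
    for k in range(4):
        size = slice_size(len(WORDS), len(NUMBERS), len(SPECIALS), k)
        total += size
        print(f"{k} leading specials: {size:>12,} candidates")
    print(f"whole keyspace:     {total:>12,} candidates")
```

Each extra leading symbol multiplies the run by the number of symbols, so with 5 symbols the 3-symbol run alone is about 80% of the whole keyspace.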
#3
(11-27-2021, 07:47 PM)Xanadrel Wrote: I would likely do something like that as well, so I don't feel like you're doing it wrong at all.
You could maybe do it in steps, like for the first run do 0 starting special chars, then 1, 2, 3 (instead of doing a single run with the whole keyspace).
Thank you for the input. I'm surprised that there aren't many replies, so I presume that what I'm doing is indeed very much correct!