Posts: 2
Threads: 1
Joined: Jun 2024
06-07-2024, 12:42 PM
(This post was last modified: 06-07-2024, 12:48 PM by Drbrakbek.)
I'm not used to performing brute force actions and I know complex random passwords with a lot of characters are impossible to crack but I thought 8 characters would still be possible.
I'm trying out a captured handshake with a password of 8 characters (up/lower case + digits).
hashcat -m 22000 313463_1717752017.hc22000 -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1
I have an RTX 3070 but the ETA is still 10+ years. Is it me doing something wrong or is this normal?
Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: 313463_1717752017.hc22000
Time.Started.....: Fri Jun 07 12:39:29 2024 (1 min, 4 secs)
Time.Estimated...: Next Big Bang (> 10 years)
Posts: 175
Threads: 2
Joined: Apr 2021
Yep, that's perfectly normal. As you say, randomly generated passwords are very secure. It'd take around 3 years on an RTX 4090
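The arithmetic behind the two estimates above, as an added example that is not part of the thread: it counts the candidates a hashcat mask generates and converts the count to years. The only rate used is the one implied by the reply's "around 3 years on an RTX 4090" figure, derived here rather than measured, and the function names are hypothetical.

```python
import string
# hashcat's built-in charsets used here (?s is 32 punctuation marks plus space).
BUILTIN = {"l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
           "d": set(string.digits), "s": set(string.punctuation + " ")}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def tokens(mask):
    """Split a mask into '?x' placeholders and literal characters."""
    i = 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        yield mask[i:i + step]
        i += step

def expand(token, custom):
    """Set of characters a single token can stand for."""
    if len(token) == 1:
        return {token}              # literal character
    key = token[1]
    if key == "?":
        return {"?"}                # '??' is an escaped question mark
    if key in custom:
        return custom[key]          # ?1..?4 defined with -1..-4
    if key in BUILTIN:
        return BUILTIN[key]
    raise ValueError(f"unsupported placeholder {token!r}")

def keyspace(mask, custom_defs=None):
    """Number of candidates a mask generates, e.g. keyspace('?1?1', {'1': '?l?d'})."""
    custom = {}
    for name, spec in (custom_defs or {}).items():
        # Overlapping definitions such as '?l?lab' are de-duplicated by the set union.
        custom[name] = set().union(*(expand(t, custom) for t in tokens(spec)))
    total = 1
    for t in tokens(mask):
        total *= len(expand(t, custom))
    return total

def years_to_exhaust(candidates, rate_per_second):
    """Worst-case time to try every candidate at a fixed rate."""
    return candidates / rate_per_second / SECONDS_PER_YEAR

# Mask from the first post (62 symbols, 8 positions) and the rate implied by
# the reply's "around 3 years" estimate (an assumption derived from the thread).
POSTED = keyspace("?1" * 8, {"1": "?l?d?u"})
IMPLIED_RATE = POSTED / (3 * SECONDS_PER_YEAR)

if __name__ == "__main__":
    for label, n in (("posted mask", POSTED), ("8 digits", keyspace("?d" * 8)),
                     ("8 printable ASCII", keyspace("?a" * 8))):
        print(f"{label:18} {n:.3e} candidates, {years_to_exhaust(n, IMPLIED_RATE):.3g} years")
```

At the implied rate of roughly 2.3 million candidates per second, an 8-digit passphrase is exhausted in under a minute, while the same length drawn at random from all printable ASCII takes about 91 years.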
Posts: 2
Threads: 1
Joined: Jun 2024
06-07-2024, 01:21 PM
(This post was last modified: 06-07-2024, 01:21 PM by Drbrakbek.)
Ok thanks, I wasn't sure because some charts on some infosec sites state that an 8 and even 9 character long password (alphanumeric + symbols) can be forced fast. It seems they are exaggerating :p
Posts: 175
Threads: 2
Joined: Apr 2021
(06-07-2024, 01:21 PM)Drbrakbek Wrote: Ok thanks, I wasn't sure because some charts on some infosec sites state that an 8 and even 9 character long password (alphanumeric + symbols) can be forced fast. It seems they are exaggerating :p
Yeah. They're generally awful although they may be talking about a different algorithm. WPA is tens of thousands of times slower than MD5, for example
Posts: 46
Threads: 10
Joined: Mar 2021
06-09-2024, 12:13 PM
(This post was last modified: 06-09-2024, 12:14 PM by monyanus.)
8-9 character passwords are very insecure unless they are completely random. So you better define what you exactly mean with a "complex password".
Trying all possible combinations with a simple mask like that is extremely inefficient and is only needed if 8-9 character passwords are indeed truly random and computer generated.
To give you an example, if a user types a random password, keys are often adjacent, some are more frequent than others and caps and numbers are often grouped together. So it is easy enough to hack up to a length of 12 characters or so of 'semi randomly typed' passwords. Most users don't even bother to try to be random, so with a dictionary or mask, followed with some rules, most 8-9 character passwords are hackable in seconds to minutes since they follow predictable patterns and use words or at least syllables.
Posts: 46
Threads: 10
Joined: Mar 2021
My bad, I see you mention "complex random passwords". Indeed, that explodes in possibilities.
Posts: 28
Threads: 3
Joined: Dec 2022
You need to analyze the passwords from your access point.
Because in some cases there are key generators written in Python.
There is a very good person on GitHub
PlumLulz
He creates such generators.