Password limit of 16 chars - md5crypt
#1
Hi guys,

I was recently auditing some md5crypt ($1) Unix hashes on CentOS. For dictionary entries size 1-15 I was using oclHashcatplus, while for bigger ones I was using hashcat 0.41, since I've read here that hashcat 0.41, the CPU version, has much higher password limits (55).

I was extremely surprised to discover that for -m 500 (md5crypt), even in hashcat 0.41, the limit is still 16 chars.

Can somebody please confirm / infirm this?

Thanks,
Paul
#2
md5crypt works only up to length 16. Thats true also in hashcat cpu.
#3
Hi atom,

Thanks for the reply.
Would it be hard to increase the limit to 32? I think that with hashcat CPU, the speed is not the most important thing.

You could first try passwords sized 1-15 with oclHashcatplus, then for higher lengths, at least you could try them with the CPU.

Thanks,
P

(11-22-2012, 10:46 AM)atom Wrote: md5crypt works only up to length 16. Thats true also in hashcat cpu.
#4
As someone who's been running into length limitations lately I would greatly appreciate longer length support. I appreciate the intent on speed for oclhashcat-*, but having an option that supports full length (or at least longer length) passwords would be huge.

paul6990's suggestion of starting with the ocl suite and then moving to CPU for the longer ones seems like a reasonable compromise.
#5
You know how high chances are you find passwords of length 16 and more?
#6
(11-26-2012, 11:18 AM)atom Wrote: You know how high chances are you find passwords of length 16 and more?

I don't because I can't crack them right now to know. Smile Okay I can, but it's much much slower.

Your point is well taken, however I do run into situations where there are password schemes (say company name prefixes or the like) or quotes being used "tear down this wall!", "my kingdom for a horse!", etc...

Clearly for the normal user of this tool this won't come up that often, so while I care about it I would also understand if you didn't care much.