15 chars limitation
#21
The full rockyou analysis:

1 = 50 (0.0%)
2 = 341 (0.0%)
3 = 2480 (0.02%)
4 = 18016 (0.13%)
5 = 259169 (1.81%)
6 = 1947848 (13.58%)
7 = 2506256 (17.47%)
8 = 2965991 (20.68%)
9 = 2190993 (15.27%)
10 = 2013686 (14.04%)
11 = 865969 (6.04%)
12 = 555331 (3.87%)
13 = 364169 (2.54%)
14 = 248513 (1.73%)
15 = 161182 (1.12%)
16 = 118408 (0.83%)
17 = 36881 (0.26%)
18 = 23769 (0.17%)
19 = 15568 (0.11%)
20 = 13070 (0.09%)
21 = 7851 (0.05%)
22 = 6157 (0.04%)
23 = 4850 (0.03%)
24 = 4238 (0.03%)
25 = 2951 (0.02%)
26 = 2250 (0.02%)
27 = 1812 (0.01%)
28 = 1198 (0.01%)
29 = 786 (0.01%)
30 = 993 (0.01%)
31 = 470 (0.0%)

Support of > length 15 will result in a maximum of 1.5% more cracked passwords. Since this is very unlikely to crack all of them, I guess the real number os more around 0.5%.
#22
rockyou is more than 3 years old? Everything changes, more and more people uses sentences as they'r password. Maybe it's really would be possible to make 15+ for few kernels, and to test performance drop.
#23
(01-09-2013, 02:13 AM)epixoip Wrote: precisely. what that table really demonstrates is the likeliness of a long password being cracked with current methods and software.

it's not that users aren't selecting long passwords, it's that we aren't cracking them. yes, the majority of users select a password 6-8 characters long. but with each leak there's always that 10% we cannot crack. and with all these highly-publicized leaks lately, it has reminded people that they need to choose longer passwords.

Thanks for your reply epixoip. Smile

From the moment I posted I woried all night, I thought I might have overlooked something and got it completely wrong. I was prepared for ridicule today, ha ha !
#24
(01-09-2013, 10:27 AM)KT819GM Wrote: Maybe it's really would be possible to make 15+ for few kernels, and to test performance drop.

Perhaps this could be applied to WPA as I understand there would be no performance drop.
#25
(01-09-2013, 10:07 AM)atom Wrote: The full rockyou analysis:

but keep in mind rockyou's demographics: primarily kids, teenagers, and hopeless housewives who pass their time playing myspace and facebook games. not the most intelligent or well-trained bunch.

the rockyou leak was brilliant because it opened the first real window to the psychology behind password selection on a massive scale. the problem is, as large as that window was, it was still rather rather narrow and we cannot see the entire picture through it alone.

also remember that things are changing, especially with all the recent publicity around large leaks. the number of people using long passwords is increasing.
#26
(01-09-2013, 01:31 PM)Hash-IT Wrote:
(01-09-2013, 02:13 AM)epixoip Wrote: precisely. what that table really demonstrates is the likeliness of a long password being cracked with current methods and software.

it's not that users aren't selecting long passwords, it's that we aren't cracking them. yes, the majority of users select a password 6-8 characters long. but with each leak there's always that 10% we cannot crack. and with all these highly-publicized leaks lately, it has reminded people that they need to choose longer passwords.

Thanks for your reply epixoip. Smile

From the moment I posted I woried all night, I thought I might have overlooked something and got it completely wrong. I was prepared for ridicule today, ha ha !

Why would you worry about something you posted. If it was wrong you would be educated.
#27
(01-09-2013, 05:54 PM)radix Wrote: Why would you worry about something you posted. If it was wrong you would be educated.

Well... it was one of those moments where it seemed so simple or obvious I worried that I must have overlooked something. There are a lot of clever people on here and I regularly find myself in discussions where I am massivly out of my depth. Sad

However, this one has turned out to be a bit of a confidence boost, so I have promoted myself from forum clown to thickie. Only a step away from the dizzy heights of idiot status. Smile
#28
Well, I think, a lof of us would greet no lenght limitations. The trush is we could crack tiny percentage of longer passwords, but a lot of passwords we're personaly trying to crack either. Statistically, most of passwords I'm cracking are longer than 12 characters and big percentage of those passwords are even longer than 15 characters. As otherwise, I'm not using only bruteforce and dictionary attacks, of course I'm using keyloggers, for target specific dictionaries and so on, but frequently I'm unable to catch all characters or my dictionaries don't contain them (for example numbers), so I have to bruteforce them or use other dictionaries.
Please, check this topic as example: WPA/WPA2 in hashcat.

I think, this request is well-founded.
#29
Hi atom, I appreciate you indulging this discussion yet again. I know it's come up many times already, hell I've been in at least three of these threads. Smile

My feeling is that pass phrases have become the common wisdom of the day (i.e. "correct horse battery staple" http://xkcd.com/936/) but the reality is most people still do these wrong. I don't think that looking at cracked password statistics shows a very realistic picture when it comes to trends today for passwords people care about. What we'd really need is a sample of passwords that were stored plain or reversibly encrypted for a site where people are motivated to create good passwords (say a financial service). Unfortunately I don't have a sample like this.

I frequently see / hear about people using 2-4 words in the vein of xkcd, or using 4-5 words but with common words and conjunctions like:

yellow and blue make green

Let's ignore that this a known phrase. A lot of people believe nonsense password checkers like howsecureismypassword.net which will tell you this is an incredibly strong password (it will take 76 septillion years to crack according to that site), but in reality it should be cracked by a sort of markov chain dictionary equivalent (smaller word lists in common places, or just more common words towards the top) in a reasonable time.

yellow: in top 1000 common words, call it 10-bits of entropy
and: one of the most common words in the language, 3 bits
blue: like yellow, 10 bits
make: also extremely common, in top 100 most common words, call it 7 bits
green: another 10

This 5 word phrase ends up with only ~2^40 possibilities, an achievable number in reasonable time with a fast cracker and assuming a reasonable fast hashing algorithm like MD5. Better chosen 4 word phrases end up being a bit stronger but still vulnerable, and 2-3 word phrases should be extremely crackable as long as the tool supports the length.

I fully appreciate that allowing longer passwords means slower performance (as you outlined http://hashcat.net/forum/thread-785.html), but I get the feeling that those requirements (16 GB of system ram and a performance hit of 40%) are totally tolerable to some of us, especially with all the clustering stuff you've added recently, to be able to attack what appears to be the growing trend in password selection. I believe I read that you actually created a version of hashcat that supported longer passwords for CMIYC because you were running into this limit yourself, but I can't find it now so maybe I'm wrong about that.

All of that said, I also fully appreciate that not everyone would be so willing to accept this tradeoff, which raises the burden of maintaining two branches/kernels. I won't pretend to know the effort involved in doing that for this change, but I certainly understand your reluctance to do it.

Anyway, I've gone on long enough, thanks for your patience and your excellent tool!
#30
I think it is important to make something clear at this point.

This thread may appear we are in some sort of argument, especially to a casual observer. I am certain no one here is arguing with atom about this issue and I am sure atom understands the importance of longer password support.

What I believe might be happening is there is a slight clash of ideologies. Those interested in competition and quick bulk recovery of huge password lists and those aiming for specific targets or who are compulsive obsessives wishing to "complete" the leaked lists. Smile

I am obviously compulsive obsessive and I also aim at specific targets (WPA). So clearly I need the whole key-space available to me as it would appear so do a few others.

I just didn't want atom to feel like we were having a go at him, we all just want hashcat-plus to be the best regardless of our separate ideologies.

@atom, would it be possible for you to provide an estimate of the performance drop of a few of the more common hashes so the speed / recovery trade off can be discussed by everyone here ?

I understand WPA would have no drop in performance which is great news for me personally, but others will no doubt be interested in the more common hashes.

Thank you. Smile