My start in password cracking

I started cracking passwords around 1990. Back then I used crack-4.1, which worked on des-crypt Unix-style passwords, and password cracking meant CPUs and really small dictionaries. Times sure have changed. Today multi-core CPUs are standard, very powerful GPUs are standard, there are rainbow tables and terabytes of precomputed hashes, and plaintext password dictionaries vary from hundreds of megabytes to hundreds of gigabytes. Password hashing should have evolved to match, but in many cases it hasn't. Around 1979 Unix introduced 'salting': des-crypt used 12 bits of salt, so if your password was 'password' its hash might be stored 4096 different ways. That makes precomputed password hash tables really big, and thus impractical. However, Microsoft doesn't seem to have gotten the message. Neither LanMan nor the current standard NT LanMan (NTLM) uses salting, for reasons that baffle me.

Tools for password cracking

The main tools for password cracking are John the Ripper and Hashcat. In my experience John the Ripper has infrequent official releases but many unofficial releases. I experienced poor GPU support under Windows. It is easy to write custom rules, and the mailing list support is very good. Hashcat has more frequent releases and very good GPU support under Windows, but its rule syntax is primitive and very verbose.

Wordlists

There are a variety of wordlists. Some, such as rockyou, are very high quality. Other so-called password dumps can be of much lower quality: they often contain very long lines (over 1k characters), non-ASCII characters and random junk. Specialized tools are needed to transform these password dumps into useful password lists.
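As an added example (not a tool from the original post), this Python filters a raw dump into a wordlist by dropping the over-long lines, non-ASCII text and binary junk described above; the length cap and the drop rules are my assumptions, and the sample dump is constructed.

```python
# Added example, not from the original post: filter a raw password dump into a
# usable wordlist. The length cap and the junk rules below are my assumptions.
from collections import Counter

MAX_LEN = 32  # far above descrypt's 8 significant chars, still drops the 1k+ lines


def clean_dump(lines, max_len=MAX_LEN):
    """Return (kept_words, dropped_reason_counts), de-duplicated in first-seen order."""
    kept, dropped, seen = [], Counter(), set()
    for raw in lines:
        word = raw.rstrip("\r\n")          # tolerate CRLF dumps, keep inner spaces
        if not word:
            dropped["empty"] += 1
        elif len(word) > max_len:
            dropped["too_long"] += 1
        elif not word.isascii():
            dropped["non_ascii"] += 1
        elif any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in word):
            dropped["control"] += 1       # binary garbage; a tab is kept, real passwords had one
        elif word in seen:
            dropped["duplicate"] += 1
        else:
            seen.add(word)
            kept.append(word)
    return kept, dropped


# Constructed sample dump, not real data.
SAMPLE_DUMP = [
    "password123\n",
    "Summer2019!\n",
    "password123\n",          # duplicate
    "x" * 1200 + "\n",        # one of the >1k junk lines
    "p\u00e4ssw\u00f6rd\n",   # non-ASCII
    "\x00\x01binary\x02\n",   # binary garbage
    "\n",                     # blank line
    "letmein\r\n",            # CRLF line ending
]

if __name__ == "__main__":
    words, why = clean_dump(SAMPLE_DUMP)
    print("kept:", words)
    print("dropped:", dict(why))
```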

Password hashing speed

Different password hashing algorithms have widely different speeds. Benchmark figures (hashes per second, from the benchmark linked below):

NTLM        41825.0 MH/s
md5         24943.1 MH/s
LM          18382.7 MH/s
descrypt      906.7 MH/s
SHA1          788.2 MH/s
scrypt        435.1 kH/s
WPA2          396.8 kH/s
bcrypt        13094   H/s

https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40

Password salting

In 1979 Unix descrypt used 12 bits of salt.
In the 1980s Unix used 48 bits of salt.
In 1996 bcrypt used 128 bits of salt; Argon2 used 12 bits of salt.
Windows LM and NTLM don't use salt.

A descrypt password dump

I found a decent-sized descrypt password dump with 1576 different passwords. It took me 5 years to find all of the passwords.

Using the JtR dev pack 2023_05_14, no options (CPU):
537 words in 126 seconds
667 words in 633 seconds
758 words in 1,201 seconds
884 words in 3,985 seconds (wordlist password.lst)
1022 words in 22,128 seconds (incremental:ASCII)

Here is the power of wordlists

Using the JtR dev pack 2023_05_14 with no options (on my CPU):
rockyou (139 MB) found 455 words in 52 sec
Weakpass 2a (37 GB) found 469 words in 5,675 sec
rockyou2021 (98 GB) found 967 words in 12,363 sec
Prince & rockyou found 634 words in 9,243 sec

CPU vs GPU

I have a 64-core AMD EPYC Milan system and an Nvidia 3060 Ti 8 GB graphics card, which is 2.3 times faster than an Nvidia 1070. The 3060 Ti is 5 to 30 times faster than my EPYC. I picked it to maximize performance per price.

Performance

Wordlists can be very fast depending on quality and size. Wordlists with rules can be faster than brute force.

Brute force, 1 password, on the GPU:
All 8-char lowercase: about 3 minutes
All 8-char letters: about 13 hours
All 8-char lower, number, special: about 5.5 days
All 8-char printable: about 80 days

Rainbow tables and precomputed hashes

Rainbow tables and precomputed hashes don't play nice with salt, but they are very, very fast. They work with LM, NTLM, MD5, etc. Sources: the DEF CON Data Duplication Village (6 TB drives); freerainbowtables.com (GSM A5/1 and MD5 hash tables); and more rainbow tables for LanMan, MySQL SHA1 and NTLM, plus some wordlists.
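As an added example (not code from the original post), this Python turns the benchmark rates quoted above into worst-case exhaustive-search times for the 8-character classes listed under Performance, and shows why a 12-bit salt multiplies a precomputed table by 4096; the rates come from the benchmark table, not the author's own GPU, so the times differ somewhat from the figures above.

```python
# Added example, not from the original post: worst-case exhaustive-search times
# from the benchmark rates quoted above, plus the precomputed-table blow-up a
# salt causes. RATES are hashes per second copied from the table on this page.
RATES = {
    "NTLM": 41825.0e6, "md5": 24943.1e6, "LM": 18382.7e6,
    "descrypt": 906.7e6, "SHA1": 788.2e6,
    "scrypt": 435.1e3, "WPA2": 396.8e3, "bcrypt": 13094.0,
}

# character-class sizes for the "all 8 char ..." estimates (ASCII printable)
CHARSETS = {
    "lower": 26,
    "letters": 52,
    "lower+digit+special": 26 + 10 + 33,
    "printable": 95,
}

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters over the charset."""
    return charset_size ** length

def seconds_to_exhaust(algo: str, charset: str, length: int) -> float:
    """Worst-case time to try every candidate against one hash at the benchmarked rate."""
    return keyspace(CHARSETS[charset], length) / RATES[algo]

def human(seconds: float) -> str:
    """Round a duration to the largest fitting unit, e.g. '3.8 minutes'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def table_rows(dictionary_words: int, salt_bits: int) -> int:
    """Rows a precomputed table needs to cover a dictionary under every possible salt."""
    # unsalted: one row per word; descrypt's 12-bit salt multiplies that by 4096
    return dictionary_words * (1 << salt_bits)

if __name__ == "__main__":
    for cs in CHARSETS:
        print(f"descrypt, 8 x {cs:20s} {human(seconds_to_exhaust('descrypt', cs, 8))}")
    print("bcrypt,   8 x lower                ", human(seconds_to_exhaust("bcrypt", "lower", 8)))
    # a 1,000,000-word dictionary, unsalted vs. under descrypt's 12-bit salt
    print("table rows, no salt:    ", table_rows(1_000_000, 0))
    print("table rows, 12-bit salt:", table_rows(1_000_000, 12))
```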

Password statistics

  Length:
  3 :  0.3 % (3)
  4 :  0.3 % (3)
  5 :  2.8 % (30)
  6 : 21.6 % (233)
  7 : 25.5 % (276)
  8 : 49.6 % (536)

Chars:
  All lower: 60.2 % (651)
  All lower digit: 15.9 % (172)
  All lower upper: 10.8 % (117)
  All lower upper digit:  3.6 % (39)
  All lower special:  5.5 % (59)
  All upper:  0.2 % (2)
  All digits:  0.1 % (1)
  All special:  0.1 % (1)
  All upper digit:  0.1 % (1)
  All digit special:  0.1 % (1)
  All lower upper special:  1.7 % (18)
  All lower digit special:  1.4 % (15)
  All lower upper digit special:  0.4 % (4)

String Classes:
  All alpha: 71.1 % (769)
  Alphas + numbers: 11.0 % (119)
  Alphas + specials:  2.1 % (23)
  Alphas + numbers + alphas:  6.5 % (70)
  Alphas + specials + alphas:  4.3 % (47)

Odd password characters

I found one tab character. No standard character set includes tabs, so I created a custom character set that includes tab. I also found one control-R character. No standard character set includes control characters. After an exhaustive search failed, I knew there was a control character. I tested current Linux to see what control characters are allowed in a password. With the help of the John the Ripper mailing list, I made a special rule to insert a control character, and another to replace a character with a control character. Using a big dictionary, I found the password.

BSD 1980 password dump

There was a password dump from a 1980 BSD computer. Most passwords were quickly cracked; Bill Joy's was not. Its hash is 2xvLVqGHJm8M. The reason it was not quickly cracked is that it contains a control character. Initially I did not know that, and I performed a brute-force search of all normal password characters. When that got to about 50% of the search space, I suspected a control character was present. Using John the Ripper, I helped create two rules. One inserts a control character at each of the 8 possible positions. The other replaces an existing character with a control character at each possible position. Using a decent dictionary, I quickly found the password to be chess^Win. I have found that control characters are pretty rare in descrypt passwords: one password with a tab and one with a control-R.

Here are the passwords from the BSD 1980 dump:

dmac uio bourne foobar network whatnot axolotl sacristy uucpuucp cowperso jilland1 /.,/. apr1744 ...hello sherril. wendy!!! 5%ghj pdq;dq theik!!! sn74193n p/q2-q4! graduat; 12ucdort 561cml.. ..pnn521 chess^Win
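As an added example (not code from the original post), this Python reproduces the Length and Chars statistics above over the BSD 1980 list just given, and flags the control-character passwords that no standard character set would reach; it assumes the caret in chess^Win denotes a literal Ctrl-W (0x17).

```python
# Added example, not from the original post: the "Length" / "Chars" statistics
# above, computed over the BSD 1980 list, plus a control-character check.
from collections import Counter

# Passwords from the BSD 1980 dump above; the caret in "chess^Win" is assumed
# to mean a literal Ctrl-W (0x17), the control character the post describes.
BSD_1980 = [
    "dmac", "uio", "bourne", "foobar", "network", "whatnot", "axolotl",
    "sacristy", "uucpuucp", "cowperso", "jilland1", "/.,/.", "apr1744",
    "...hello", "sherril.", "wendy!!!", "5%ghj", "pdq;dq", "theik!!!",
    "sn74193n", "p/q2-q4!", "graduat;", "12ucdort", "561cml..", "..pnn521",
    "chess\x17in",
]

CLASS_ORDER = ("lower", "upper", "digit", "special", "control")

def char_class(c: str) -> str:
    """ASCII class of one character; descrypt passwords are 7-bit, so this suffices."""
    if c.isascii() and c.isalpha():
        return "lower" if c.islower() else "upper"
    if c.isascii() and c.isdigit():
        return "digit"
    if ord(c) < 0x20 or ord(c) == 0x7F:
        return "control"
    return "special"

def classify(pw: str) -> str:
    """Classes present, in fixed order, e.g. 'lower digit special'."""
    present = {char_class(c) for c in pw}
    return " ".join(k for k in CLASS_ORDER if k in present)

def control_passwords(pws) -> list:
    """Passwords no standard charset reaches: they contain a control character."""
    return [p for p in pws if any(char_class(c) == "control" for c in p)]

def report(pws) -> str:
    """Both tables in the percent-and-count layout used on this page."""
    total = len(pws)
    out = ["Length:"]
    for n, cnt in sorted(Counter(len(p) for p in pws).items()):
        out.append(f"  {n} : {100 * cnt / total:4.1f} % ({cnt})")
    out.append("Chars:")
    for name, cnt in Counter(classify(p) for p in pws).most_common():
        out.append(f"  All {name}: {100 * cnt / total:4.1f} % ({cnt})")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(BSD_1980))
    print("control-char passwords:", [repr(p) for p in control_passwords(BSD_1980)])
```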

Here are the rules for john the ripper:

[List.Rules:ins_control_1]
>\r[00-6] '7 i\p[0-7][\x7f\x80\x01-\x1f]

[List.Rules:rep_control_1]
>[0-7] '8 o\0[\x7f\x80\x01-\x1f]