2025-08-05, Tuscany
My experience cracking 936 million passwords.
It is challenging to crack passwords at scale.
I will discuss the hardware I used, tools used, wordlists, custom rules,
CPU vs GPU tradeoff, found password statistics and defenses against password
cracking. To date, I have found 91% of the passwords.
0 About Me
1 A brief history of password cracking
2 Dump from Have I Been Pwned
Good news – they are NTLM format
Bad news – 936,000,000
This requires a Big Data approach and lots of RAM
3 Hardware and software used
Strategy used to crack passwords
Rainbow Tables
Good for finding a few passwords, bad for finding millions of passwords
John the Ripper
Infrequent official releases, many unofficial releases
Poor Graphics Processing Unit (GPU) support on Windows
Easy to make custom rules
Good mailing list support
Hashcat
6.2.6 latest release Sep 2022
Great GPU acceleration
Primitive rule syntax
Dictionary attacks take a lot of memory
Custom Tools I wrote
Custom Rules
The exponential cost of finding passwords
You will never find all of the passwords
4 Found passwords
Found password statistics
Control characters in passwords
5 Defense against having your password cracked
Don't use NTLM
Two-factor authentication
Use cryptographically strong random passwords
Use a password manager
Jeff Deifik has an MS in Cybersecurity and CISSP and C|CISO credentials. His
interest in the intersection of cybersecurity and software development began
with white hat password cracking over 30 years ago. Career projects included
ten years at the first e-commerce system (from 1985-1995), the first orbiting
radio telescope satellite, the world's most advanced pulse oximeter, and most
recently cybersecurity for government satellite ground control, balancing
sound cybersecurity with cost and schedule. He is currently employed at The
Aerospace Corp.