Supreme Hashcat Password Recovery Rates

[1.556]

Just curious what people's recovery rates are with hashcat against database dumps. What rules and wordlists are you using?  Do you have a cutoff threshold for when you stop (ie 24 hours)?

I can normally get 70-80% on a normal encrypted database dump (ie predominately English speaking users, encrypted w/ md5, md5crypt, phpass, etc), but getting much more than that seems to add 3x (or more) to the amount of time to crack.  I mostly just use the crackstation and rockyou wordlists in addition to the dumped usernames.  For attacks I use a few different rules: hob064, dive, and a simple one I put together to feed into prince processor.  One thing I did do was modify the hob064 rules to extend out the year suffixes to 2022, both with and without an exclamation point and leetspeak substitutions (original only uses 2015, 2016, and 2016!).

[48]

You could always use a mask and ?d?d?d?d?d?d?d?d?d?d?d - You will recover 99.9 percent this way :)

You may need Chinese supercomputer though

[15]

Thank u Bro

[137]

https://docs.google.com/spreadsheets/d/1...sp=sharing

Here are the tests for the most popular and efficient wordlists and dictionaries and rules. Made by the legends at hashes.org (RIP). Please check it out.

Ship coming soon and stuff like that!

[1.556]

https://docs.google.com/spreadsheets/d/1...sp=sharing

Here are the tests for the most popular and efficient wordlists and dictionaries and rules. Made by the legends at hashes.org (RIP). Please check it out.

So that's what you personally use?  Do you have a cutoff threshold for when you stop attempting to crack a database dump?

[137]

https://docs.google.com/spreadsheets/d/1...sp=sharing

Here are the tests for the most popular and efficient wordlists and dictionaries and rules. Made by the legends at hashes.org (RIP). Please check it out.

So that's what you personally use?  Do you have a cutoff threshold for when you stop attempting to crack a database dump?

I personally use a wordlist of my own from all the passwords I've cracked ever. I also use hashesorg2019. You're gonna have to try all wordlists, they're all different in their own ways and there is no single good one. There is only bad ones, avoid anything with a really really really high keyspace.

The threshold when cracking hashes from a database is when the number of cracked passwords does not move. You either give up because the passwords are near impossible to crack, or you take what's left and crack them with another wordlist or someone (preferably someone experienced in password recovery, like the dudes at hashes.com) can crack what's left for you.

There's so many different techniques on how to crack hashes. You can browse the hashcat forums and wiki for different techniques. You can also talk to people from hashes.com, although do not bring up anything hacking related. Hashcat is and will always be the #1 software for stuff like this due to its capability and strong support. I would avoid any other "dehasher" (which isn't even an appropriate term). What makes cracking more efficient is all dependent on what techniques you use, not the software.

Ship coming soon and stuff like that!

[1.556]

https://docs.google.com/spreadsheets/d/1...sp=sharing

Here are the tests for the most popular and efficient wordlists and dictionaries and rules. Made by the legends at hashes.org (RIP). Please check it out.

So that's what you personally use?  Do you have a cutoff threshold for when you stop attempting to crack a database dump?

I personally use a wordlist of my own from all the passwords I've cracked ever. I also use hashesorg2019. You're gonna have to try all wordlists, they're all different in their own ways and there is no single good one. There is only bad ones, avoid anything with a really really really high keyspace.

The threshold when cracking hashes from a database is when the number of cracked passwords does not move. You either give up because the passwords are near impossible to crack, or you take what's left and crack them with another wordlist or someone (preferably someone experienced in password recovery, like the dudes at hashes.com) can crack what's left for you.

There's so many different techniques on how to crack hashes. You can browse the hashcat forums and wiki for different techniques. You can also talk to people from hashes.com, although do not bring up anything hacking related. Hashcat is and will always be the #1 software for stuff like this due to its capability and strong support. I would avoid any other "dehasher" (which isn't even an appropriate term). What makes cracking more efficient is all dependent on what techniques you use, not the software.

Thanks.  I'm not new to cracking passes...been using hashcat for at least 10 years now.  Mainly just curious how others approach things.  I roll my cracked passwords into my wordlists as well, and have a script I run to modify them to make them more efficient with w/ the rules I use with prince processor.  One of the things I've struggled with over time is when to give up on a dump file and move the hashes to a left list to process later.  I like what you said about them "not moving"...I might put a timer on it and if no new hashes have been cracked in an hour then stop and move on.

Hashmob is another resource I like using in addition to hashes.com.

[137]

So that's what you personally use?  Do you have a cutoff threshold for when you stop attempting to crack a database dump?

I personally use a wordlist of my own from all the passwords I've cracked ever. I also use hashesorg2019. You're gonna have to try all wordlists, they're all different in their own ways and there is no single good one. There is only bad ones, avoid anything with a really really really high keyspace.

The threshold when cracking hashes from a database is when the number of cracked passwords does not move. You either give up because the passwords are near impossible to crack, or you take what's left and crack them with another wordlist or someone (preferably someone experienced in password recovery, like the dudes at hashes.com) can crack what's left for you.

There's so many different techniques on how to crack hashes. You can browse the hashcat forums and wiki for different techniques. You can also talk to people from hashes.com, although do not bring up anything hacking related. Hashcat is and will always be the #1 software for stuff like this due to its capability and strong support. I would avoid any other "dehasher" (which isn't even an appropriate term). What makes cracking more efficient is all dependent on what techniques you use, not the software.

Thanks.  I'm not new to cracking passes...been using hashcat for at least 10 years now.  Mainly just curious how others approach things.  I roll my cracked passwords into my wordlists as well, and have a script I run to modify them to make them more efficient with w/ the rules I use with prince processor.  One of the things I've struggled with over time is when to give up on a dump file and move the hashes to a left list to process later.  I like what you said about them "not moving"...I might put a timer on it and if no new hashes have been cracked in an hour then stop and move on.

Hashmob is another resource I like using in addition to hashes.com.

Yeah there's sometimes no way to move past uncrackable hashes. Some people have retardedly complex passwords with funny symbols and combinations and such. There's also difficult hashes like bcrypt.

I used to crack hashes for fun to test the limits of my wordlists. Hashmob looks pretty promising. The hashes on hashes.com are usually too hard, which is why they offer money to have the cracked. Thanks for letting me know of this website.

Ship coming soon and stuff like that!