Force multiplier - Guided password cracking


by Tonimir Kisasondi

In this talk, I will show how to better target password cracking and guessing attacks against offline password lists or online systems. We will cover custom wordlist creation from multiple languages and sources, targeting via personal data collected by abusing a popular search provider and scraping various databases to obtain enough data to help us. We will show how to use those lists with the help of a tool called unhash to deliver targeted password cracking attacks and drastically reduce our search space.

The popularity of usage "slow" hashes like bcrypt, scrypt and PBKDF2 with big round sizes requires us to try a smaller quantity of possible passwords. The adage "Brute force: If it isn't working, you are not using enough of it" is simply not true anymore, so we have to adapt our methods.