A SONG OF HASHES AND DUMPS: WHAT I'VE LEARNED FROM CRACKING .BR PASSWORDS

No ratings

Presented at blackhatsummer 2014 by

Daniel Marques

We do a lot of password cracking these days. Hashes from owned systems pop out frequently on Pastebin and Twitter, and it is not uncommon to find a nice SQL injection that allows you to dump the entire login table from a web application. However, we still use the same old wordlists and rules. During a security conference last year, a slide caught my eye: something like, "using RockYou and the best64 rule you can crack 50% of the passwords." So, I decided to see how that worksfor Brazilian passwords. This presentation provides a fresh view on password cracking research by: Exchange experiences through showing positive results, drawbacks, failures, and challenges while cracking passwords from .br domains; Testing the performance of some popular wordlists againts different scenarios; Identifying patterns and behavior of users while choosing their passwords, beyond 'qwerty'; Providing tools, scripts, rules, and wordlists to aid in cracking Brazilian passwords but useful for any language.