most-used-passwords

Since I have hardware around the house to do this, I figured I would have a go at cracking the passwords of a certain file which contains a little over 36 million bcrypt hashes… you know what I’m talking about.

There were some initial stories about folks cracking a limited number of passwords using GPUs and oclhashcat, however one of the reasons bcrypt is used is precisely because it is hard to crack.

I decided to just go for it and throw the entire 36 million line list at my Radeon 295×2 GPU (2 discreet GPUs on one graphics card) using the ‘rockyou’ wordlist and bang, a blazing 107 H/s… one hundred and seven! Normally you would expect to see millions or billions of tries per second.

Ok so maybe that was a little too ambitious. Perhaps a smaller wordlist would be better so I switched to the ‘best15’ wordlist from the SecLists project on GitHub that my buddy Daniel runs.

There’s a problem with throwing a small wordlist at a GPU, especially one that has only 15 words in it. GPUs are all about parallel processing and throwing a list at it with only 15 words in it is highly inefficient unless you do some fiddling with the input.

I followed some instructions on what to do in this scenario from the hashcat site, however it didn’t seem to make any difference. Could be I was doing it completely wrong but either way it wasn’t making a difference.

Anyway I figured I would give it a shot using regular hashcat which is for cracking on CPUs instead of GPUs. I also only submitted the first one million lines from the master list and again used the ‘best15’ wordlist.

So running the one million bcrypt hashes against the CPU using a small wordlist appears to me much more efficient. It has something to do with more efficient memory use by the CPU versus the GPU when lots of memory is being accessed as it is with bcrypt.

I’ve been running two PCs each with a quad-core i7 and eight threads the last couple days and have managed to get a little over 5000 passwords. Again this is against a 15 word wordlist.

I’m curious to see how long it takes to get through a million hashes. If it’s anything reasonable, I’ll keep churning through the master list. The current count is below:

crack-count

…and yes, ‘123456’ is leading the pack! What a surprise. I also think words like ‘password’ are currently zero because it hasn’t been tried yet. I tried another wordlist with ‘password’ as the second word in the list and got hits there.

I’ll keep updating this as the cracking continues. Just for kicks I am also crunching one million hashes using the top 1,000,000 passwords from the 10,000,000 password list just to see how much I get using a GPU on one PC and trying that same approach on the other PC using the CPU.

It’s all a great learning experience.

Stay tuned…