Date: Wed, 23 Oct 2019 00:12:41 +1030
From: Sebastian Hudson <>
Subject: Re: How to increase Max Length? / Very long passwords

Thanks Magnum, lots of good advice there, I’ll look into hash functions!
How would you go about what I’m trying to do?

On 22 Oct 2019, at 5:01 am, magnum <> wrote:

> On 2019-10-21 14:43, Sebastian Hudson wrote:
>> Hi, so I’m aware that what I’m trying to do might actually be impossible but I still want to try and find a way because it’s just for fun so why not.
>> I hope I can explain this all well.
>> I’m trying to crack an sha256 hash, but the password itself is an sha256 hash.
>> For example:
>> If the hash is e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9
>> then the actual password would be 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.
> This is not terribly weird if the target hash is actually something like sha256(sha256(password)), and then you'd attack it like that (with human-generated words as input) but if it's not, it *is* terribly weird.
>> The main problem I’ve come across is just the length of it. Prince mode won’t try to crack anything with a Max Length of 32 and Markov won’t try anything over 30.
>> Is there a way to change the Max Length to more?
> This approach is so terribly flawed I'm not sure where to start explaining.
>> The reason I tried to use prince was I made a wordlist that broke up the permutations into groups of 8. Eg: aab3d7ef. If I could get it to try every combination of 8 of these (8x8=64) randomly then maybe it would just stumble on the password.
> This one too.
> You might want to read up on "cryptographic hash function" (try google or wikipedia). Pay attention to keywords like "avalanche".
>> Ideally I think if there was a way to just keep hashing the last attempt over and over it might stumble on the password too. Eg: if it tried
>> e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9
>> then
>> d6a804981ea7ce374acc21c9a8bf82f50b684b0ea4bdf8b26a7a775291aaf7a6
>> then
>> ad376767fc04814220cc25c79b2777cd14704f23f1830318b5bd9eb97e4fedf6
>> perhaps that would be quicker?
> Errr... but what would be your starting point (for generating that first hash)? In case you are attacking something like sha256(sha256(sha256(sha256((...)passphrase)))) it might be a good way, but only if the actual original password was based on a human generated string and you just don't know how many iterations of sha256 were used.
> Good luck with this ;-)
> magnum
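
Added example, not part of the original thread or of John the Ripper: a Python sketch of the two points in magnum's reply, namely that a nested sha256 target is only searchable from human-chosen inputs with an unknown iteration count, and that the avalanche property makes near-miss guesses useless. The word list, the function names and the `hunter2` target are constructed for illustration.

```python
import hashlib

# Constructed sample wordlist (stands in for human-chosen candidates).
WORDS = ["letmein", "password", "hunter2", "1"]

def chain(word, rounds, raw=False):
    """Apply sha256 `rounds` times (rounds >= 1) and return the final hex digest.
    raw=False feeds each round the previous digest's hex string, as in the
    thread's example; raw=True feeds it the 32 raw digest bytes instead."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    data = word.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(data).digest()
        data = digest if raw else digest.hex().encode()
    return digest.hex()

def find_nested(target_hex, words, max_rounds=8, raw=False):
    """Return (word, rounds) if some word hashed 1..max_rounds times equals
    the target, else None. Only the word list is searched, never the
    2**256 space of intermediate digests."""
    target = bytes.fromhex(target_hex)
    for word in words:
        data = word.encode()
        for rounds in range(1, max_rounds + 1):
            digest = hashlib.sha256(data).digest()
            if digest == target:
                return word, rounds
            data = digest if raw else digest.hex().encode()
    return None

def bits_changed(a, b):
    """Number of differing bits (out of 256) between sha256(a) and sha256(b)."""
    x = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(x ^ y).count("1")

if __name__ == "__main__":
    # Constructed target: a list word hashed three times.
    print(find_nested(chain("hunter2", 3), WORDS))
    # Avalanche: a one-character change flips roughly half the output bits,
    # so a near-miss guess gives no hint about the right one.
    print(bits_changed("aab3d7ef", "aab3d7ee"))
    # The hash quoted in the original post; prints whatever the search finds.
    print(find_nested("e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9", WORDS))
```

The cost of the search is the word list size times `max_rounds`, which is why nesting a fast unsalted hash adds little protection to a weak password, while guessing 64-character hex strings directly means searching the full 2**256 digest space.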
