Series
Password cracking 101
9 posts in this series. Read them in order or jump to any one.
- How to identify an unknown hash: a practical guide
Found a mystery hash? Learn the signals that reveal its type — length, character set and prefixes like $2y$ or $6$ — and how to identify it privately in your browser.
- Hashcat vs John the Ripper: which cracker should you use?
A practical comparison of hashcat and John the Ripper — GPU vs CPU strengths, autodetection, -m modes, jumbo formats, wordlists and rules — with example commands.
- Why fast hashes are dangerous for password storage
MD5 and SHA-1 fall to a GPU in seconds because they are fast and often unsalted. Learn why slow KDFs like bcrypt and Argon2 resist — and what defenders should do.
- Finding the right hashcat -m mode (and what to do when you get it wrong)
Hashcat won't autodetect anything. Here is how to pick the correct -m mode, disambiguate look-alike hashes, and read the errors that mean you chose wrong.
- Kerberoasting: turning a service ticket into a domain password
How Kerberoasting actually works, why any domain user can do it, and the exact path from a krb5tgs ticket to a cracked service account password with hashcat.
- The wordlist and rules setup that actually cracks passwords
rockyou.txt is a starting line, not a strategy. How to combine curated wordlists, rules, masks and targeted lists, and when each one is a waste of GPU time.
- Mask attacks and keyspace: brute force that actually finishes
Build hashcat masks with charsets, do the keyspace math, use custom charsets and increment, and know when -a 3 beats a wordlist and when it is hopeless.
- Tuning hashcat for real GPU throughput
Benchmarks lie if you read them wrong. Workload profiles, optimized kernels, thermal throttling, multi-GPU and segmenting big attacks, with honest cloud rental math.
- What salts actually do (and what they do not)
Salts kill rainbow tables and shared-hash leaks. They do not slow a single targeted crack. Why salted MD5 is still weak, and why you need a slow KDF too.