Password Cracking 201: Beyond the Basics

Presented at BSidesLV 2017, July 26, 2017, 3 p.m. (55 minutes)

"Are you a password cracker ... or do you just crack passwords?" -epixoip

My goal with this talk is to help occasional, casual, and non-specialist practitioners bootstrap themselves to the next level of password auditing. After briefly touching on the basics, I will cover some common pitfalls, some non-obvious assumptions made by the experts, and other lessons from my pursuit of password cracking as a dedicated discipline. Key takeaways include specific cracking techniques, perspectives on cracking culture, and ways to advance further under your own power.

Prerequisites: Previous experience with cracking tools (hashcat, John the Ripper) and concepts (brute force, masks, rules, keyspace, etc.) is helpful, because we won't spend a lot of time on the basics. But anyone interested in learning more about password cracking is welcome!

  • Royce Williams - Password auditor & enthusiast
    After 13 years as a sysadmin for a regional ISP in Alaska, I jumped into security full time in 2012 for the financial sector and critical infrastructure. As an independent researcher and a Hashcat beta tester and contributor, my password research interests include deliberately published hashes, DES crypt in its historical context, artificial hashes, and advancing password cracking as a profession. More generally, I am interested in regional vulnerability management and incident response, TLS auditing, and enterprise asset detection and analytics. I belong to the ACM, USENIX, and the SANS Advisory Board. In my spare time, I apply my undue diligence to the taxonomy of Alaskan license plates. (Yes, that's a thing.) Also talk to me about ZTEX 1.15y FPGA boards, FreeBSD, pfSense, NTP, and the Rapid7 "DNS ANY" dataset.