Password cracking and choosing the right tools

This is mainly a long story about password cracking. The informational piece is that if you're cracking passwords, you probably want a Radeon, and I'll be damned if Windows isn't a valid option.

I've always liked to think that I'm pretty pragmatic. There's no denying, I'm a huge fan of Linux, and I mock Windows whenever I can. But when it comes to deploying solutions for customers, sometimes Windows is just the right fit, and that's what I deploy. No fuss, no muss. The customer and I may share a moment of quiet, bitter rage while looking at the cost of software, but to the customer it's the price of doing business.

Now we turn the tables on me. I'm at home, and I get an email from my friend about a password that needs to be cracked. Mind you, I say this completely seriously, this is a legitimate request. My friend runs a company that provides IT services for companies in our metro area that are too small to have their own IT staff. On a Friday he notified me that one of his customers had password protected his Excel file, and he desperately needed to get into it.

He had gone as far as to get me the hash using a Python script called This put the hash in a format that John The Ripper would accept. I take the hash, and find that it's an old version of Office...Oh wait..."It's an older version Office, but it checks out." There, Star Wars reference out of the way. He sent me this hash and said he was trying John The Ripper, but he was only getting ~140ish hashes per core, and for a potentially 9 character password, that would be effectively uncrackable.

"Ah, but how do you know it's 9 characters," I ask, hoping that the answer will help me build a mask in Hashcat. And sure 'nuff, it does. The client apparently builds his passwords in a specific manner, which my friend relayed to me. Perfect! Now we have a 9 character password. With the mask, it basically gets boiled down to effectively a 5.5 character password. Now we're cooking with gas!

So at this point, I have 2 options. I have 2 video cards in my machine, with the intent of getting KVM passthrough to work one of these days "when I have time." :eyeroll: Linux is currently using the GTX 660 that was gifted to me, and I have no drivers applied to the Radeon R9 270. I could boot into Windows and use Hashcat there. But I don't know how Windows affects the performance of Hashcat, if at all. In my experience, Windows is a steaming pile of garbage when it comes to IO in general, so I opt to stay in Linux, and just use the GTX 660.

I set Hashcat to cracking the password, and with the GTX 660 I'm getting about 5.3 million hashes per second (about 4.8 million hashes when running Minecraft). Total possible permutations after the mask is applied: 1,431,576,185,000 (that's about 1.4 trillion, burned down from what otherwise would have been about 6.3 quadrillion without the mask) . Hashcat's early estimates are that it will burn through all possible permutations in about 3 days, 19 hours. Okay, not terrible.

That eventually went off without a hitch. About 2.5 days layer, Hashcat happened upon the password, and we got it back to the customer who, of course, immediately remembered it upon seeing it. That's how human memory works.

But I was a little sad, because the Radeon has always been a better password cracker. If the drivers weren't in such a state of flux in Linux, I could have used it. This lead me to install Ubuntu 14.04 on a spare machine, rip the R9 270 out of my computer, and put it in that computer. Even old drivers with the old version of Ubuntu just wasn't cutting it. So, out of desperation, I plopped a Windows 7 image onto the machine.

Let me tell you, installing drivers in Windows isn't some kind of magical fun-time experience. It took me about 2 hours to get that system running. The first problem being LAN drivers. It was with no small amount of irony I went back to my Linux machine to get drivers for Windows. And then installing the Radeon driver. Oh my gawd, installing the Radeon driver.

But, I must reel myself back in. This is not a Windows bashing thread. Windows did me a solid here. I got the Radeon drivers in place (finally), and set the machine to doing a benchmark in Hashcat. Hashcat then went through all of the hash types it knows how to deal with (which is a fscking lot, btw), and wouldn't you know it, we come to old Office hashing, and the 270 clocks in at about 38 million hashes per second.

So what could potentially have taken the better part of 4 days with the GTX 660, would have taken just under 11 hours with the R9 270. It actually makes me want to throw the 270 back in my desktop, boot into Windows, and see if I can run the 660 and 270 side by side with Hashcat. It's not like the 660 isn't adding value here.

So, lesson learned. Shame on me for discounting Windows out of hand. If there is a hit to IO for using Hashcat in Windows, it is easily overshadowed by the Radeon's sheer badassery.


As a rule of thumb I tend to segregate my GPU purchases, and use nvidia on my linux systems and AMD on windows because of this. In fact, I Have a VFIO rig set up precisely for this reason, with a 1070 on the host and a fury on the guest.