Show HN: I Dedicated 4 Years to Mastering Offline Password Cracking
ZH version is available. Content is displayed in original English for accuracy.
I am Bojta Lepenye, and first of all, I want to thank the core developers of Hashcat. In my experience, it is quite literally the most capable tool available for offline password cracking across a wide range of use cases.
I have spent the last 4 years (from age 14 to 18) extensively working with Hashcat and the tools surrounding it, and I have documented what I have learned throughout that time (since January 18, 2022) in my first book. During that period, I also had to continuously update and rewrite major sections as the field evolved. One example was the introduction of GPU support for Argon2 and other memory-hard password hashing algorithms, which significantly changed some cracking workflows.
My passion for this book, or its “quick starter,” if you will, came from an ethically conducted penetration test I performed with full authorization at my school. This is something I am both hesitant and quite proud to acknowledge.
At the beginning, I simply wrote down everything I had learned from YouTube videos and online blogs. However, not long after starting my project, I realized I practically knew nothing about password security, and that small 10 to 15 pages I had written would never be enough if someone was looking for a professional guide to cracking passwords.
The other main driving force behind the book was the fact that while researching online, browsing forums, reading academic papers and white papers, watching videos, exploring blogs, inspecting presentations, and examining infographics, I did not find a single source that comprehensively covers and explains everything one needs to understand about offline password cracking. Literally. Not one.
Therefore, I continued my research and learned about password hashing algorithms, the security properties of hash functions, advanced hash cracking techniques, password analysis, attack optimization, and much, much more.
From the very beginning, I wanted to share this knowledge with the community because having access to a resource like this would have helped me tremendously when I first started learning password cracking.
I sincerely hope this work will be useful to both beginners and experienced professionals alike, and I look forward to hearing your thoughts and feedback.
I have also put together a little video to give you a little sneak peek into it. It is on Google Drive. It is the official domain, and you do not need to download anything. Here it is: https://drive.google.com/file/d/13LeysSZO8Mx-LGKt8UQjUGBKOYH...
If you are interested, the book is now publicly available on Amazon, and can be read for free with a Kindle Unlimited subscription: https://www.amazon.com/dp/B0GX36XRCD
Discussion (24 Comments)Read Original on HackerNews
This book is currently not really relevant for me, so I just skimmed the samples on Amazon. I found the technical content to be reasonably accurate and interesting although sometimes a little bit verbose (e.g., the section about 'what is a password') or slightly imprecise. In general, I think this book might have benefited from a thorough copyediting pass. There are quite a few grammar errors and unpolished sentences in the book, e.g.:
> The reason why Linux is imperative is that well, for one, most of the tools we will use, while indeed have builds for other systems, like Windows, in this book we will work with Linux.
Wishing you success and keep on writing!
I've hopped through the book and it seems carefully laid out and organized. I may come back at you with questions once I've read further. Cheers.
Why not put the video on YouTube?
You think this stuff is some kind of secret or illicit knowledge?
The video is just less than half a minute of him flipping through some pages in the book anyway.
Even Claude will help you setup hashcat and co without complaining?
I would love to hear more about the process of writing and preparing it for publishing. It's self-published? How did you do the typesetting and the diagrams?
probably a lot of ppl lost crypto this way.
Wikipedia states that there were some field unencrypted, sure, but not the critical data.
More people probably lost crypto by forgetting their passwords like a friend of mine. 10k gone
You mean "lost things" in quotes. Management may have been more concerned about jail time.
In fact, the people most interested in password cracking are usually criminals.
But good luck with the book. It’s just not a hugely in demand topic.
People simply didn't /know/ about them/that they existed at all.
I went to a computer/electronics shop in town and asked for them.
The guy told me: "We don't stock them because people don't ask for them."
Otherwise you do find plenty of people on YT walking you through hashcat. The first YT Video alone has 7 Million views: "how to HACK a password // password cracking with Kali Linux and HashCat"
I wish him luck, great drive to do this, i hope it works out well enough, books are just in general not easy to sell.
I'd say that this is a bit relevant to the entire field of cyber security and a good chunk of development roles. If you're not concerned about how password hashing (which is a key component of understanding cracking) works as developer-- I'm not sure what to say. While not all of the in-depth research is probably needed. It's definitely relevant to many technical fields. I work in offensive security and we use tools like this daily in our industry. And no we are not cyber criminals.