13. 11/7/2018 14
@wicusross
2832 targets per TLD that exposed passwords
• co.uk: 2178
• ac.uk: 167
• gov.uk: 55
• org.uk: 269
• Other: 163
14.
• 6 x AMD RX580 8GB GPU
• Hashcat
• Keyspace included all characters, numbers and symbols, both upper and lower case
• 6 values in less than 2 minutes
• 7 values in less than 20 minutes
• 8 values in less than 2 days
• Run over 8 weeks
• Against ~½ million hashes
17.
• One to six characters = 1929 (0.42%)
• One to eight characters = 85106 (18.75%)
• More than eight characters = 368892 (81.25%)
21.
PREDICTABLE FORMATS
• Lowercase Only, 0%
• Uppercase Only, 0%
• Alpha Only, 0%
• Numeric Only, 0%
• First capital last symbol, 6%
• First capital last number, 32%
• Contains Month, 6%
• Contains Day, 2%
• Contains Year, 12%
• Single digit end, 6%
• Two digits end, 15%
• Three digits end, 9%
• Mystery!, 12%
• Other, 2%
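Added example, not part of the original slides: a check a defender could run when a password is set, flagging candidates that match the format labels from slide 21 or fall within the length that slide 14 reports as brute-forced. The matching rules, the year range, the weekday reading of "Contains Day" and the names `predictable_formats` and `audit` are assumptions, since the slides do not define how each category was matched; "Mystery!" and "Other" are not modelled.

```python
import re

# How each slide category was matched is not stated; these rules are assumptions.
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
DAYS = "monday tuesday wednesday thursday friday saturday sunday".split()
YEAR = re.compile(r"(?<!\d)(19[5-9]\d|20[0-4]\d)(?!\d)")  # assumed range 1950-2049
TAIL = re.compile(r"(?<!\d)\d{1,3}$")                      # exactly 1-3 trailing digits
TAIL_LABEL = {1: "Single digit end", 2: "Two digits end", 3: "Three digits end"}
BRUTE_FORCE_MAX_LEN = 8  # slide 14: 8 values took less than 2 days

def predictable_formats(password: str) -> set:
    """Return the slide 21 format labels that the password matches."""
    labels = set()
    low, first, last = password.lower(), password[:1], password[-1:]
    if password.isdigit():
        labels.add("Numeric Only")
    if password.isalpha():
        labels.add("Alpha Only")
        if password.islower():
            labels.add("Lowercase Only")
        elif password.isupper():
            labels.add("Uppercase Only")
    if first.isupper() and last.isdigit():
        labels.add("First capital last number")
    if first.isupper() and not last.isalnum() and not last.isspace():
        labels.add("First capital last symbol")
    if any(m in low for m in MONTHS):
        labels.add("Contains Month")  # substring match, so "Margin" also hits
    if any(d in low for d in DAYS):
        labels.add("Contains Day")
    if YEAR.search(password):
        labels.add("Contains Year")
    tail = TAIL.search(password)
    if tail:
        labels.add(TAIL_LABEL[len(tail.group())])
    return labels

def audit(password: str) -> list:
    """Reasons to reject a candidate at set time; an empty list means none found."""
    reasons = sorted(predictable_formats(password))
    if len(password) <= BRUTE_FORCE_MAX_LEN:
        reasons.append("Length within brute-force range")
    return reasons

# Constructed sample candidates, not taken from the data set in the slides.
for candidate in ("August2018", "Monday12!", "letmein", "tr0ub4dor&3xyzzy-plugh"):
    print(f"{candidate!r}: {audit(candidate) or 'no predictable format matched'}")
```

The categories overlap, so one password can carry several labels, which is consistent with the slide's percentages not summing to exactly 100.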