Hashcat Password Cracking & Password Policy

You probably have numerous passwords for different digital user accounts. When creating new accounts, you usually have to meet certain requirements for a secure password. In this first of four blog posts, we explain how you can protect yourself from password cracking with a good password policy.

Table of Contents

Password Policy

Passwords are the essence of today's IT and all connected systems. They basically define the security of the systems and are often a source of controversy in the company between IT, management and employees.

In addition to the Default Password Policy, there are other options such as the Fine Grained Password Policy. This offers a much more granular protection and only uses the standard if the user is not already in one of the so-called PSO groups. So only in an absolute emergency.

Attention: The default domain password policy is limited to 14 characters, more is not natively possible.

Run through attack scenarios under realistic conditions?
You can do it legally in our holistic hacking lab!
To the Junior Penetration Tester course

The Microsoft Security Baseline specifies 14 characters as the maximum value. Thus, if 15 characters are required, the policy is overridden and 8 characters can be entered again.

To support your employees, there is the option of using other means such as chip cards, dongles or biometrics in addition to two-factor authentication. Despite the reduced complexity, this makes it possible to keep security high.

Offense: how to exploit weak passwords?

Weak or insufficiently complex passwords can come in two forms: plain text and hashed. Of course, complex, long passwords can also be transmitted in this way. We assume here that these are sufficiently secured or that decryption would take too long with the hash variant.

Due to the increased computing power and graphics cards, which even enable virtual realities, a standard password with 8 characters can be decrypted after minutes to hours. Especially when passwords are created from "normal" words with numbers or the so-called leetspeak, it is easy for the attacker due to existing password tables.

Which systems are to be considered?

Basically every system has to be considered.

Servers, clients, cloud services, printers and software such as an ERP system.

Potential attackers often look for “low privileged users” as a basis for attack, in order to then spread horizontally or vertically in the network from there. Here even the compromise of a simple user with very limited authorizations through weak passwords can be sufficient.

What actually is password cracking?

Password cracking is a special field of cryptanalysis, i.e. the science that deals with cracking passwords. Password cracking is used to crack encrypted passwords, i.e. to return them to their unencrypted original form. Numerous techniques, methods and procedures are used for this, some of which are presented in the following article.

Why are we doing this

Devices, services or entire domains are often compromised as part of penetration tests. However, the passwords stored there are now encrypted using cryptographic hash functions. In order to get these passwords in plain text, the encryption has to be cracked, in technical jargon "cracked". If these passwords are "cracked", access to a large number of services is possible: Individual file shares, user accounts or entire ADs can be easily attacked. Because it is often sufficient to compromise only a few key users in order to gain extensive access.

In a penetration test, this offers the possibility of gaining large-scale access right from the start with little knowledge of the network and its devices. The attacker only needs the password hashes, which ideally can be obtained via a MitM attack. These password hashes can then be cracked with almost unlimited computing power. Cloud providers, where you can rent computing power for relatively little money, enable attacks on passwords that would have been unthinkable just a few years ago.

How does password cracking work?

Passwords can be cracked in a variety of ways, the most popular being brute force, dictionary, hybrid, and combinator attacks. All of these attacks are characterized by the fact that they are only one possible method to crack passwords. There is no “best” attack in this form, because passwords always differ enormously from one another and successful attacks cannot be generalized to other passwords. On the other hand, it is important to know all attacks in their basic forms and to be able to use them creatively or reinterpret them. Password cracking is therefore a topic that is easy to get into. However, in order to lead it to the mastery, it requires a lot of time, knowledge and also computing power.

Brute force attacks

The brute force attack is based on trying out every possible combination, which leads to an immense number of possible combinations as the password length increases. Despite greater computing power, which makes it possible to try out several hundred billion passwords per second, passwords over 10 characters cannot be "cracked" in an acceptable amount of time using pure brute force and currently available hardware. However, it must always be considered here that on the one hand the available computing power increases massively, as well as the prices for such powerful hardware continue to fall. The development of graphics cards over the last 10 years shows this very well, so you need less and less money for the same performance or you can buy more performance with the same money. However, bruteforce is far from the only way to crack passwords and can be further supplemented and improved.

Hashcat “advanced password recovery”

Hashcat is software for "cracking" passwords or their hashes. Hashcat is run and operated on the command line. It runs on all operating systems and supports CPUs, GPUs and FPGAs, but using Linux (server variant) with Nvidia graphics cards is recommended. Graphics cards are generally much more effective than processors and are therefore recommended. Ubuntu with the proprietary Nvidia drivers and CUDA is recommended as a Linux distribution. Hashcat should always be compiled yourself, as this will use the latest version and avoid compatibility problems.

Hashcat syntax

					hashcat -a (attack mode) -m (hash mode) path/to/hashfile path/to/dictionary   

This syntax can be extended with further options, which are explained below.

Hashcat Attack Mode

This determines the attack type. You can choose between the following variants.

					-a 0 Wörterbuch
-a 1 Kombinator
-a 3 Bruteforce
-a 6 Hybrid + Masken
-a 7 Maske + Hybrid
-a 9 Association 

Dictionary Attack is the default attack and is a good choice most of the time. The other attacks are tailored to different situations and develop their strengths there.

Hashcat HashMode

The hash mode specifies which hash type should be cracked and is specified using -m (number). NTLM e.g. B. is numbered 1000 while SHA1 is numbered 100. All numbers can best be found in the Hashcat Wiki look up.

hash mode

Hashcat Attack Mode Brute Force

The brute force can be specified using character sets, so passwords can be mapped in the following formats.

					?d = Zahlen von 0-9
?s = Sonderzeichen
?l = Kleinbuchstaben
?u = Großbuchstaben
?a = alle Vorherigen

You can use these character sets to create your own masks, which can be used to search for passwords in a more targeted manner.

You can also define your own character sets to display special letters (Chinese, Arabic, Russian, ...). This is done with the option -1 (own character set). The -i option can be used to specify that the length of the bruteforce attack is increased, i.e. it starts with a character and then increases further.

Hashcat Brutforce examples

Brute force on a password consisting of an unknown set of numbers.

					hashcat -a 3 -m (hash mode) hashfile.txt -i ?d?d?d?d?d?d?d?d?d

Bruteforce on a password consisting of 5 letters and and 4 unknown characters at the end.

					hashcat -a 3 -m (hash mode) hashfile.txt ?u?l?l?l?l?a?a?a?a

Brutforce on a password with partially known content.

					hashcat -a 3 -m (hash mode) hashfile.txt ?u?l?l?lword

Brute force on a password with your own character set.

					hashcat -a 3 -m (hash mode) hashfile.txt -1 ?d?s ?1?1?1?1?1?1?1?1

Brute force a password with German umlauts and automatic renewal.

					hashcat -a 3 -m (hash mode) hashfile.txt -1 charsets/German.hcchr -i ?1?1?1?1
Do you want to get started as a penetration tester?
Qualify for your dream job with our practice-oriented intensive course!
To the Junior Penetration Tester certificate course

Defense: Ways to prevent the attack

The key to success is the implementation of a complex password policy. This can be done via the "Default Password Policy" or via a "Fine grained password policy".

For the default password policy without additional tools (biometrics, cards, etc.), at least 12 characters including complexity should be selected. We also recommend changing your password regularly, at least once a year. According to the current BSI recommendation, a regular password change can be dispensed with, but this is explicitly linked to the condition that compromised passwords are recognized promptly. However, experience has shown that in the majority of the existing infrastructures, this is possible without SIEM or extensive monitoring, combined with a connection to common sites such as https://haveibeenpwned.com is hardly possible.


BSI document "ORP_4_Identitaets_und_Authorization_Management_Editon_2020"

Recommendations for regulating password use – see ORP.4.A__.

ORP.4.A23 Regulation for password-processing applications and IT systems [IT operations] (B) IT systems or applications SHOULD ONLY request a password change with a valid reason. Purely time-controlled changes SHOULD be avoided. Action MUST be taken to detect password compromise. If this is not possible, it SHOULD be checked whether the disadvantages of a time-controlled password change can be accepted and whether passwords are changed at certain intervals.

The password should contain at least three of the four possible complexity requirements. A history of 24 passwords is recommended and blocked if incorrect entries are made too often.

Important: This does not apply to administrators. In addition to the size, there must be no so-called threshold here, otherwise there is a possibility of denial of service.

If all accounts were attacked at the same time, with the same policy, everyone would no longer be able to be unlocked and the company would be at a standstill. The threshold is one of the most useful settings to prevent brute force attacks.

Group Policy Management
Group Policy Management

Fine grained password policy

In addition to the default policy, a significantly higher level of granularity can be created with the Fine Grained Password Policy. It allows permissions to be grouped together, increasing complexity as needed.

To do this, several steps must be carried out.

The PSO groups must be created under the user and computer administration

AD users

The creation of three groups can be seen here as a suggestion. Of course, it can be made even more granular by power users, for example.

The tree view must then be selected under the Active Directory administration center and then the item Domain -> System -> Password Settings Container

This is followed by the actual creation of the PSO objects (Password Security Objects), which can be configured as follows, for example.

Important: As already described in the Default Password Policy, it is very important that administrators do not receive an account lockout, otherwise access will no longer be possible in the event of a brute force attack.

First the Administrative PSO with the assignment of the corresponding group.

The ranking decides on the processing of the groups.

Password length should be at least 16 characters

Saved passwords 36

PSO Admin

Then management / power users

Starting with this group, we recommend implementing the account lockout policy at the unlock level. A time-based setting is also common, but can be leveraged by modern attacks due to delays when attempting to enter a password.

If a user has ten or 15 incorrect entries, a reset is often necessary in general.


And finally the standard user.

PSO user

For all groups, accidental deletion must be ruled out. A clear description of who is subject to which password policy is also recommended.

After successful creation, the processing of the password policy is as follows.

1 Domain Default Policy

2 PSO group > by rank order

3 PSO users > by ranking

When ranking the PSO, the lower value applies. Therefore, an administrative user can exist as a PSO User and PSO Administrator, but must always comply with the PSO Administrator guidelines.

Basically: Do not apply to individual users, as it becomes difficult and confusing to manage.

The default domain policy should also be configured as a fallback. If a user is not in a PSO group, the default domain policy still applies.

Support your employees here with all the means at your disposal so that no easy passwords (pet, partner, etc.) are chosen. At least for the administrators should be a Password manager be available. Helpful instructions and user awareness training are up-to-date and gladly seen as support.

In addition, two-factor authentication (2FA) should always be used whenever possible. This increases the effort for attackers enormously, since it means that a mobile device, a mobile phone number or apps have to be additionally compromised.

Password policies in Azure AD

In modern AD environments, there are several ways to counteract weak passwords. In addition to the well-known password policies, this can also be supplemented with block lists. In this way, weak passwords that meet the password policies but are still insecure can be filtered out. Typical examples of this would be combinations of company name, location or product name and numbers and/or special characters. Due to their low complexity, these passwords endanger the security of the entire company, since often only individual users are sufficient to compromise the entire domain.

Microsoft offers two options for this: In Azure AD environments, Microsoft's own block lists are applied to all passwords by default to prevent the use of weak passwords. These lists are developed by Microsoft and contain weak passwords used worldwide. You can also specify your own lists of blocked passwords in order to better reflect local peculiarities. In the case of the user-defined block lists, it is advisable to use the root words of the passwords, i.e. instead of company name!*'#02 only use company name, since the permutation is carried out automatically by the AD. These two types of password block lists can only be implemented in Azure AD/ mixed deployments, this is not possible with on-premise AD. The appropriate license is also required (Azure AD Premium P1)

Authentication methods

Detect: How can I detect the attack?

Offline cracking with Hashcat is not possible, since this is usually done on other systems. Brutforce attacks against your own systems can be recognized very well. Above all, this requires good monitoring of e.g. B. Incorrect entries, which could indicate brute force attacks. Intune can also be relevant here for cloud services, which recognizes impossible travel activity or unknown IP addresses and, if necessary, blocks them directly from using the password.

React: How do I deal with detected attackers on the network?

The basic question is: What can the attacker do with the data he has access to and what is the internal handling like? Simply logging in may not contain enough information for criminal prosecution. For internal security, an immediate blocking of the user and blocking of the attacker's IP address would be desirable.

Related Links


When dealing with the following ISMS framework controls, the vulnerability and its elimination play a role:

ISO 27001:

A.9.4.3 Password Management System 

BSI Baseline Protection:




Don't want to waste time on your way to becoming a penetration tester?
In our courses, led by experienced penetration testers, you will learn everything you really need for this.
Go to the Junior Penetration Tester Intensive Course
Follow for more!
Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!

Table of Contents

NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!