Overview

Objectives

• Create a safe dataset of test hashes and dictionaries

• Run wordlist and rule-based attacks in a lab environment

• Compare tool performance and document crack times

• Produce recommendations that raise password resistance

Prerequisites

• Kali Linux or similar lab environment I control

• Understanding of hash types and offline testing ethics

• Consent and explicit scope when testing any real data

Implementation

1. Lab dataset

• Generated sample accounts and produced offline hashes in the lab.

• Labeled each entry with hash type and intended complexity so results could be compared fairly.

2. Attack strategy

• Executed dictionary and rule-based attacks against the sample hashes.

• Recorded time to crack, guesses per second, and which rules succeeded.

3. Validation

• Verified cracked values against the known ground truth from the synthetic dataset.

• Ensured no production credentials or unauthorized data were ever in scope.

4. Analysis and guidance

• Identified patterns that failed fast: common words, seasonal strings, predictable suffixes.

• Modeled the impact of longer passphrases and Multi-Factor Authentication on attacker cost.

5. Documentation

• Wrote a concise report with test setup, ethics statement, results charts, and policy updates.

Outcomes

• Evidence-based password guidance that is practical and measurable

• Training materials that show why length and randomness matter

• Safer defaults including passphrase length and Multi-Factor Authentication

Skills demonstrated

• Ethical password testing and analysis

• Hash identification and offline attack planning

• Clear communication of technical risk to non-technical users