Chick3nman 🐔 (@chick3nman512)'s Twitter Profile
Chick3nman 🐔

@chick3nman512

Sam Croley, Austin based password cracker & researcher; Team @hashcat Core Dev; CEO of Detack Inc. - @DetackGmbH; DMs always open

ID: 25700049

Link: https://www.linkedin.com/in/chick3nman/

Joined: 21-03-2009 17:26:19

3.3K Tweets

3.3K Followers

1.1K Following

Chick3nman 🐔 (@chick3nman512)

Not sure what the expected service life is for a Yubikey, but my oldest(>10yrs of hard use) is still going strong despite lacking a little luster. I guess this is what Yubico | #YubiKey means when they say “strong multi-factor”. 🔐

Lakiw @lakiw@infosec.exchange (@lakiw)

Question: Is there a repository of password/credential spraying wordlists collected via honeypots (or similar methods). Bonus points if it is indexed by known threat actors. This would be an amazing resource for researchers.

Chick3nman 🐔 (@chick3nman512)

“the password will be hashed via SHA-512 before being passed to bcrypt” Bun makes the classic mistake of prehashing before applying bcrypt instead of enforcing an input length limit. This is not only less safe, it’s specifically called out here cheatsheetseries.owasp.org/cheatsheets/Pa…
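An added illustration of the point in the tweet above (editor's example, not Bun's code and not the tweet author's): it enforces bcrypt's 72-byte input limit up front, the approach the tweet and the OWASP cheat sheet favour, and models the NUL-byte truncation a raw SHA-512 digest can hit when handed to a bcrypt implementation that treats its key as a C string. The charset, sample size and seed are constructed for the demonstration; no bcrypt library is called.

```python
import hashlib
import random

# bcrypt processes at most 72 bytes of its input; this is the documented
# limit of the algorithm, not something taken from Bun's implementation.
BCRYPT_MAX_BYTES = 72


def password_bytes_for_bcrypt(password: str) -> bytes:
    """Reject over-long input instead of pre-hashing it.

    Every accepted byte then lies inside what bcrypt actually processes,
    so there is no silent truncation and no pre-hash pitfall to reason about.
    Note the check is on UTF-8 *bytes*, not characters.
    """
    data = password.encode("utf-8")
    if len(data) > BCRYPT_MAX_BYTES:
        raise ValueError(
            f"password is {len(data)} bytes; bcrypt uses at most {BCRYPT_MAX_BYTES}"
        )
    return data


def effective_bcrypt_key(key: bytes) -> bytes:
    """Model (not a library call) of the common C-string handling of the
    bcrypt key: everything from the first NUL byte onward is ignored, and
    anything past 72 bytes is dropped."""
    return key.split(b"\x00", 1)[0][:BCRYPT_MAX_BYTES]


def raw_sha512_prehash(password: str) -> bytes:
    """The pattern the tweet criticises: feed bcrypt the raw SHA-512 digest."""
    return hashlib.sha512(password.encode("utf-8")).digest()


def truncated_prehash_fraction(samples: int, seed: int = 1) -> float:
    """Fraction of random passwords whose raw SHA-512 digest contains a NUL
    byte, so the key bcrypt actually sees is shorter than the 64-byte digest.
    Expected value is 1 - (255/256)**64, roughly 22%."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"  # constructed charset
    truncated = 0
    for _ in range(samples):
        pw = "".join(rng.choice(alphabet) for _ in range(12))
        digest = raw_sha512_prehash(pw)
        if len(effective_bcrypt_key(digest)) < len(digest):
            truncated += 1
    return truncated / samples


if __name__ == "__main__":
    print(f"{truncated_prehash_fraction(2000):.1%} of raw SHA-512 pre-hashes lose key bytes")
```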

CynoSure Prime (@cynoprime)

Tired of your password rules being half-baked? The CsP kitchen’s been cooking up something better. RuleChef serves Markov-seasoned rules that actually make sense. No more recipe-for-disaster rule sets. github.com/Cynosureprime/…

Paul Moore - Security Consultant (@paul_reviews)

This is one of the reasons so many apps are still vulnerable in 2025. This "master of information security" recommends #SHA256 to hash passwords and uses salts to defeat rainbow tables. #sigh

Paul Moore - Security Consultant (@paul_reviews)

Are you really decrypting the entire vault on the server? I'm able to call the vault GET API and see everything in plain text - outside of the app!

Paul Moore - Security Consultant (@paul_reviews)

Yep, there's something seriously wrong here. I've just walked in from a night out. The UI has logged me out - but the endpoint for fetching passwords still has everything in plain text. You might want to fix this CyberFOX

hashcat (@hashcat)

hashcat v7.0.0 released! After nearly 3 years of development and over 900,000 lines of code changed, this is easily the largest release we have ever had. Detailed writeup is available here: hashcat.net/forum/thread-1…

solst/ICE (@icesolst)

Some comments say the password should be hashed client side. No, that is not good practice:
- you’re replacing the password with hash(password), all else equal, so no benefit there. New hashed pw can still be stolen.
- it still needs to be salted and hashed on the backend.
-

Lakiw @lakiw@infosec.exchange (@lakiw)

Wrote up a new blog entry on improving the OMEN password cracking algorithm. The changes have also been included in the new version of the PCFG password cracking toolset. Link: reusablesec.blogspot.com/2025/08/omen-i…

hashcat (@hashcat)

Team Hashcat took first place in the Jabbercracky contest at #DEFCON33! Thanks to HashMob for putting up a great fight and congrats on 2nd place! We're looking forward to your write-up! Huge thanks to Jabbercracky, Will Hunt @Stealthsploit@infosec.exchange, and Password Village for organizing!

hashcat (@hashcat)

We just finished the Jabbercracky password contest at DEFCON 33! Check out our writeup on using the new Python Bridge in hashcat 7 for rapid prototyping a solution to an unsupported hash mode: hashcat.net/forum/thread-1…

hashcat (@hashcat)

hashcat v7.1.0 released! This update includes important bug fixes, new features, and support for new hash-modes, including KeePass with Argon2. Read the full write-up here: hashcat.net/forum/thread-1…

hashcat (@hashcat)

First look at the dynamic hash-mode support in upcoming hashcat, powered by the new Rust Bridge. No coding needed: write your pattern on the command line. Don't want to wait for Release? Try it now via GitHub master or hashcat.net/beta. Feedback welcome on our Discord

Chick3nman 🐔 (@chick3nman512)

While the intent is likely good, machine random passwords including uppercase, lowercase, numbers, and symbols only need to be ~13 characters regardless of hashing algorithm (ignoring truncated algos like LM or DEScrypt). Worth knowing for envs where “short” limits still exist.