|Type of Hash||Cracking Performance for 4 Hashes|
|Windows 7||1.3 sec. with dictionary of 500,000 words||Instructions|
|Linux||20 sec. with dictionary of 500 words||Instructions|
|Wordpress||4 min. with dictionary of 500,000 words||Instructions|
|Joomla||1.1 sec. with dictionary of 500,000 words||Instructions|
Wordpress hashes are now $P$B type phpass: 8193 iterations of MD5, with salt.
Drupal 7 hashes are $S$C type phpass: 16385 iterations of SHA-512, with salt. They are even more secure than Linux hashes, as shown below.
Linux passwords are 5000 rounds of SHA-512, with salt.
As shown below, john took 3.6 seconds to crack Linux hashes, but 39 seconds to crack Drupal 7 passwords. This verifies that Drupal 7 passwords are even more secure than Linux passwords.
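The iteration counts quoted above come from the fourth character of the hash: it encodes log2 of the stretching count, and one extra salted call precedes the loop. The following Python sketch is an added example, not code from the original page or from phpass, WordPress or Drupal; it follows the published phpass portable-hash construction, assumes Drupal 7 applies the same construction with SHA-512 and truncates the stored string to 55 characters, and uses constructed salts and a constructed password.

```python
import hashlib
import hmac

# phpass's base64 alphabet; the 4th character of a hash indexes into it.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# prefix -> (digest, stored length; None means untruncated)
SCHEMES = {"$P$": ("md5", None), "$S$": ("sha512", 55)}

def describe(setting):
    """Return (digest, total digest calls per guess) for a $P$/$S$ hash."""
    digest, _ = SCHEMES[setting[:3]]
    log2 = ITOA64.index(setting[3])
    return digest, (1 << log2) + 1  # 1 salted call + 2**log2 stretching calls

def _encode64(data):
    """phpass base64: each 3-byte group, little-endian, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password, setting):
    """Hash `password` with the prefix, cost and 8-char salt in `setting`."""
    digest, length = SCHEMES[setting[:3]]
    rounds = 1 << ITOA64.index(setting[3])
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.new(digest, salt + pw).digest()
    for _ in range(rounds):
        h = hashlib.new(digest, h + pw).digest()
    return (setting[:12] + _encode64(h))[:length]

def verify(password, stored):
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)

if __name__ == "__main__":
    # Constructed settings: cost letters from the page, made-up salts.
    for setting in ("$P$BexampleA", "$P$BexampleB", "$S$CexampleA"):
        stored = phpass_hash("correct horse", setting)
        print(describe(stored), stored, verify("correct horse", stored))
```

The two `$P$B` outputs differ although the password is the same, which is what the salt buys; an unsalted scheme would store identical values for identical passwords.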
Cracking Linux Password Hashes with Hashcat
Cracking Windows Password Hashes with Hashcat
The results were impressive and easy to understand.
By default, Kali Linux uses Type 6 Crypt password hashes--salted, with 5000 rounds of SHA512.
It takes 20 seconds to crack four hashes like that, using a dictionary of only 500 words (a very small dictionary).
Windows 7, however, uses NT hashes--no salt, one round of MD4.
It takes 1.3 seconds to crack four NT hashes, using a dictionary of 500,000 words.
So Windows hashes are more than 10,000 times weaker than Linux hashes.
Posted 1:56 PM 6-16-13 by Sam Bowne
Added Wordpress and Joomla Hashes 11:40 am 6-19-13
Added Joomla Security Extensions 3:53 PM 6-19-13
Linux instructions link fixed 4:30 PM 6-19-13
Drupal information added 4:28 PM 6-20-13