
Thor's Password Machine

1000100 1110010 1101001 1101110 1101011 100000 1101101 1101111 1110010 1100101 100000 1001111 1110110 1100001 1101100 1110100 1101001 1101110 1100101 100001 100000

Hello, and welcome! As with most HoG tools, this is the only password tool in the universe that actually gives you a tangible strength metric by which to gauge password composition and complexity for effective development and enforcement of policy. You can get the full description and explanation below. Note: don't use any of your actual passwords; use test passwords of similar structure and form. Or, go ahead and use whatever you want to. Nothing is logged, stored, or otherwise examined. And even if it was, there's no way I would know WTF the password went to. But do whatever you want to. Here, we default to Class=F. If your administrators don't use this, they default to Class=none.

Conversations regarding passwords have flared up again, and I want to make sure you are aware of the most critical part of choosing effective passwords: what they will be used for. For instance, my bank will lock out my account after 5 unsuccessful attempts. I don't need the password complexity they require. If you are interested, here is some Password Myth-busting.
☮ The default setting is Class F.


☮ Enter the password you would like tested:


Your Pwd: TheHooch
Pwd Length: 8 (eight)
MD5: bf3225e7082b002fc5a1ed0d1b74d1b6   ☜ Google Lookup
SHA1:
BF-Class: 1,000,000,000 (one billion) per-second.
BF-Base: 52 (fifty-two): abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

Pwd Iterations: 47,451,614,958,548     (Scientific notation of: 4.745161e+13)
    forty-seven trillion, four hundred and fifty-one billion, six hundred and fourteen million, nine hundred and fifty-eight thousand, five hundred and forty-eight.
Time-to-Crack: Minutes: 790.86
    seven hundred and ninety-one.

The below section displays the total iterations for the entire base's key-space:

Key-space Iterations: 54,507,958,502,660     (Scientific notation of: 5.450796e+13)
    fifty-four trillion, five hundred and seven billion, nine hundred and fifty-eight million, five hundred and two thousand, six hundred and sixty.
Time to Crack: Minutes: 908.47
    nine hundred and eight point four seven.

Iterations (recap): 47,451,614,958,548     (Scientific notation of: 4.745161e+13)
    forty-seven trillion, four hundred and fifty-one billion, six hundred and fourteen million, nine hundred and fifty-eight thousand, five hundred and forty-eight.
Seconds: 47,451.61
    four hundred and seventy- thousand, four hundred and fifty-one point six one.
Minutes: 790.86
    seven hundred and ninety point eight six.
Hours: 13.18
    thirteen point one eight.
Days: 0.55
    zero point five five.
Years: 0.00
    zero.
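
The figures above can be reproduced by treating the password as a position in a shortest-first brute-force enumeration over the BF-Base alphabet. This is an added example, not the tool's own code: the enumeration order is inferred from the displayed numbers, and the function names are hypothetical.

```python
# Added example: reproduces the "Pwd Iterations", "Key-space Iterations" and
# time-to-crack figures shown on this page. The enumeration model is an
# assumption inferred from those numbers, not taken from the tool's source.

BF_BASE = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"  # from the page
CLASS_F_RATE = 1_000_000_000  # guesses per second (BF-Class shown on the page)


def keyspace(base: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet of size base."""
    return sum(base ** n for n in range(1, max_len + 1))


def iterations_to_reach(password: str, alphabet: str = BF_BASE) -> int:
    """1-based position of password when candidates are tried shortest first,
    each length in alphabet order (like counting in base len(alphabet))."""
    base = len(alphabet)
    index = 0
    for ch in password:
        digit = alphabet.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is outside the brute-force alphabet")
        index = index * base + digit
    # Every shorter candidate is tried first, then the ones sorting before us.
    return keyspace(base, len(password) - 1) + index + 1


def minutes_to_crack(iterations: int, rate: int = CLASS_F_RATE) -> float:
    """Wall-clock minutes at a fixed guess rate."""
    return iterations / rate / 60


if __name__ == "__main__":
    pwd = "TheHooch"
    hit = iterations_to_reach(pwd)
    full = keyspace(len(BF_BASE), len(pwd))
    print(f"password reached after {hit:,} guesses "
          f"({minutes_to_crack(hit):.2f} min)")
    print(f"whole key-space is     {full:,} guesses "
          f"({minutes_to_crack(full):.2f} min)")
    print(f"position in key-space: {hit / full:.1%}")
```

The password's first character dominates the result: "TheHooch" starts with "T", which sits late in this alphabet, so it is reached only after most of the 8-character key-space has been tried.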
TPM's Featured Feature!
MD5 and SHA1 hash generation, with an automatic link to Google to see if your hash is out there.
Not only are "Rainbow Tables" far overrated, some actually consider them some sort of "magic" password cracker. They are great tools against specific, known character composition hashes - i.e. passwords consisting of Upper/Lower/Digits with up to, say, 9 characters or so. And they are almost a requirement for repeat engagements where they have been built specifically for a given scenario. But the thing to remember about RTs is that they cannot match against anything they were not generated for. To show where they can be effective, I've used "Scorpio" as the password I want to check - it would require, at the least, tables comprised of upper- and lowercase letters and character sets of at least 7 characters. The image to the right shows how the straight (unsalted) password is easily found just by Googling for the hash itself.
Rainbow Tables are impotent against "decent passwords" with a cryptographically strong salt. Since you are reading this, you're obviously using TPM to gauge your passwords, so you have an idea what that means. Actually, you could have "crab" for your password and a proper salt will thwart RTs - that's kind of funny too, as crabs properly seasoned are yummy. Unless you got them in Vegas. Anyway, where RTs CAN be of use is if you have an unknown salt, but somehow the Ghost of Bob Marley has told you the passwords *and* salts together are fewer characters than the maximum generation of the RT. It's a good bit entertaining to hear what some folks think RTs are.
Now try "Scorpio" with the SHA1 link. Scary, huh? Actually, it's not. The default password of "TheHooch" has no matches, as no one has gone through the trouble of creating a rainbow table for upper and lower case letters. They're available, but apparently not online.
You see, Hash is Hash (unless you're in Taiwan). The main difference is length, which is a manifestation of the hashing algorithm. Every character combination's hash is theoretically unique. No word other than "Scorpio" should have the SHA1 hash 267d8ca2af1eefa7c7c5fb508f24a3c218725a2a. Notice the "should." The MD5 algorithm has produced "collisions" where two inputs have the same output. Theoretically, if your password is ShammaLammaDingDong, I just might be able to use "TheHooch" to get in to your account. SHA1 has mo, betta, and different algorithms, and supposedly is supra-resistant to collisions. But we'll never know. Actually, just use SHA256 to compare logon data with restored hashes and this all becomes academic.
So that's that.  The above checks are made when you generate your keys so that you have the little extra bit of security.
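
The salt behaviour described above, as an added example that is not part of the original page: a precomputed table only matches what it was generated for, so a long random salt defeats it, while a salt short enough that salt plus password still fits the table's coverage does not. The tiny lowercase character set, the 4-character limit and the function names are constructed for the demo, and the table is a plain hash-to-plaintext lookup rather than a chain-based rainbow table.

```python
import hashlib
import itertools
import os
import string

CHARSET = string.ascii_lowercase  # constructed: deliberately small character set
MAX_LEN = 4                       # constructed: table covers lengths 1..4 only


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_table(charset: str = CHARSET, max_len: int = MAX_LEN) -> dict:
    """Precompute hash -> plaintext for every string the table is generated for."""
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            word = "".join(combo)
            table[sha1_hex(word.encode())] = word
    return table


def stored_hash(password: str, salt: bytes = b"") -> str:
    """What a server would keep on disk: SHA-1 over salt || password."""
    return sha1_hex(salt + password.encode())


def demo() -> dict:
    table = build_table()
    return {
        # Unsalted "crab" is inside the table's coverage, so it is recovered.
        "unsalted": table.get(stored_hash("crab")),
        # 16 random bytes push the hashed input far outside the coverage.
        "random_salt": table.get(stored_hash("crab", os.urandom(16))),
        # A one-character salt: salt + password is still only 4 lowercase
        # characters, so the table returns the combined string.
        "short_salt": table.get(stored_hash("cab", b"z")),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:12s} -> {hit!r}")
```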