Chick3nman 🐔

@Chick3nman512

Followers
3K
Following
15K
Media
130
Statuses
4K

Sam Croley, Austin based password cracker & researcher; Team @hashcat Core Dev; CEO of Detack Inc. - @DetackGmbH; DMs always open

Austin, TX
Joined March 2009
@Chick3nman512
Chick3nman 🐔
9 months
Complete @hashcat benchmarks on the @NVIDIAGeForce RTX 5090 FE! Running nice and cool so far with solid improvements across the board. Most hash modes got at least a 20% uplift over the RTX 4090 and some modes boasting quite a bit more! Full Benchmark: https://t.co/aJ9zI1HjGM
4
22
84
@Chick3nman512
Chick3nman 🐔
2 months
While the intent is likely good, machine random passwords including uppercase, lowercase, numbers, and symbols only need to be ~13 characters regardless of hashing algorithm (ignoring truncated algos like LM or DEScrypt). Worth knowing for envs where “short” limits still exist.
@sebp888
Sebastian
2 months
A few months ago, I hacked my own wifi password with a simple brute force attack. It was my first time testing the program. My 5-year old RTX 3080 only took 4 hours to crack the 11-digit password: 1 made-up word, 4 numbers, 1 special character. Your passwords, especially wifi,
0
2
7
@hashcat
hashcat
2 months
First look at the dynamic hash-mode support in upcoming hashcat, powered by the new Rust Bridge. No coding needed: write your pattern on the command line. Don't want to wait for Release? Try it now via GitHub master or https://t.co/B0Ik8dvvmv. Feedback welcome on our Discord
0
47
147
@hashcat
hashcat
2 months
hashcat v7.1.0 released! This update includes important bug fixes, new features, and support for new hash-modes, including KeePass with Argon2. Read the full write-up here: https://t.co/rg8zfMUt3B
5
48
161
@hashcat
hashcat
3 months
We just finished the Jabbercracky password contest at DEFCON 33! Check out our writeup on using the new Python Bridge in hashcat 7 for rapid prototyping a solution to an unsupported hash mode: https://t.co/HG3o80bAbt
0
18
89
@hashcat
hashcat
3 months
Team Hashcat took first place in the Jabbercracky contest at #DEFCON33! Thanks to HashMob for putting up a great fight and congrats on 2nd place! We're looking forward to your write-up! Huge thanks to Jabbercracky, @Stealthsploit, and @PasswordVillage for organizing!
5
37
234
Wrote up a new blog entry on improving the OMEN password cracking algorithm. The changes have also been included in the new version of the PCFG password cracking toolset. Link:
0
5
5
@IceSolst
solst/ICE of Astarte
3 months
Some comments say the password should be hashed client side. No, that is not good practice: - you’re replacing the password with hash(password), all else equal, so no benefit there. New hashed pw can still be stolen. - it still needs to be salted and hashed on the backend. -
@IceSolst
solst/ICE of Astarte
3 months
HTTP request POST data. Once saw a pentester report this to a client (there was TLS). Anyone who’s used burp at least once knows this is how webapps work.
36
19
257
@hashcat
hashcat
3 months
hashcat v7.0.0 released! After nearly 3 years of development and over 900,000 lines of code changed, this is easily the largest release we have ever had. Detailed writeup is available here: https://t.co/fxAIXNXsEr
22
377
1K
@Paul_Reviews
Paul Moore - Security Consultant 
3 months
Yep, there's something seriously wrong here. I've just walked in from a night out. The UI has logged me out - but the endpoint for fetching passwords still has everything in plain text. You might want to fix this @CyberFoxLLC
@Paul_Reviews
Paul Moore - Security Consultant 
3 months
Are you really decrypting the entire vault on the server? I'm able to call the vault GET API and see everything in plain text - outside of the app!
0
1
4
@Paul_Reviews
Paul Moore - Security Consultant 
3 months
Are you really decrypting the entire vault on the server? I'm able to call the vault GET API and see everything in plain text - outside of the app!
@CyberFoxLLC
CyberFOX
3 months
See Password Boss WebApp in action! Catch our live demo on July 24th at 2:00 PM EDT! Sales Engineer Jonathan Figueroa-Colón will walk you through how our password manager helps keep your business secure and your team productive! 👉 Sign up here: https://t.co/eA5ZqLoaeB
1
1
11
@vxunderground
vx-underground
3 months
51
102
1K
@AlecMuffett
Alec Muffett
4 months
July 15th 1991: 34 years ago I published the first “modern” password cracker…
4
4
14
@Paul_Reviews
Paul Moore - Security Consultant 
4 months
This is one of the reasons so many apps are still vulnerable in 2025. This "master of information security" recommends #SHA256 to hash passwords and uses salts to defeat rainbow tables. #sigh
0
1
3
@CynoPrime
CynoSure Prime
5 months
Tired of your password rules being half-baked? The CsP kitchen’s been cooking up something better. RuleChef serves Markov-seasoned rules that actually make sense. No more recipe-for-disaster rule sets. https://t.co/t2UHVtDbpj
github.com
a markov based rule generator for hashcat/mdxfind/jtr - Cynosureprime/rulechef
0
7
11
@Chick3nman512
Chick3nman 🐔
7 months
“the password will be hashed via SHA-512 before being passed to bcrypt” @bunjavascript makes the classic mistake of prehashing before applying bcrypt instead of enforcing an input length limit. This is not only less safe, it’s specifically called out here
@bunjavascript
Bun
7 months
Roll your own auth with `Bun.password`
0
0
13
@winxp5421
winxp5421
7 months
Test hashes are live! Test your submission platform / scripts.
@winxp5421
winxp5421
8 months
Oh hey, #crackthecon is back @CypherCon this year. Come crack some passwords. https://t.co/h2ynkegecO
0
4
6
@Chick3nman512
Chick3nman 🐔
9 months
5
0
23
@lakiw
10 months
Question: Is there a repository of password/credential spraying wordlists collected via honeypots (or similar methods)? Bonus points if it is indexed by known threat actors. This would be an amazing resource for researchers.
0
2
4
@Chick3nman512
Chick3nman 🐔
1 year
Not sure what the expected service life is for a Yubikey, but my oldest(>10yrs of hard use) is still going strong despite lacking a little luster. I guess this is what @Yubico means when they say “strong multi-factor”. 🔐
8
13
164