Password Superpowers workshop

From HOPE Wiki
Jump to: navigation, search
Password Superpowers: How to Crack Hashes and Stump Hackers
Presenters: User:Tech Learning Collective
Duration: 1 hour and 30 minutes
Participant limit: 20

Password Superpowers is a workshop slated to be included in the HOPE 2020 conference calendar that teaches password recover (hash cracking) techniques as well as secrets management (password manager) software. It was created by Tech Learning Collective cybersecurity trainers and features both demonstration and hands-on portions. Students are provided with a "practice lab" that they can run inside of a virtual machine, where numerous hash cracking software utilities are pre-installed for them.


This workshop teaches you how to use “password recovery” tools like John the Ripper and hashcat to find out what the password of a given user account or password-protected file is. By using free software programs that automates a technique called hash cracking, you can find out exactly how strong (or not) your own passwords are. Also in this workshop, you’ll learn about equally free password and secrets management apps like KeePass that help you practice good password hygiene so that you don’t reuse passwords or use weak passwords that don’t offer as much protection as you might have thought before you learned how easy it can be to “crack” encrypted passwords yourself. We'll also provide an automated lab environment for you that you can spin up on your laptop so that you can follow along with the instructor and get cracking immediately.

Full Description

Have you been “pwned”? For years, security researcher Troy Hunt has been running a website at that lets you check to see if your online accounts have been pwned—that is, if your personal information such as your password has been leaked, accessed, or (worst of all!) “cracked.” Go on, check for yourself!

If you’ve been “pwned,” this workshop is your chance to learn exactly what the risk might be, and what you can do about it. Derived from one portion of Tech Learning Collective’s popular “Hacking with Mr. Robot” (Security 101) course, this class will clarify the basics of cryptography and encryption within a context that actually applies to your day to day life online.

Learn what websites do with your password when you log in to them, and why using free password management software can make you both safer and more productive. On the flip side, learn professional techniques for recovering passwords from their “encrypted” (hashed) representation, such as using optimized wordlists, word-mangling rulesets, and employing basic doxing techniques for creating personally targeted password-cracking attacks.


Registration information TBD.

Pre-requisite knowledge

This workshop presumes no pre-existing knowledge on the subject. This is a beginner-friendly workshop. That being said, the following knowledge will be useful for students who want to take the workshop's training to the next level more quickly:

  • Basic command line experience in a POSIX environment (Bash on GNU/Linux, for instance), to work with the tools.
  • Basic understanding of computational resources, such as CPU clock speeds, to understand how to optimize hash cracking speeds.
  • Familiarity with the use or, optionally, development of login systems such as Web-based authentication flows. This is very much not required but adds a lot of context to the workshop discussion.


Workshop attendees must have a laptop capable of participating in the Web video stream, but nothing more.

Preparation for optional hands-on lab

If attendees want to try out the hands-on exercises along with the instructor, they must have:

  • A laptop capable of running Oracle VirtualBox, which means they need physical hardware with support for the Intel VT-x instruction. This excludes many low-end tablet-style devices such as models of Microsoft Surface, netbooks, and so forth. To check your system for hardware virtualization support:
    • macOS: sysctl -a | grep -E --color 'machdep.cpu.features|VMX'
    • Linux: grep -E --color 'vmx|svm' /proc/cpuinfo
    • Windows: systeminfo, then ensure "Hyper-V Requirements" features are marked "Yes" in the output.
  • HashiCorp Vagrant version 2.2.9 or later.
  • A broadband Internet connection (for timely downloading of the Vagrant base box virtual machine lab environment).
  • No less than 10GB free hard disk space in which to install the lab environment and associated wordlist assets. (15GB recommended.)
  • At least 1GB free RAM (2GB recommended).

To prepare, attendees must perform the following steps:

  1. Install Oracle VirtualBox.
  2. Install HashiCorp Vagrant.
  3. Download the workshop lab materials (which can be provided on request).
  4. Navigate to the workshop lab materials folder (cd /path/to/lab/folder) in their terminal program of choice.
  5. Spin up the lab environment by invoking the vagrant up command.

Once Vagrant completes, they can use the vagrant ssh command to log in to the lab environment, which will provide them with numerous hash cracking utilities and some hashes to crack.