Rendered at 11:11:42 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
raphman 2 days ago [-]
Thanks for sharing. This looks interesting. Impressive achievement.
This book is currently not really relevant for me, so I just skimmed the samples on Amazon.
I found the technical content to be reasonably accurate and interesting although sometimes a little bit verbose (e.g., the section about 'what is a password') or slightly imprecise. In general, I think this book might have benefited from a thorough copyediting pass. There are quite a few grammar errors and unpolished sentences in the book, e.g.:
> The reason why Linux is imperative is that well, for one, most of the tools we will use, while indeed have builds for other systems, like Windows, in this book we will work with Linux.
Wishing you success and keep on writing!
copypaper 2 days ago [-]
Yea after skimming the samples on Amazon I noticed that nearly every single sentence had at least one comma in it (adding zero value). It feels like I'm reading someones thoughts.
Personally, I love abusing commas for comments and shitposting, but they should be avoided in informative resources like books, otherwise, it looks like a word salad. Say your thoughts and ideas with boldness and certainty.
But hey you write better than I did at 18, so I ain't judging. Just trying to provide helpful feedback for you (the op) to improve on.
dugidugout 2 days ago [-]
What did you find slightly imprecise?
raphman 2 days ago [-]
A few small things. You might call this nitpicking. And, as I wrote, I found the technical details generally accurate.
> "Then there is also the fact that having a fully-fledged graphical desktop environment running in the background at all times is not quite optimal to say the least. 99 percent of the time when cracking passwords, you will be staring
at a black terminal filled with white text, so using Windows, which is especially GUI-heavy, is usually impractical unless you are specifically
testing something or showcasing some process."
I am reasonably sure that the Windows UI has rather little practical effect on hashcat's speed, and this thread implies the same: https://hashcat.net/forum/archive/index.php?thread-8958.html
Also, 99 percent of the time when cracking passwords, I am not staring at a black terminal filled with white text.
(I am generally taking it a little bit personally when the author directly addresses me and tells me what I am probably thinking or doing.)
> "Behind a hash function are a series of complicated mathematical operations that make deriving the input from the output literally impossible."
I'd argue that the mathematical operations themselves are usually not that complicated. More importantly, the whole book seems to be about ways to derive the (probable) input of a hash function from the output. It is not literally impossible.
> "It is important to note, however, that hash functions are not truly random;"
As the author writes elsewhere, hash functions are deterministic and not random at all. Calling them not truly random seems to imply that they are somewhat random.
> "When encrypting a file or any kind of data with AES for example, the program leveraging AES will prompt you for a password. Yes, a password."
Yes, this is a book about password cracking, but there are lots of cases where programs use AES with a computer-generated key and won't prompt you for a password. E.g., TLS.
(Just to reiterate: I am not trying to diminish the author's work, I wanted to suggest ways for improvement. I might be wrong or overly pedantic.)
Cpoll 2 days ago [-]
> I'd argue that the mathematical operations themselves are usually not that complicated. More importantly, the whole book seems to be about ways to derive the (probable) input of a hash function from the output. It is not literally impossible.
I think you're not being pedantic enough here. "Probable" is doing some heavy lifting. And the phrasing is "derive the input," which I think is fair to say. The best you can do with a proper hash is discover one or more possible inputs, but you're not deriving them from the output; the output is just used to check the result. The many-to-one nature of a hash precludes determining the exact input.
raphman 2 days ago [-]
Fair point. I was initially thinking about rainbow tables. Taking a hash and looking up associated passwords in a table feels like deriving to me - but I'm not a native speaker so I might have a wrong feeling here.
(It is obvious that one cannot directly derive the exact input - but one can derive potential inputs and then use other means to find the exact one.)
Cpoll 1 days ago [-]
To me, "deriving from x" means performing a mathematical function operating on input x. By my own definition, I suppose a rainbow table lookup is a derivation, but I wouldn't consider actually computing the table to be one. Hash-cracking is more like guess-and-check than mathematical decoding; the hash to be cracked is just a verifier and not an input, which is why I make the (admittedly pedantic) distinction.
ofrzeta 1 days ago [-]
> (I am generally taking it a little bit personally when the author directly addresses me and tells me what I am probably thinking or doing.)
I think it's a canonical way to generalize the audience as in "99 percent of the time when cracking passwords, one will be staring at a black terminal filled with white text" just as in the German "man". So with that in mind maybe you no longer have a reason to be offended :)
jfarina 2 days ago [-]
It's awkwardly phrased and doesn't really say what it intends to (though, the meaning is obvious after reading it a second or third time).
As for it being imprecise, it doesn't talk about any specific software that has any compatibility issues. It dismisses the topic out of hand.
arcfour 2 days ago [-]
I do think we should keep in mind the age of the author, which still makes it a very impressive achievement!
There being room for improvement is both acceptable and expected.
raphman 1 days ago [-]
I absolutely agree. There were no other comments on this post when I wrote my comment. Thus, I wanted to encourage the author and provide some constructive feedback in case nobody else would reply.
bojta-lepenye 17 hours ago [-]
Thanks for the feedback. I did my best with grammar. Unfortunately, English is not my native language. I'll definitely keep grammar corrections in mind for future revisions!
nojvek 1 days ago [-]
In this day, I actually appreciate imperfect human written content.
Too much AI slop, perfect grammar but no substance out there.
This seems like a substance filled book.
Congrats on shipping a book.
eigenrick 2 days ago [-]
This is an amazing achievement for someone of any age, but to publish a book with this much research at 18 is phenomenal. I heartily congratulate you.
I've hopped through the book and it seems carefully laid out and organized. I may come back at you with questions once I've read further. Cheers.
MattPalmer1086 1 days ago [-]
I'll add my congratulations too.
I work in info sec - I've always been interested in password cracking and hashcat specifically, but have never had the time to devote to really dig into it. I'll check it out.
Well done!
bojta-lepenye 17 hours ago [-]
Thank you so much. I really appreciate it! Honestly, I don’t even know what to say. I’ve never had this many people comment on any post I’ve ever made.
mmastrac 2 days ago [-]
I've got an old datacenter KVM with a root password I've been unable to crack, even though it's an ancient DES one.
Does anyone have a good cloud-hosted password cracker? I can't seem to brute force it, no matter how long I let John the ripper run.
arcfour 2 days ago [-]
An EC2 instance with lots of cores like a c6i.32xlarge should do the trick, no? You could even pay for spot instances and just checkpoint frequently and copy the progress file to S3 when you get the interruption warning.
K0balt 1 days ago [-]
It’s always exciting to me when someone who has been so obviously passionate and obsessed with a technical discipline decides to take the time to write down what they have learned to help others. This is literally the foundation of civilization and what makes me happy to be a post-agricultural human. So, thank you.
I have followed a similar path in other technical subjects, and have authored a couple of books on those journeys. I look forward to reading yours.
Some people have brought up style and structure issues with your book.. try to take this in stride. Writing for publication is its own whole thing, and involves a lot more than just putting ideas to print. Creating text that conveys the spirit, personality, and information that you want it to is nontrivial, and it takes time and practice to master. It’s easy, as a reader, to feel the rough spots in a literary work… but that does not mean that the reader would do any better when confronted with writing a book level tome, so hear the critique but don’t overthink the critic.
Even though writing well was a side quest to my otherwise very technical focus, I found a joy in developing my literary voice… and I would encourage you to keep uncovering yours.
Don’t be bullied into writing “correctly”. If you want to ponder the senselessness of life you can read one of millions of “correctly” written papers that will have you wanting to end it all just so you don’t have to go on. In these informative but wasted pages you won’t find a shred of the author, and only find yourself bored by the subject that so enthralled them to spend a thousand hours or more writing about it. What a wasted opportunity. They became so focused on writing correctly that they lost their voice entirely. Their writing may inform, but it will rarely inspire.
In these little bits of your writing I have skimmed so far, there’s plenty of warts but I feel you in the work. Your passion is contagious, and I am encouraged to learn. Sure, work out the warts, but don’t be bullied into writing “correctly” by sticking to formality and convention.
Writing is about informing, inspiring, and guiding the frame of mind of the reader. Your work does that because your voice shines through. Sure, it could be easier to read, sometimes clearer, and you should work on that if you want to, but don’t sacrifice your voice in the process. The best written work has a definite personal opinion on how to write a voice, and it’s usually not the “correct” way.
Humans writing like humans is what makes writing worthwhile in the third industrial age. Frolic in your humanity and keep up the good work. Don’t let the well intentioned bastards keep you down, especially if they have a point.
bojta-lepenye 17 hours ago [-]
I have to admit, seeing some of the critiques about my grammar and style had me second-guessing myself a bit today, so reading your perspective honestly means a lot to me, especially coming from someone who has navigated publishing technical books themselves.
I definitely have plenty of room to grow and smooth out those "warts" as I continue writing, but I will take your advice to heart and make sure I don't lose my voice in the process. Thank you again for the incredible encouragement!
I still can't process the number of comments this post has. This is waaay more than I expected.
jezze 3 hours ago [-]
Yeah don't worry too much about it. You are still young, this is your first book. That is a great accomplishment.
Don't let the comments discourage you, use them, learn from them and your next undertaking will be even better. Be proud of what you did. It is unreasonable that your first attempt would be perfect.
mujib77 3 hours ago [-]
Great like accomplishing something like this at the age of 18 is truly remarkable
gabrielsroka 2 days ago [-]
Great job. The book is 427 pages.
Why not put the video on YouTube?
bradgranath 2 days ago [-]
Are you drunk? He’s lucky Google and Amazon haven’t noticed yet. If he wants to keep access to his accounts he should pull them down immediately and distribute via torrent.
isityettime 2 days ago [-]
Why? Don't they both sell other books on cracking and pentesting and whatever? There are tons of videos on YouTube about hashcat and aircrack-ng and rainbow tables and blah blah blah.
You think this stuff is some kind of secret or illicit knowledge?
The video is just less than half a minute of him flipping through some pages in the book anyway.
Tamklomo 2 days ago [-]
Because of a Hashcat tutorial book and video?
Even Claude will help you setup hashcat and co without complaining?
gettingoverit 2 days ago [-]
Nice to see someone going the same path as me!
Haven't read the book or used Hashcat, I have a question. Is there anything yet to generate rainbow tables out of password regex?
ViAchKoN 2 days ago [-]
Nice job!
It is a massive achievement to publish a book let alone to be start a career so early at age!
Now need to find time read the book. It seems it be quite interesting.
andai 2 days ago [-]
Congratulations! The book looks great.
I would love to hear more about the process of writing and preparing it for publishing. It's self-published? How did you do the typesetting and the diagrams?
bojta-lepenye 17 hours ago [-]
Thank you so much. Yes, the book is self-published. For the typesetting, I used https://reedsy.com/ . I made all of the diagrams in PowerPoint myself, and just inserted them as high-quality images.
TeaVMFan 2 days ago [-]
I too would be interested in hearing about the writing and formatting process. I described my own process as a software engineer and first-time novelist here:
https://frequal.com/forwriters/
sijmen 2 days ago [-]
Congratulate on finishing such a big project on a complicated topic, and putting in all this effort so that others can learn as well. I enjoyed reading the first few pages on Amazon
chadbennett 1 days ago [-]
I just bought the book and look forward to reading it. I also started in cyber at 14.
These are the kinds of real-world constraints where you actually learn how tools like Hashcat work under pressure.
You are going to do big things in the industry!
aqsa_sajjad 2 days ago [-]
This is a really impressive project, especially starting at 14. The point about there being no single comprehensive resource rings true, I've tried to learn about password security before and always ended up jumping between five different tabs just to understand one concept.
raphman 2 days ago [-]
There are actually a few recent books on the topic (no clue about their quality but reviews look positive):
The video url is down? This sounds super interesting!
nilirl 2 days ago [-]
I love the book cover! Great job, Bojta.
bojta-lepenye 17 hours ago [-]
Thank you. This really means a lot. My sister designed the book cover herself. You can check out some of her drawings here: https://www.instagram.com/angyalka_art/
She is really amazing!
amelius 2 days ago [-]
Ok, so what should we use instead of passwords?
analogpixel 2 days ago [-]
I use a blank password for everything, no one ever thinks of trying nothing.
airbreather 12 hours ago [-]
have you tried NULL?
analogpixel 11 hours ago [-]
alt-255 alt-255 alt-255
coolThingsFirst 2 days ago [-]
MFA authenticator app AND password is almost unbreakable. Unless the CIA wants to hack you, you'll be fine.
akimbostrawman 1 days ago [-]
Depends on for what.
online services/anything you can autofill with pw manager:
random generated password as long as possible + MFA like hardware token (UF2)
FDE device/pw manager/anything you can't autofill:
Passphrase containing at least 8 random words (Diceware) + if possible MFA like keyfile or hardware token
giuscri 2 days ago [-]
passkeys are the obvious answer, but not sure
2 days ago [-]
kelsey98765431 2 days ago [-]
can you discuss your coverage of password mask attacks, specifically is there any advances since EBM
Many early vaults had an insufficient number of rounds, and though the new account default was upgraded over time, the old vaults never were. So longer time customers were very exposed by this breach. Most impactfully by the incompetence they demonstrated by not upgrading vaults.
latchkey 2 days ago [-]
when i was running 150k amd gpus... i really wanted to use the cluster to run hashcat to help people recover lost things. i couldn't convince management that that was a profitable business to run.
dantillberg 2 days ago [-]
> help people recover lost things
You mean "lost things" in quotes. Management may have been more concerned about jail time.
Tamklomo 2 days ago [-]
Plenty of valid reasons to recover lost things and not just 'lost things'.
latchkey 2 days ago [-]
Yes that was what i was implying.
photonair 18 hours ago [-]
[flagged]
mdhemalakhand 22 hours ago [-]
[flagged]
Dinhhoanghm 1 days ago [-]
[dead]
immanuwell 1 days ago [-]
[dead]
saberience 2 days ago [-]
There’s a reason there are no books about this, because most people are not interested in cracking local/offline passwords.
In fact, the people most interested in password cracking are usually criminals.
But good luck with the book. It’s just not a hugely in demand topic.
Tamklomo 2 days ago [-]
The reason is, that using hashcat is not complicated for people who have linux experience and the amount of people wanting to crack a password is probably not that high.
Otherwise you do find plenty of people on YT walking you through hashcat. The first YT Video alone has 7 Million views: "how to HACK a password // password cracking with Kali Linux and HashCat"
I wish him luck, great drive to do this, i hope it works out well enough, books are just in general not easy to sell.
K0balt 20 hours ago [-]
Tons of people in it service occasionally would like to crack local passwords for clients. It’s a big world. That’s thousands of people needing to do this every month. More than enough to make a self published book worth publishing. I’ve sold a few books that even though they maybe only sell a few copies a month have made me more than 250k over the years. Slow returns, but it’s the gift that keeps on giving.
virtualritz 2 days ago [-]
When I lived in Adelaide, Australia 2006 or 2007, flexible-neck LED lamps that you plugged into an USB port to have light on your keyboard (backlit keyboards were not the norm on laptops) were a novelty item.
People simply didn't /know/ about them/that they existed at all.
I went to a computer/electronics shop in town and asked for them.
The guy told me: "We don't stock them because people don't ask for them."
papascrubs 2 days ago [-]
Uh, what?
I'd say that this is a bit relevant to the entire field of cyber security and a good chunk of development roles. If you're not concerned about how password hashing (which is a key component of understanding cracking) works as developer-- I'm not sure what to say. While not all of the in-depth research is probably needed. It's definitely relevant to many technical fields. I work in offensive security and we use tools like this daily in our industry. And no we are not cyber criminals.
This book is currently not really relevant for me, so I just skimmed the samples on Amazon. I found the technical content to be reasonably accurate and interesting although sometimes a little bit verbose (e.g., the section about 'what is a password') or slightly imprecise. In general, I think this book might have benefited from a thorough copyediting pass. There are quite a few grammar errors and unpolished sentences in the book, e.g.:
> The reason why Linux is imperative is that well, for one, most of the tools we will use, while indeed have builds for other systems, like Windows, in this book we will work with Linux.
Wishing you success and keep on writing!
Personally, I love abusing commas for comments and shitposting, but they should be avoided in informative resources like books, otherwise, it looks like a word salad. Say your thoughts and ideas with boldness and certainty.
But hey you write better than I did at 18, so I ain't judging. Just trying to provide helpful feedback for you (the op) to improve on.
> "Then there is also the fact that having a fully-fledged graphical desktop environment running in the background at all times is not quite optimal to say the least. 99 percent of the time when cracking passwords, you will be staring at a black terminal filled with white text, so using Windows, which is especially GUI-heavy, is usually impractical unless you are specifically testing something or showcasing some process."
I am reasonably sure that the Windows UI has rather little practical effect on hashcat's speed, and this thread implies the same: https://hashcat.net/forum/archive/index.php?thread-8958.html Also, 99 percent of the time when cracking passwords, I am not staring at a black terminal filled with white text.
(I am generally taking it a little bit personally when the author directly addresses me and tells me what I am probably thinking or doing.)
> "Behind a hash function are a series of complicated mathematical operations that make deriving the input from the output literally impossible."
I'd argue that the mathematical operations themselves are usually not that complicated. More importantly, the whole book seems to be about ways to derive the (probable) input of a hash function from the output. It is not literally impossible.
> "It is important to note, however, that hash functions are not truly random;"
As the author writes elsewhere, hash functions are deterministic and not random at all. Calling them not truly random seems to imply that they are somewhat random.
> "When encrypting a file or any kind of data with AES for example, the program leveraging AES will prompt you for a password. Yes, a password."
Yes, this is a book about password cracking, but there are lots of cases where programs use AES with a computer-generated key and won't prompt you for a password. E.g., TLS.
(Just to reiterate: I am not trying to diminish the author's work, I wanted to suggest ways for improvement. I might be wrong or overly pedantic.)
I think you're not being pedantic enough here. "Probable" is doing some heavy lifting. And the phrasing is "derive the input," which I think is fair to say. The best you can do with a proper hash is discover one or more possible inputs, but you're not deriving them from the output; the output is just used to check the result. The many-to-one nature of a hash precludes determining the exact input.
(It is obvious that one cannot directly derive the exact input - but one can derive potential inputs and then use other means to find the exact one.)
I think it's a canonical way to generalize the audience as in "99 percent of the time when cracking passwords, one will be staring at a black terminal filled with white text" just as in the German "man". So with that in mind maybe you no longer have a reason to be offended :)
As for it being imprecise, it doesn't talk about any specific software that has any compatibility issues. It dismisses the topic out of hand.
There being room for improvement is both acceptable and expected.
Too much AI slop, perfect grammar but no substance out there.
This seems like a substance filled book.
Congrats on shipping a book.
I've hopped through the book and it seems carefully laid out and organized. I may come back at you with questions once I've read further. Cheers.
I work in info sec - I've always been interested in password cracking and hashcat specifically, but have never had the time to devote to really dig into it. I'll check it out.
Well done!
Does anyone have a good cloud-hosted password cracker? I can't seem to brute force it, no matter how long I let John the ripper run.
I have followed a similar path in other technical subjects, and have authored a couple of books on those journeys. I look forward to reading yours.
Some people have brought up style and structure issues with your book.. try to take this in stride. Writing for publication is its own whole thing, and involves a lot more than just putting ideas to print. Creating text that conveys the spirit, personality, and information that you want it to is nontrivial, and it takes time and practice to master. It’s easy, as a reader, to feel the rough spots in a literary work… but that does not mean that the reader would do any better when confronted with writing a book level tome, so hear the critique but don’t overthink the critic.
Even though writing well was a side quest to my otherwise very technical focus, I found a joy in developing my literary voice… and I would encourage you to keep uncovering yours.
Don’t be bullied into writing “correctly”. If you want to ponder the senselessness of life you can read one of millions of “correctly” written papers that will have you wanting to end it all just so you don’t have to go on. In these informative but wasted pages you won’t find a shred of the author, and only find yourself bored by the subject that so enthralled them to spend a thousand hours or more writing about it. What a wasted opportunity. They became so focused on writing correctly that they lost their voice entirely. Their writing may inform, but it will rarely inspire.
In these little bits of your writing I have skimmed so far, there’s plenty of warts but I feel you in the work. Your passion is contagious, and I am encouraged to learn. Sure, work out the warts, but don’t be bullied into writing “correctly” by sticking to formality and convention.
Writing is about informing, inspiring, and guiding the frame of mind of the reader. Your work does that because your voice shines through. Sure, it could be easier to read, sometimes clearer, and you should work on that if you want to, but don’t sacrifice your voice in the process. The best written work has a definite personal opinion on how to write a voice, and it’s usually not the “correct” way.
Humans writing like humans is what makes writing worthwhile in the third industrial age. Frolic in your humanity and keep up the good work. Don’t let the well intentioned bastards keep you down, especially if they have a point.
I definitely have plenty of room to grow and smooth out those "warts" as I continue writing, but I will take your advice to heart and make sure I don't lose my voice in the process. Thank you again for the incredible encouragement!
I still can't process the number of comments this post has. This is waaay more than I expected.
Don't let the comments discourage you, use them, learn from them and your next undertaking will be even better. Be proud of what you did. It is unreasonable that your first attempt would be perfect.
Why not put the video on YouTube?
You think this stuff is some kind of secret or illicit knowledge?
The video is just less than half a minute of him flipping through some pages in the book anyway.
Even Claude will help you setup hashcat and co without complaining?
Haven't read the book or used Hashcat, I have a question. Is there anything yet to generate rainbow tables out of password regex?
I would love to hear more about the process of writing and preparing it for publishing. It's self-published? How did you do the typesetting and the diagrams?
These are the kinds of real-world constraints where you actually learn how tools like Hashcat work under pressure.
You are going to do big things in the industry!
Netmux (2019): Hash Crack: Password Cracking Manual¹
James Leyte-Vidal (2024): Ethical Password Cracking: decode passwords using John the Ripper, hashcat, and advanced methods for password breaking²
Daniel W. Dieterle (2024): Password Cracking with Kali Linux³
¹) https://www.amazon.com/gp/product/1793458618
²) https://www.amazon.com/Ethical-Password-Cracking-passwords-a...
³) https://www.oreilly.com/library/view/password-cracking-with/...
She is really amazing!
online services/anything you can autofill with pw manager:
random generated password as long as possible + MFA like hardware token (UF2)
FDE device/pw manager/anything you can't autofill:
Passphrase containing at least 8 random words (Diceware) + if possible MFA like keyfile or hardware token
probably a lot of ppl lost crypto this way.
Wikipedia states that there were some field unencrypted, sure, but not the critical data.
More people probably lost crypto by forgetting their passwords like a friend of mine. 10k gone
https://en.wikipedia.org/wiki/2022_LastPass_data_breach#Impa...
Many early vaults had an insufficient number of rounds, and though the new account default was upgraded over time, the old vaults never were. So longer time customers were very exposed by this breach. Most impactfully by the incompetence they demonstrated by not upgrading vaults.
You mean "lost things" in quotes. Management may have been more concerned about jail time.
In fact, the people most interested in password cracking are usually criminals.
But good luck with the book. It’s just not a hugely in demand topic.
Otherwise you do find plenty of people on YT walking you through hashcat. The first YT Video alone has 7 Million views: "how to HACK a password // password cracking with Kali Linux and HashCat"
I wish him luck, great drive to do this, i hope it works out well enough, books are just in general not easy to sell.
People simply didn't /know/ about them/that they existed at all.
I went to a computer/electronics shop in town and asked for them.
The guy told me: "We don't stock them because people don't ask for them."
I'd say that this is a bit relevant to the entire field of cyber security and a good chunk of development roles. If you're not concerned about how password hashing (which is a key component of understanding cracking) works as developer-- I'm not sure what to say. While not all of the in-depth research is probably needed. It's definitely relevant to many technical fields. I work in offensive security and we use tools like this daily in our industry. And no we are not cyber criminals.