Keys & Passwords
Learn safe brute-force strategy, wordlists, hash identification & salting, common MFA pitfalls, and rock-solid credential hygiene. Everything here runs in safe sandboxes for education only.
What you’ll cover
- Brute-force vs. smart guessing, rate-limits, lockouts
- Building/curating wordlists (rules, mangling, masks)
- Hash basics: identifying types, salting, KDFs
- MFA pitfalls: push fatigue, OTP reuse, insecure fallbacks
- Credential hygiene & policy design
Practice responsibly
All activities are restricted to local demos or provided practice targets. Never test accounts or systems you don’t own or have permission to evaluate.
Try the Password Meter and Phish Detector along the way.
Hands-on Labs
- Wordlist Workshop (Easy): Generate and evaluate small wordlists; compare hit-rates vs. length/variety.
- Hash ID & Salting (Medium): Identify hash formats, spot salts, and test slow KDFs in a demo.
- MFA Pitfalls Clinic (Medium): Simulate push fatigue, insecure SMS fallback, and session re-use.
- Credential Hygiene Drill (Hard): Design & enforce policies: unique passphrases, rotation exceptions, and breach response.
Cheat-sheets
Smart Guessing
- Prefer targeted rules (names, dates, leetspeak) over blind brute-force.
- Use masks for formats (e.g., ?u?l?l?l?l?d?d).
- Respect rate limits & lockouts; never attack live services.
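The mask and lockout bullets belong together when you design policy: a mask describes how many candidates a given password format allows, and a lockout rule caps how many online guesses one account can absorb. The following Python is an added example for this page (not course code): it parses hashcat-style mask tokens (charset sizes ?l=26, ?u=26, ?d=10, ?s=33, ?a=95, with literal characters and "??" for a literal question mark, all assumed from hashcat's conventions), computes the keyspace, and reports what fraction of it a lockout policy lets an online guesser cover over a horizon.

```python
from math import prod

# Per-token charset sizes in hashcat-style mask notation (assumed convention).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def parse_mask(mask: str) -> list[int]:
    """Return the number of options at each position of a mask.

    '?u?l?l?l?l?d?d' -> [26, 26, 26, 26, 26, 10, 10]; a literal character
    such as the '-' in '?d?d-?d?d' contributes exactly one option.
    """
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)  # literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        token = mask[i + 1]
        if token == "?":
            sizes.append(1)  # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[token])
        else:
            raise ValueError(f"unknown mask token ?{token}")
        i += 2
    return sizes


def keyspace(mask: str) -> int:
    """Total number of candidates the mask describes."""
    return prod(parse_mask(mask))


def guesses_allowed(window_seconds: int, attempts_per_window: int,
                    horizon_seconds: int) -> int:
    """Online guesses a lockout policy permits against ONE account over a horizon,
    assuming the attacker waits out every lockout window."""
    return (horizon_seconds // window_seconds) * attempts_per_window


def lockout_coverage(mask: str, window_seconds: int, attempts_per_window: int,
                     horizon_seconds: int) -> float:
    """Fraction (0.0..1.0) of the mask keyspace reachable under the lockout policy.
    Values at or near 1.0 mean the lockout alone does not protect that format."""
    allowed = guesses_allowed(window_seconds, attempts_per_window, horizon_seconds)
    return min(1.0, allowed / keyspace(mask))


if __name__ == "__main__":
    policy = dict(window_seconds=15 * 60, attempts_per_window=5,
                  horizon_seconds=30 * 24 * 3600)  # 5 tries / 15 min, for 30 days
    for m in ("?u?l?l?l?l?d?d", "?d?d?d?d"):
        print(m, keyspace(m), f"{lockout_coverage(m, **policy):.2%}")
```

The numbers make the policy trade-off concrete: a four-digit PIN is fully covered by an ordinary lockout within a month, while the seven-character mask from the cheat-sheet is not. The same function can be used to compare lockout settings before rolling them out.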
Wordlists
- Start small + high-probability; expand iteratively.
- Apply mangling rules: case flips, suffixes, separators.
- Deduplicate and sort by likelihood to save time.
Hash Basics
- Identify: MD5/SHA-1/2, bcrypt, scrypt, Argon2, PBKDF2.
- Salt everything; prefer slow KDFs (bcrypt/Argon2id).
- Storage: $id$params$salt$hash style formats are common.
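To make the "identify, salt, slow KDF, $id$params$salt$hash" bullets concrete, here is an added Python example (written for this page, not part of the course materials). It recognises unsalted hex digests by width, maps common $id$ prefixes to scheme names, splits a PHC/modular-crypt string into its fields (bcrypt's fused salt+hash is split by position), and then stores and verifies a password with a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library. The "$pbkdf2-sha256$i=N$salt$hash" layout is this example's own encoding, not a library's; the argon2 string in the test is a constructed sample.

```python
import base64
import hashlib
import hmac
import os
import re

# Unsalted hex digests are recognisable by width alone; none of them is a
# suitable password hash, because there is no salt and no work factor.
HEX_DIGEST_NAMES = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

# '$id$' prefixes of modular-crypt / PHC-style strings.
PREFIX_NAMES = {
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "argon2i": "Argon2i", "argon2d": "Argon2d", "argon2id": "Argon2id",
    "5": "sha256crypt", "6": "sha512crypt",
    "pbkdf2-sha256": "PBKDF2-HMAC-SHA256",  # id used by this example's own strings
}


def identify(stored: str) -> str:
    """Name the scheme of a stored credential string, or 'unknown'."""
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_DIGEST_NAMES:
        return f"{HEX_DIGEST_NAMES[len(stored)]} (unsalted hex digest)"
    if stored.startswith("$"):
        scheme_id = stored.split("$")[1]
        return PREFIX_NAMES.get(scheme_id, f"unknown (${scheme_id}$)")
    return "unknown"


def parse_phc(stored: str) -> dict:
    """Split '$id[$v=N][$params]$salt$hash' into fields.
    bcrypt is the odd one out: after '$2b$cost$' the 22 salt characters are
    fused to the 31-character hash, so they are separated by position."""
    fields = stored.split("$")[1:]
    scheme_id, rest = fields[0], fields[1:]
    if scheme_id in ("2a", "2b", "2y"):
        cost, blob = rest
        return {"id": scheme_id, "version": None, "params": {"cost": cost},
                "salt": blob[:22], "hash": blob[22:]}
    salt, digest = rest[-2], rest[-1]
    version, params = None, {}
    for middle in rest[:-2]:
        if middle.startswith("v=") and "," not in middle:
            version = middle[2:]
        else:
            params = dict(kv.split("=", 1) for kv in middle.split(","))
    return {"id": scheme_id, "version": version, "params": params,
            "salt": salt, "hash": digest}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")  # no padding: keeps '=' out of fields


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow hash in a PHC-style string (this example's own layout).
    16 random salt bytes per password: identical passwords give different strings."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256$i={iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    rec = parse_phc(stored)
    if rec["id"] != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {rec['id']}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             _unb64(rec["salt"]), int(rec["params"]["i"]))
    return hmac.compare_digest(dk, _unb64(rec["hash"]))


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(identify(record), parse_phc(record)["params"], verify_password("correct horse battery", record))
```

Two checks worth keeping from this when reviewing a real system: a stored value that identifies as a bare hex digest is a finding on its own (no salt, no cost), and the work factor should live inside the stored string so it can be raised per record over time without a flag day.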
MFA Pitfalls
- Push fatigue → add rate-limit & number-matching.
- SMS fallback → offer app/FIDO first; geo & risk checks.
- Session hardening → short tokens, binding, re-auth for critical actions.
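The push-fatigue bullet names two controls, a rate limit and number matching; the Python below is an added example of both working together (it is this page's illustration, not code from the course or from any authenticator vendor). A prompt is only issued while the user is under a per-window cap, each prompt carries a two-digit number that is displayed on the login screen only, and approval succeeds just once, within the prompt's lifetime, and only when the number typed into the authenticator matches. The class name, limits and injectable clock are this example's own choices.

```python
import secrets
import time
from collections import deque


class PushMfaGuard:
    """Issue push prompts with a per-user rate limit and number matching.

    A blind tap on 'Approve' (the push-fatigue failure) does not succeed here
    because the approver must also type the number shown on the login screen,
    which an attacker who only triggered the push never sees.
    """

    def __init__(self, max_prompts=3, window_seconds=600, ttl_seconds=60,
                 clock=time.monotonic):
        self.max_prompts = max_prompts  # prompts allowed per user per window
        self.window = window_seconds
        self.ttl = ttl_seconds          # how long a prompt stays approvable
        self.clock = clock              # injectable for tests
        self._sent = {}                 # user -> deque of prompt timestamps
        self._pending = {}              # prompt_id -> (user, number, expires_at)

    def request_push(self, user):
        """Return (prompt_id, number) to show on the login screen, or None when
        the user is over the rate limit (caller should stop and raise an alert)."""
        now = self.clock()
        recent = self._sent.setdefault(user, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_prompts:
            return None
        recent.append(now)
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit matching challenge
        self._pending[prompt_id] = (user, number, now + self.ttl)
        return prompt_id, number

    def approve(self, prompt_id, typed_number):
        """Authenticator-side approval: single use, time-boxed, number must match."""
        entry = self._pending.pop(prompt_id, None)  # pop: a prompt is consumed on first use
        if entry is None:
            return False
        _user, number, expires_at = entry
        if self.clock() > expires_at:
            return False
        return typed_number == number


if __name__ == "__main__":
    guard = PushMfaGuard()
    issued = guard.request_push("alice")
    prompt_id, shown = issued
    print("login screen shows", shown, "-> approve:", guard.approve(prompt_id, shown))
```

Returning None from request_push rather than silently queuing more prompts is the point of the rate limit: a burst of denied requests for one account is also the signal your detection pipeline should alert on.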
Credential Hygiene
- Unique passphrases; manager-based storage.
- 12+ chars; prefer passphrases; avoid reuse.
- Monitor breaches; rotate only when exposed.