3

I came across a site that had a password strength meter. I tried using 'password' and the meter did not like my password. Then I happened to try 'password' but used the Arabic translation of 'a' for the 'a' in 'password' (can't post the letter). I noticed the meter said strong/best, which is a bad password policy because it's just a different letter/symbol. (FYI I was bug hunting.)

This got me thinking about it actually being a good password policy, because I realized not many brute-forcing tools include other languages' symbols/letters.

My question is: would most brute-force scripts/programs be able to guess my password?

Peter
  • 35
  • 3
  • Just a reminder for everyone - Password testing websites can be a good educational toy (if they're implemented well), but you shouldn't trust them with your real passwords for the same reason you shouldn't trust wallet inspectors. – Numeron Oct 18 '17 at 23:10

1 Answer

2

Yes. In offline attacks, any password-cracking software that either treats inputs as raw bytes or can handle UTF-8 natively can handle wordlists and some rules/appending using multibyte characters.

For pure brute-force attacks, options are a little more limited, but it's still possible. My answer here describes how to use multibyte brute force with hashcat. That answer was a German-specific walkthrough of Rurapenthe's method. His post demonstrates an Arabic-specific approach.

Royce Williams
  • 9,128
  • 1
  • 31
  • 55
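The two approaches the answer describes (a wordlist with a substitution rule, and a byte-level mask attack where each 2-byte UTF-8 letter occupies two mask positions) as an added, runnable illustration. This is example code written for this page, not code from the answerer or from hashcat. It assumes an unsalted SHA-256 hash, assumes the substituted letter was Arabic alef (U+0627), and uses a constructed sample of ten Arabic letters rather than a full alphabet.

```python
"""Why swapping a Latin letter for an Arabic one does not defeat an offline cracker.

Added example (not from the original post).  Assumptions not stated in the
post: unsalted SHA-256, the swapped letter is Arabic alef (U+0627), and
ARABIC_SAMPLE is a constructed subset of the alphabet, not the whole thing.
"""
import hashlib

# Constructed sample: alef variants and the next few letters of the alphabet.
# Every one of them is 2 bytes in UTF-8 (lead byte 0xD8 + continuation byte),
# which is why a raw-byte mask attack must spend two positions per letter.
ARABIC_SAMPLE = "\u0627\u0623\u0625\u0622\u0628\u062a\u062b\u062c\u062d\u062e"
SUBSTITUTES = "a" + ARABIC_SAMPLE   # the Latin 'a' plus every Arabic candidate


def sha256_hex(candidate: bytes) -> str:
    return hashlib.sha256(candidate).hexdigest()


def hashcat_hex_charsets(chars: str) -> dict:
    """Derive the pieces of a hashcat --hex-charset mask for 2-byte UTF-8 letters.

    Custom charset 1 holds the distinct lead bytes, custom charset 2 the distinct
    continuation bytes, and the mask fragment ?1?2 stands for one letter.  The
    cross product ?1?2 also yields byte pairs that are not in `chars`; that only
    costs extra candidates, it never misses one.
    """
    lead, trail = set(), set()
    for ch in chars:
        b = ch.encode("utf-8")
        if len(b) != 2:
            raise ValueError(f"{ch!r} is not a 2-byte UTF-8 character")
        lead.add(b[0])
        trail.add(b[1])
    return {
        "-1": "".join(f"{x:02x}" for x in sorted(lead)),
        "-2": "".join(f"{x:02x}" for x in sorted(trail)),
        "fragment": "?1?2",
    }


def rule_substitute(word: str, src: str, subs: str) -> list:
    """Wordlist + rule: emit `word` with every `src` replaced by each candidate.

    Candidates are emitted as raw UTF-8 bytes, so a multibyte letter is handled
    exactly like an ASCII one; nothing in the cracker needs to know Arabic.
    """
    return [word.replace(src, s).encode("utf-8") for s in subs]


def mask_bruteforce(prefix: bytes, suffix: bytes, charset: str, target_hex: str):
    """Byte-level mask attack with one variable position: prefix + ?X + suffix."""
    for ch in charset:
        cand = prefix + ch.encode("utf-8") + suffix
        if sha256_hex(cand) == target_hex:
            return cand
    return None


def crack(target_hex: str):
    """Cheap rule pass over the wordlist first, then the mask pass."""
    for cand in rule_substitute("password", "a", SUBSTITUTES):
        if sha256_hex(cand) == target_hex:
            return cand
    return mask_bruteforce(b"p", b"ssword", SUBSTITUTES, target_hex)


if __name__ == "__main__":
    victim = "p\u0627ssword"          # 'password' with Arabic alef in place of 'a'
    target = sha256_hex(victim.encode("utf-8"))
    print(hashcat_hex_charsets(ARABIC_SAMPLE))
    print(crack(target))
```

The dictionary returned by `hashcat_hex_charsets` maps onto hashcat's own mask syntax: with `--hex-charset`, the `-1` and `-2` values become the two custom charsets and `?1?2` is placed in the mask wherever one Arabic letter is expected (so `p?1?2ssword` for the password above). The cost of the mask pass is the product of the two charset sizes per letter, which for a single substituted position is a few dozen candidates, not a harder search than the Latin original.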