0

I'm trying to generate a password list of 10 character passwords containing only a combination of 3 - 6 numbers and 3 - 6 uppercase letters.

I see option -d which allows a set limit of duplicates of individual characters but I'm looking for an option that applies this to an entire character type/set.

I don't want to generate 10 character combinations that have less than 3 numbers or uppercase letters or more than 6 numbers or uppercase letters.

For the sake of clarity:

Accepted: HAA6A51GQI 1JAK6195G1 8QLLLLA328

Unwanted: ALQBZFT2GA 1652B547B6 ASH6UEWVH6

Might this be possible in crunch or any other software?

Edward
  • 3
  • 2
  • Is `crunch` the only difference between this and your [other question](https://security.stackexchange.com/q/209693/151903)? As has already been pointed out, that's way too large of a password list to store. It will be many, many terabytes in size. – AndrolGenhald May 08 '19 at 19:17
  • 3
    Possible duplicate of [Generating passwords with rule: the contents within a 10 characters string must maintain a certain ratio of numbers and letters in no particular order](https://security.stackexchange.com/questions/209693/generating-passwords-with-rule-the-contents-within-a-10-characters-string-must) – AndrolGenhald May 08 '19 at 20:03
  • I'm not talking about storing the password list, just wanting to know I would go about creating such a password list – Edward May 08 '19 at 21:01
  • Try my script and then run: `awk '!seen[$0]++' passes.txt` to remove duplicates. – leaustinwile May 08 '19 at 21:02
  • 1
    @Edward Fair enough, but what purpose would this list have besides for cracking passwords? I just don't see how this is different from the other question. – AndrolGenhald May 08 '19 at 21:05

1 Answers1

1

I don't know how to do it in crunch, but I just wrote a python script for you that will do it.

from random import shuffle, randint
from sys import argv

charset = ['A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','8','9']

if __name__ == "__main__":
    if len(argv) < 2:
        print("Error: please use like this:\npython rand_pass.py <number_of_passwords>")
    else:
        num_pass = argv[1]
        passes = []
        counter = 0
        while counter < int(num_pass):
            num_chars = 0
            num_nums = 0
            passwd = ""
            i = 0
            while len(passwd) < 10:
                c = charset[randint(0,len(charset)-1)]
                if num_nums < 6 and c.isnumeric():
                    num_nums += 1
                    passwd += c
                elif num_chars < 6 and not c.isnumeric():
                    num_chars += 1
                    passwd += c
                i += 1
            passes.append(passwd)
            print(passwd)
            counter += 1

Usage: python file_name_gen_pass.py <number_of_pass_to_generate>

It will generate num_pass passwords randomly via a list shuffle and tracking the number of chars/nums. You can refine it probably to reduce false positives but it if you are just doing some baseline brute force testing this should be sufficient to prove your point to a stakeholder.

Edit: Wrote a C++ implementation for you to appease everyone :)

#include <iostream>
#include <vector>
#include <random>
#include <string>

const char charset[] = {'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','8','9'};
int main()
{

    std::cout << "Please enter the number of passwords to generate here: ";
    int num_pass;
    std::cin >> num_pass;
    std::random_device dev;
    std::mt19937_64 rng(dev());
    std::vector<std::string> passwds;
    std::uniform_int_distribution<std::mt19937_64::result_type> dist(0, sizeof(charset) - 1);

    for (int i = 0; i < num_pass; ++i) {
        std::string pass = "";
        int num_nums = 0, num_chars = 0;
        while (pass.length() < 10) {
            char c = charset[dist(rng)];
            if (isdigit(c) && num_nums < 6) {
                pass += c;
                num_nums++;
            }
            else if (isalpha(c) && num_chars < 6) {
                pass += c;
                num_chars++;
            }
        }
        passwds.push_back(pass);
        std::cout << pass << std::endl;
    }
    std::cin.get();
}

Just run it, enter the amount of passwords to generate and it'll fire off. It's pretty fast for small amounts. Just run it like so: gen_pass.exe > pass.txt

Then open that file and remove the first line and run this command: awk '!seen[$0]++' script.py

leaustinwile
  • 366
  • 1
  • 8
  • This doesn't allow for duplicate letters, which OP wants. It's also likely to be orders of magnitude slower than an efficient C implementation, which itself is much slower than mutating passwords on a GPU. – AndrolGenhald May 08 '19 at 20:03
  • Added support for duplicate characters. I know it's going to be slower than C, my point was to provide something to solve his problem in the interim, I don't intend for it to be fast. – leaustinwile May 08 '19 at 20:34
  • Generating passwords at random also means that as soon as a significant portion of the password space is covered, duplicates become extremely likely, and many orders of magnitude more passwords have to be generated to fully cover the password space. This simply isn't what the question is asking for. – AndrolGenhald May 08 '19 at 20:59
  • Well, it's better than your solution. :) – leaustinwile May 08 '19 at 21:00
  • Personally, I won't be appeased until you write a version in machine code :P – Cowthulhu Jun 07 '19 at 21:08
  • Lmao, seems that's how most mods here feel. Especially @schroeder, he really doesn't like me. – leaustinwile Jun 08 '19 at 05:29
  • @Cowthulhu I almost feel obliged to try just for the hell of it. – leaustinwile Jun 08 '19 at 05:30