Two days felt like a long time, so we found a cloud server with 16 cores we could use. We guessed on the threads and were able to run it at an average of 90% utilization (and it seems to use all the cores). The initial projection was 14 hours so it seemed better, but this morning it had moved on to the next iteration where it would try something like 85 trillion variations and was estimated at 55 days. It could find it five minutes later, or perhaps never, 55 days is a long time to wait. I had left mine running, though that included some time with the laptop in hibernate, here’s one status report:

I went back and did what I should have done to start with, a quick test with a password of “test” and that did indeed work fine, breaking it to clear text in about 25 seconds. Hashcat has a ton of options, but the command line syntax can be fussy and it’s definitely not easy to figure out which settings to use – some experimentation would see worthwhile. All documentation is online at the Hashcat Wiki. While reading that I saw a note about a GUI, just the thing for a beginner. After following the trail through a few links I wound up at http://www.hashkiller.co.uk/hashcat-gui.aspx. I downloaded and ran the exe, resulting in this:

It helps decipher the settings some and if you click on the “commands” tab you get the command line syntax to run it based on what you’ve set in the UI.

I suspect any hacker has a GPU, but without it I think my  only chance is to try to tweak the mode (“brute force”, “permutation”, etc) and something as simple as setting the limit of the length to something too small could cause it to miss, and that feels like more work than I want to do. I’m going to give it a try on a machine at home when I get time, set up an easy, medium, hard password and see how it goes.