Windows Password Recovery - GPU dictionary attack

Oftentimes, when creating passwords, users add certain characters at the beginning, end or even middle of a word. To recover passwords of this specific kind, we have come up with a GPU-based dictionary attack, which is something between a simple dictionary attack and a brute-force attack.

This attack works as follows:

  • The program reads the first word from the dictionary.
  • Using the defined character set and the minimum/maximum length of the search range, it generates all possible variants.
  • Those variants (character sequences) are then added to the beginning, end or middle of the word. You can specify the positions within the word where the generated sequences are inserted.
  • The program then moves on to the next dictionary word, and so on.

For example, if we specify a search character range between 0 and 9 and a range length between 1 and 2, the program will generate 100 combinations: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 .. 99. These sequences will then be added to the beginning, middle or end of the word. Thus, for the word test, if the sequences are inserted at every listed position, the program will check the following passwords:
0test, 1test .. 99test
t0est, t1est .. t99est
te0st, te1st .. te99st
tes0t, tes1t .. tes99t
test0, test1 .. test99
Total - 100*5=500 variants.

Let's take a closer look at the attack settings.


On the Dictionaries tab, you can specify the list of dictionaries to be used in the attack. The program supports text wordlists in the following formats: ASCII, UNICODE, UTF8, RAR, ZIP, as well as encrypted/packed dictionaries in the native PCD format, developed by our company. To deactivate a dictionary, simply clear the check box by its name. The dictionary then remains on the list but is ignored by the attack. The software comes with the default 400000-word dictionary. You can order the full set of dictionaries, which is over 7.5 GB in size, on CD or take advantage of our dictionaries available online.

Search range

On this tab, you set up the range of characters to be inserted into base words, along with its minimum and maximum length. When setting up a range, you can use the existing templates or, after selecting the respective check box, define your own. When selecting the maximum range length, keep in mind that a value that is too wide or too small is inadvisable. In the first case the password search speed may drop to 0, while too narrow a range of characters raises the overhead, because the computing power of the GPU is used inefficiently.

In the second group of options, specify the positions in the word where the characters of the searched range will be inserted.

Finally, the third group of settings controls preprocessing of the words from the source dictionary. Selecting the As is option makes the program use the source word as is, without converting it to upper or lowercase. The number of passwords to be searched grows in direct proportion to the number of options specified in this group. On the other hand, the program does not check repeated words. For example, the word 12345678, even if all the conversion options are set, will be used only once.

Brute-force range for GPU dictionary attack

The number of passwords to be searched for a single word can be calculated using the following formula:

passwords = R * L * K
R - character range, calculated using the formula: R = charset_length ^ max_length - charset_length ^ (min_length-1) +1
L - positions in word. Calculated as follows: if the insertion is made in the middle of the word, L = password_length - 1 (the length of the source word minus one); then add one if insertion at the beginning is enabled and one more if insertion at the end is enabled.
K - number of options specified in the group 'Input word utilization'.

For example, suppose the source word is window and the options are specified as shown on the image above, i.e. character range a..z,A..Z,0..9,symbol14,space, insertion to all positions, conversion to lowercase and capitalizing (first letter in uppercase). Let's calculate how many passwords we are going to check for this word:
charset_length = 26+26+10+14+1 = 77
R = 77^4 - 77^0 + 1 = 35153041
L = (6-1) + 1 + 1 = 7
K = 2
passwords = 35153041 * 7 * 2 = 492 142 574
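
As an added example (not code from the product or its vendor), the Python sketch below takes the defender's side: `page_estimate` applies the formula above exactly as the page states it, and `find_base_word` flags a password that is a wordlist entry with a short inserted run, which is the pattern this attack covers. The wordlist, the function names and the case-folding shortcut are assumptions made for the illustration.

```python
import string

# Constructed sample wordlist; a real audit would load the dictionaries
# the organisation expects to be used against it.
WORDLIST = {"test", "window", "password"}
DIGITS = set(string.digits)


def page_estimate(charset_len, min_len, max_len, word_len,
                  begin=True, middle=True, end=True, k=1):
    """Candidates per source word, using the page's formula R * L * K."""
    r = charset_len ** max_len - charset_len ** (min_len - 1) + 1
    positions = (word_len - 1 if middle else 0) + int(begin) + int(end)
    return r * positions * k


def find_base_word(password, wordlist=WORDLIST, charset=DIGITS,
                   min_len=1, max_len=2):
    """Return (word, position, inserted) if the password is a wordlist entry
    with one run of charset characters inserted somewhere, else None.

    Case is folded before the lookup. That is a superset of the page's
    lowercase / uppercase / capitalize options (assumption: stricter is
    acceptable for a password-policy check).
    """
    n = len(password)
    for run_len in range(min_len, max_len + 1):
        for pos in range(0, n - run_len + 1):
            inserted = password[pos:pos + run_len]
            if not all(ch in charset for ch in inserted):
                continue
            # Remove the candidate run and see whether a dictionary word remains.
            base = (password[:pos] + password[pos + run_len:]).lower()
            if base in wordlist:
                return base, pos, inserted
    return None


if __name__ == "__main__":
    for candidate in ("te99st", "Window7", "correcthorse"):
        print(candidate, "->", find_base_word(candidate))
    print("window keyspace:", page_estimate(77, 1, 4, 6, k=2))
```

A password that `find_base_word` matches lies inside the per-word search space that `page_estimate` sizes, so a password filter can reject it at creation time.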

Online dictionaries

On the third tab, you can download source wordlists for the attack. The program uses an internal wordlist (400000+ words) by default.

Online wordlists

GPU settings

Before you can use a GPU in the attack, you must first select it in the respective item of the main menu.


GPU configuration is pretty simple and consists of only two settings:

  1. The number of parallel thread blocks on the graphics card in which passwords are searched. Typically, each block consists of 256 threads. Thus, if you set the number of blocks to 256, the GPU will run 256*256=65536 threads. The total number of passwords checked in one call to the GPU kernel will be 256*ThreadBlocks*PasswordsPerThread. In our case, 256*256*1000 = 65 536 000 passwords. Setting ThreadBlocks lower than 256 on modern graphics cards leads, in the majority of cases, to performance degradation.

  2. The number of passwords to be searched by a single thread. The greater the value, the lower the overhead associated with launching threads, and the higher the search speed. However, setting too great a value may hang the computer or cause significant fluctuations in the current search speed displayed on the attack status tab. This happens because the task completion time on the GPU exceeds the time required for refreshing the current state of the attack.

Depending on the options you have specified, a proper choice of GPU settings can drastically, often by several times, increase the password search speed. Every time you change an option on the first two tabs, we recommend experimenting with the GPU settings to achieve maximum utilization.