Optimizing Hashcat: Using Vowel and Non-Vowel Frequency Patterns to Crack Passwords Faster

In Cybersecurity, we crack passwords. It’s good practice not to save a password in a database as plaintext, instead it’s saved as a hash. Hashing transforms plain text into a unique string of characters. This adds an extra layer of security to protect the password in database breaches. For example, the word “password” using the MD5 algorithm is “5f4dcc3b5aa765d61d8327deb882cf99”. I use a tool for advanced password cracking called Hashcat.

There are a couple ways of cracking passwords, a dictionary attack is the most common. This is where a large word list of millions / billions of common words or known passwords are checked. Another method is brute forcing, which is trying every possible combination. The longer the password, the more time it takes to run a brute force attack. For instance, to check every possible character (lowercase, uppercase, digits, special symbols — 95 total characters) it would take 4 years, 148 days! This is why it’s important to have a long password, more so than complexity.

I had a realization that changed how I think about brute-force attacks. Since almost every word has vowels, it makes more sense to check each position by focusing on vowels and non-vowels based on their frequency, instead of blindly testing all possible characters. I gathered a wordlist of 400,000 words from the dictionary and analyzed them based on word lengths. For example, by categorizing letters as ’n’ for non-vowels and ‘v’ for vowels, I found that the most common pattern among all 8-letter words in the dictionary (57,967 in total) was [n][v][n][n][v][n][v][n], appearing in 8.47% of cases.

If I were to brute force all lower-case letters in an 8-letter word, 268 would total 208 B total combinations. If I were to use my method by using vowels and non-vowels positions based on popular patterns, it reduced it to 4 M total combinations (21⁵ + 5³) instead of (26⁸). Using a NVIDIA RTX 5080 it reduces the time from 1 hour, 12 minutes to 10 seconds! Granted you will not only run 1 pattern, you will want to run multiple patterns. However, this reduces the total time spent focusing on common word patterns.

Introducing a new vowel frequency pattern tool

I created https://www.vowelfreq.com for my own personal use but decided to make it public for others in Cybersecurity to use. I also made several custom charsets you can use https://www.vowelfreq.com/custom_charsets.

Based on my research, the vowel frequency in order from most frequent to least is eaoiu. The same for non-vowels, tnshrdlcmfwygpbvkqjxz. By using these charsets you are more likely to crack known / common words faster. You can also eliminate the last 5 or so characters, i.e. tnshrdlcmfwygpbv, to speed up your cracking session.

Another charset I created is the leetspeak charset for vowels, e3a4o0i1u. This checks if the password used known numbers to represent letters.

I also added my github repository link so that you can analyze your own data from a wordlist https://github.com/diGiCTF/vowelfreq.