On Tue, Nov 12, 2013 at 6:08 PM, brian carroll wrote:

... yet what if the passwords 'length' were not the issue, such that a 20 character string (of several number.words with several intermixed special characters) could still be successfully attacked, given those limited parameters.

this summer oclHashCat-plus got an upgrade (experimental) for support to 64 characters of search space (55 or more depending on algo). obviously this length implies a more intelligent / direct search through the key space, which, if limited to a much smaller character set, becomes practically attack-able... in fact, optimizing the path of a dict cruncher like oclHashCat or Hashkill for best performance against a particular target set is an enjoyable art unto itself ;)