Royce W.

Professional Password Auditing

As an experienced password cracker, I provide efficient, in-depth, and securely managed password audits. My reports are clear, detailed and actionable, showing you exactly what a motivated attacker can do, and what you can do to counter them.

My ideal customers include:
* Teams who need to provide a compensating control for SOX, PCI, and similar frameworks
* Teams who want to test how well their password policies stand up against a real-world adversary (instead of a "run hashcat and walk away" audit)
* Red teams and pen-testing teams who want to "up their game" and get more cracks faster per campaign

Methodology: I will use your existing secure file-transfer system to receive your hashes (or I will provide one). Your hashes will be temporarily stored in a dedicated encrypted LUKS volume, which is either destroyed immediately after the engagement, or retained offline for up to 30 days at your request at no additional charge. At your preference, I will either analyze the discovered plaintext passwords for the report, or suppress recording plaintexts entirely and only report which users' passwords were discoverable.

Fees: I charge only for my interactive password cracking time, not wall-clock time. There is also a nominal pro-rated fee to reserve hardware capacity.

Reporting: The report will include statistics, observations, and specific advice to move your organization's password game forward, based on the psychology of your specific recovered passwords (unless you requested that they be suppressed). Please let me know in advance if you have specific reporting goals.

Tools: Tools used include hashcat, PRINCE, MDXfind, John the Ripper, PACK, and custom scripting.

Hash safety: Do not send unsolicited hashes. Do not send hashes until work terms are finalized. Do not use Upwork's messaging system (which is immutable!) to send hashes, unless you are authorized to accept the risk of Upwork having your hashes forever.

Restrictions: Results vary based on hash type, list size, depth of analysis, complexity requirements, generation methodology, and turnaround time. Specialized targets are negotiable, but individual targets cannot be guaranteed. Randomly generated passwords of non-trivial length are out of scope, because math. Offline attacks on verified, authorized hashes only. I do not perform online password auditing, especially not for third-party platforms (Facebook, Instagram, Gmail, Twitter, etc.). Verification of your identity, and proof that you are authorized to have the hashes cracked, are required. bcrypt hashes are a specialty, but due to their slow nature, results may be limited. I enjoy my work, and will bring my best game to you.
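The reporting step described above (join cracked plaintexts back to accounts, derive statistics, and optionally suppress plaintexts so only discoverable users are named) is easy to get wrong in small ways, such as splitting a potfile line on every colon or counting per unique password instead of per account. The script below is an added example, not the auditor's own tooling: it takes a constructed secretsdump-style NTLM dump and a constructed hashcat potfile (the hashes are placeholder hex, not real NT hashes), builds a report dictionary, and shows one observation that needs no cracking at all, namely that accounts sharing an identical NT hash share a password.

```python
"""Audit report builder: joins a user:hash dump with hashcat potfile output.
Added example; sample data below is constructed and the hashes are placeholders."""
import string
from collections import Counter

# LM hash of the empty password: appears when LM storage is disabled (ignored here).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed secretsdump-style dump: user:rid:lmhash:nthash:::
DUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0f5d1f2e3a4b5c6d7e8f9a0b1c2d3e4f:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:1a2b3c4d5e6f708192a3b4c5d6e7f809:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:0f5d1f2e3a4b5c6d7e8f9a0b1c2d3e4f:::
dave:1004:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
erin:1005:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

# Constructed hashcat potfile lines: hash:plaintext (erin's hash was not cracked).
POTFILE = """\
0f5d1f2e3a4b5c6d7e8f9a0b1c2d3e4f:Summer2020!
1a2b3c4d5e6f708192a3b4c5d6e7f809:password1
ffeeddccbbaa99887766554433221100:Corp#2019
"""


def parse_dump(text):
    """Return {user: nthash}; skips malformed lines and machine accounts (trailing $)."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0] or parts[0].endswith("$"):
            continue
        users[parts[0]] = parts[3].lower()
    return users


def parse_potfile(text):
    """Return {hash: plaintext}. Split on the FIRST colon only: plaintexts may contain ':'."""
    pot = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, pw = line.split(":", 1)
        pot[h.strip().lower()] = pw
    return pot


def hashcat_mask(pw):
    """Render a plaintext as a hashcat mask (?l ?u ?d ?s, ?b for non-ASCII)."""
    out = []
    for ch in pw:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        elif 32 <= ord(ch) <= 126:
            out.append("?s")
        else:
            out.append("?b")
    return "".join(out)


def meets_complexity(pw, min_len=8):
    """Windows-style complexity: min length plus 3 of 4 character classes (assumed policy)."""
    classes = sum((
        any(c.islower() for c in pw), any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))
    return len(pw) >= min_len and classes >= 3


def build_report(dump_text, pot_text, suppress_plaintexts=False):
    """Per-account statistics; with suppress_plaintexts only user names are reported."""
    users = parse_dump(dump_text)
    pot = parse_potfile(pot_text)
    cracked = {u: pot[h] for u, h in users.items() if h in pot}

    # Identical NT hashes mean identical passwords: reuse is visible without cracking.
    by_hash = {}
    for u, h in users.items():
        by_hash.setdefault(h, []).append(u)
    reuse_groups = sorted(sorted(g) for g in by_hash.values() if len(g) > 1)

    return {
        "total_users": len(users),
        "cracked_users": sorted(cracked),
        "crack_rate": len(cracked) / len(users) if users else 0.0,
        "reuse_groups": reuse_groups,
        # Counted per account, not per unique password, so reuse weights the stats.
        "length_counts": dict(Counter(len(p) for p in cracked.values())),
        "mask_counts": dict(Counter(hashcat_mask(p) for p in cracked.values())),
        "policy_compliant_but_cracked": sum(meets_complexity(p) for p in cracked.values()),
        "plaintexts": None if suppress_plaintexts else dict(cracked),
    }


if __name__ == "__main__":
    for key, value in build_report(DUMP, POTFILE, suppress_plaintexts=True).items():
        print(f"{key}: {value}")
```

The "policy_compliant_but_cracked" figure is the one most worth putting in front of a policy owner: in the sample, three of four cracked accounts satisfy a typical three-of-four-classes rule, which illustrates why complexity requirements alone are a weak proxy for resistance to a real cracking campaign. In suppressed mode the plaintexts never leave the function, so the report can name affected users and still honour the no-plaintext option.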
  • FreeBSD
  • DNS
  • Marketing Audit
  • Email Security
  • Penetration Testing


Endorsements from past clients

"I've relied on Royce's expertise in password cracking for a number of years. He does amazing work and has been a huge asset for our organization. His attention to detail and security focus is top notch."

Scott S. | Cybersecurity Consultant
Password Audit (Corporate NTLM)
Apr 2020