Tuesday, October 16, 2012

John the Ripper rules!

And I mean that both as a verb and as a noun. For those who don't know, John the Ripper is a password cracking program. It supports various formats natively and the community-enhanced version brings it to an insane level.

It can run attacks based on the login name itself, on a wordlist with variations (called "rules") and, as a last resort, by brute force.

Here are a few rules I usually add:

# Try with 2 prefixing digits
l ^[0-9]^[0-9]
# Try prefixing with possessives
l A0"My"
l A0"Your"
l A0"His"
l A0"Her"
l A0"Our"
l A0"Their"
# Try with 1, 2, 3 and 4 digits at the end, and the same with punctuation
# ("-" is escaped as "\-" so that "*-_" is not read as a character range)
l $[0-9]
l $[0-9]$[0-9]
l $[0-9]$[0-9]$[0-9]
l $[0-9]$[0-9]$[0-9]$[0-9]
l $[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
# Try with 1 or 2 digits and 2 punctuation symbols
l $[0-9]$[(){},?;.:/=+<>%$*\-_]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]$[(){},?;.:/=+<>%$*\-_]
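
To see what one rule line costs per wordlist entry, and why a "-" between "*" and "_" inside a list matters, here is an added example (not John's code and not from the original post): a simplified Python model of the bracket preprocessor and of the four commands used above (l, ^X, $X, A0"STR"). Its function names and the sample word are assumptions made for illustration.

```python
import itertools
import re

def expand_list(body):
    """Expand the text between [ and ] into its unique characters, in order."""
    chars, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):              # \x is a literal x
            chars.append(body[i + 1]); i += 2
        elif body[i] == "-" and chars and i + 1 < len(body):   # a-b is a range
            lo, hi = ord(chars.pop()), ord(body[i + 1])
            chars.extend(chr(n) for n in range(lo, hi + 1)); i += 2
        else:
            chars.append(body[i]); i += 1
    return list(dict.fromkeys(chars))                          # drop duplicates

def preprocess(line):
    """Return every concrete rule that a line containing [..] lists stands for."""
    parts = re.split(r"\[(.*?)\]", line)     # odd indexes are list bodies (no "]" inside)
    opts = [expand_list(p) if k % 2 else [p] for k, p in enumerate(parts)]
    return ["".join(p) for p in itertools.product(*opts)]

def apply_rule(rule, word):
    """Apply one concrete rule; only l, $X, ^X and AN"STR" are modelled."""
    i = 0
    while i < len(rule):
        c, nxt = rule[i], rule[i + 1:i + 2]
        if c == "l":
            word = word.lower()
        elif c == "$":
            word += nxt; i += 1
        elif c == "^":
            word = nxt + word; i += 1
        elif c == "A":
            end = rule.index('"', i + 3)
            word = word[:int(nxt)] + rule[i + 3:end] + word[int(nxt):]; i = end
        elif c != " ":
            raise ValueError(f"unsupported command {c!r}")
        i += 1
    return word

def candidates(line, word):
    return [apply_rule(r, word) for r in preprocess(line)]

if __name__ == "__main__":   # "Summer" is a constructed sample word
    for lst in ("(){},?;.:/=+<>%$*-_", r"(){},?;.:/=+<>%$*\-_"):
        out = candidates("l $[0-9]$[" + lst + "]", "Summer")
        print(len(out), "summer1A" in out, "summer1-" in out)
```

With the unescaped list, "*-_" expands to every character from "*" to "_", so digits and uppercase letters get appended as if they were punctuation and the line produces roughly three times as many candidates per word.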

If you have your own killer rules, feel free to drop the URL in the comment section.