December 11, 2015 By Douglas Bonderud

Password recovery and cracking tool Hashcat has made the jump to open source, according to SC Magazine. Creator Jens “Atom” Steube said the move will help penetration testers and other security pros who like how the software works but can’t reveal the changes they need to make because of nondisclosure agreements (NDAs). Here’s a look at Hashcat’s new prowling grounds, and what the transition means for both IT pros and password security.

Password Recovery Isn’t Exactly Safe

Passwords are the gateway to a host of online data — everything from email accounts to financial information and even bitcoin balances. It’s no wonder, then, that attackers are willing to spend so much time and effort cracking user accounts. Of course, these cybercriminals prefer the easiest route possible, meaning there’s always a market for new and better password-hacking tools.

Consider Brainflayer, developed by security researcher Ryan Castellucci, which is designed to crack brain wallets associated with bitcoin balances. What’s a brain wallet? In theory, it’s a well-defended cryptovault locked by hashed passphrases that cybercriminals find exceedingly hard to guess. As Castellucci discovered, however, humans aren’t great at randomizing their passphrases, making it possible to create a tool that generates passcodes, hashes them and then tests them against the bitcoin blockchain.

As noted by Tom’s Guide, there’s also the work of two Spanish researchers who recently cracked password management tool LastPass, making it possible for users to lose not just one password, but every password they stored in one fell swoop.

Enter Hashcat. This is designed to help security pros recover passwords and prepare for potential cyberthreats. While the move to open source offers improved customization, does it also open the door for malicious actors?

Apocalypse Meow?

According to ZDNet, Hashcat creator Steube announced the move to open source on Dec. 4 via Twitter. And not surprisingly, it was done using an MD5 hash. Steube acknowledged that while open source had been on the radar for both Hashcat and oclHashcat, it first required the creation of an open interface with a generic hashtag, which permits researchers to modify the tool easily and plug in their own code.

The GitHub community was understandably excited since the tools support CPU and GPU cracks, and an MIT license will allow Hashcat integration with many Linux distributions; a Kali Linux package is also being developed. While there’s no way to get the password recovery tool directly onto Apple systems, going open source lets developers compile kernels using Apple protocols and effectively jump the barrier. Eventually, Steube plans to merge the two projects into a single Hashcat.

The value of Hashcat as open source is a matter of perspective. From the view of researchers and security pros, the ability to manipulate the tool as needed without having to give up sensitive data means better penetration testing and a better chance of warding off future cyberthreats. For those focused on the already-insecure nature of passwords, this move adds yet another extremely popular password cracker to the toolbox of motivated attackers.

In Steube’s view, the danger is minimal since, as SC Magazine quoted, “there’s no hidden or secret stuff that could help their attacks. Everything that you’ll find in the source is already known and used by other projects that do exactly the same as Hashcat does.”

Simply put, bad guys already have access to everything Hashcat does, so this isn’t exactly a world-ending open-source distribution. Just like the public release of exploits and vulnerabilities, however, there’s an underside here: What criminals know can hurt IT security.

The Hashcat password recovery tool is now open source. By and large, expect the move to improve back-end security. But as with any tool of this type, good guys aren’t the only ones with access. What’s good for long-term security may also offer short-term cybercriminal gain.
