December 11, 2015 By Douglas Bonderud 3 min read

Password recovery and cracking tool Hashcat has made the jump to open source, according to SC Magazine. Creator Jens “Atom” Steube said the move will help penetration testers and other security pros who like how the software works but can’t reveal the changes they need to make because of nondisclosure agreements (NDAs). Here’s a look at Hashcat’s new prowling grounds, and what the transition means for both IT pros and password security.

Password Recovery Isn’t Exactly Safe

Passwords are the gateway to a host of online data — everything from email accounts to financial information and even bitcoin balances. It’s no wonder, then, that attackers are willing to spend so much time and effort cracking user accounts. Of course, these cybercriminals prefer the easiest route possible, meaning there’s always a market for new and better password-hacking tools.

Consider Brainflayer, developed by security researcher Ryan Castellucci, which is designed to crack brain wallets associated with bitcoin balances. What’s a brain wallet? In theory, it’s a well-defended cryptovault locked by hashed passphrases that cybercriminals find exceedingly hard to guess. As Castellucci discovered, however, humans aren’t great at randomizing their passphrases, making it possible to create a tool that generates passcodes, hashes them and then tests them against the bitcoin blockchain.

As noted by Tom’s Guide, there’s also the work of two Spanish researchers who recently cracked password management tool LastPass, making it possible for users to lose not just one password, but every password they stored in one fell swoop.

Enter Hashcat. This is designed to help security pros recover passwords and prepare for potential cyberthreats. While the move to open source offers improved customization, does it also open the door for malicious actors?

Apocalypse Meow?

According to ZDNet, Hashcat creator Steube announced the move to open source on Dec. 4 via Twitter. And not surprisingly, it was done using an MD5 hash. Steube acknowledged that while open source had been on the radar for both Hashcat and oclHashat, it required the creation of an open interface with a generic hashtag, which permitted easy modification for researchers and their unique code strains.

The GitHub community was understandably excited since the tools support CPU and GPU cracks, and an MIT license will allow Hashcat integration with many Linux distributions; a Kali Linux package is also being developed. While there’s no way to get the password recovery tool directly onto Apple systems, going open source lets developers compile kernels using Apple protocols and effectively jump the barrier. Eventually, Steube plans to merge the two projects into a single Hashcat.

The value of Hashcat as open source is a matter of perspective. From the view of researchers and security pros, the ability to manipulate the tool as needed without having to give up sensitive data means better penetration testing and a better chance of warding off future cyberthreats. For those focused on the already-insecure nature of passwords, this move adds yet another extremely popular password cracker to the toolbox of motivated attackers.

In Steube’s view, the danger is minimal since, as SC Magazine quoted, “there’s no hidden or secret stuff that could help their attacks. Everything that you’ll find in the source is already known and used by other projects that do exactly the same as Hashcat does.”

Simply put, bad guys already have access to everything Hashcat does, so this isn’t exactly a world-ending open-source distribution. Just like the public release of exploits and vulnerabilities, however, there’s an underside here: What criminals know can hurt IT security.

The Hashcat password recovery tool is now open source. By and large, expect the move to improve back-end security. But as with any tool of this type, good guys aren’t the only ones with access. What’s good for long-term security pain may offer short-term cybercriminal gain.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today