December 11, 2015 By Douglas Bonderud 3 min read

Password recovery and cracking tool Hashcat has made the jump to open source, according to SC Magazine. Creator Jens “Atom” Steube said the move will help penetration testers and other security pros who like how the software works but can’t reveal the changes they need to make because of nondisclosure agreements (NDAs). Here’s a look at Hashcat’s new prowling grounds, and what the transition means for both IT pros and password security.

Password Recovery Isn’t Exactly Safe

Passwords are the gateway to a host of online data — everything from email accounts to financial information and even bitcoin balances. It’s no wonder, then, that attackers are willing to spend so much time and effort cracking user accounts. Of course, these cybercriminals prefer the easiest route possible, meaning there’s always a market for new and better password-hacking tools.

Consider Brainflayer, developed by security researcher Ryan Castellucci, which is designed to crack brain wallets associated with bitcoin balances. What’s a brain wallet? In theory, it’s a well-defended cryptovault locked by hashed passphrases that cybercriminals find exceedingly hard to guess. As Castellucci discovered, however, humans aren’t great at randomizing their passphrases, making it possible to create a tool that generates passcodes, hashes them and then tests them against the bitcoin blockchain.

As noted by Tom’s Guide, there’s also the work of two Spanish researchers who recently cracked password management tool LastPass, making it possible for users to lose not just one password, but every password they stored in one fell swoop.

Enter Hashcat. This is designed to help security pros recover passwords and prepare for potential cyberthreats. While the move to open source offers improved customization, does it also open the door for malicious actors?

Apocalypse Meow?

According to ZDNet, Hashcat creator Steube announced the move to open source on Dec. 4 via Twitter. And not surprisingly, it was done using an MD5 hash. Steube acknowledged that while open source had been on the radar for both Hashcat and oclHashat, it required the creation of an open interface with a generic hashtag, which permitted easy modification for researchers and their unique code strains.

The GitHub community was understandably excited since the tools support CPU and GPU cracks, and an MIT license will allow Hashcat integration with many Linux distributions; a Kali Linux package is also being developed. While there’s no way to get the password recovery tool directly onto Apple systems, going open source lets developers compile kernels using Apple protocols and effectively jump the barrier. Eventually, Steube plans to merge the two projects into a single Hashcat.

The value of Hashcat as open source is a matter of perspective. From the view of researchers and security pros, the ability to manipulate the tool as needed without having to give up sensitive data means better penetration testing and a better chance of warding off future cyberthreats. For those focused on the already-insecure nature of passwords, this move adds yet another extremely popular password cracker to the toolbox of motivated attackers.

In Steube’s view, the danger is minimal since, as SC Magazine quoted, “there’s no hidden or secret stuff that could help their attacks. Everything that you’ll find in the source is already known and used by other projects that do exactly the same as Hashcat does.”

Simply put, bad guys already have access to everything Hashcat does, so this isn’t exactly a world-ending open-source distribution. Just like the public release of exploits and vulnerabilities, however, there’s an underside here: What criminals know can hurt IT security.

The Hashcat password recovery tool is now open source. By and large, expect the move to improve back-end security. But as with any tool of this type, good guys aren’t the only ones with access. What’s good for long-term security pain may offer short-term cybercriminal gain.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today