Password recovery and cracking tool Hashcat has made the jump to open source, according to SC Magazine. Creator Jens “Atom” Steube said the move will help penetration testers and other security pros who like how the software works but can’t reveal the changes they need to make because of nondisclosure agreements (NDAs). Here’s a look at Hashcat’s new prowling grounds, and what the transition means for both IT pros and password security.

Password Recovery Isn’t Exactly Safe

Passwords are the gateway to a host of online data — everything from email accounts to financial information and even bitcoin balances. It’s no wonder, then, that attackers are willing to spend so much time and effort cracking user accounts. Of course, these cybercriminals prefer the easiest route possible, meaning there’s always a market for new and better password-hacking tools.

Consider Brainflayer, developed by security researcher Ryan Castellucci, which is designed to crack brain wallets associated with bitcoin balances. What’s a brain wallet? In theory, it’s a well-defended cryptovault locked by hashed passphrases that cybercriminals find exceedingly hard to guess. As Castellucci discovered, however, humans aren’t great at randomizing their passphrases, making it possible to create a tool that generates passcodes, hashes them and then tests them against the bitcoin blockchain.

As noted by Tom’s Guide, there’s also the work of two Spanish researchers who recently cracked password management tool LastPass, making it possible for users to lose not just one password, but every password they stored in one fell swoop.

Enter Hashcat. This is designed to help security pros recover passwords and prepare for potential cyberthreats. While the move to open source offers improved customization, does it also open the door for malicious actors?

Apocalypse Meow?

According to ZDNet, Hashcat creator Steube announced the move to open source on Dec. 4 via Twitter. And not surprisingly, it was done using an MD5 hash. Steube acknowledged that while open source had been on the radar for both Hashcat and oclHashat, it required the creation of an open interface with a generic hashtag, which permitted easy modification for researchers and their unique code strains.

The GitHub community was understandably excited since the tools support CPU and GPU cracks, and an MIT license will allow Hashcat integration with many Linux distributions; a Kali Linux package is also being developed. While there’s no way to get the password recovery tool directly onto Apple systems, going open source lets developers compile kernels using Apple protocols and effectively jump the barrier. Eventually, Steube plans to merge the two projects into a single Hashcat.

The value of Hashcat as open source is a matter of perspective. From the view of researchers and security pros, the ability to manipulate the tool as needed without having to give up sensitive data means better penetration testing and a better chance of warding off future cyberthreats. For those focused on the already-insecure nature of passwords, this move adds yet another extremely popular password cracker to the toolbox of motivated attackers.

In Steube’s view, the danger is minimal since, as SC Magazine quoted, “there’s no hidden or secret stuff that could help their attacks. Everything that you’ll find in the source is already known and used by other projects that do exactly the same as Hashcat does.”

Simply put, bad guys already have access to everything Hashcat does, so this isn’t exactly a world-ending open-source distribution. Just like the public release of exploits and vulnerabilities, however, there’s an underside here: What criminals know can hurt IT security.

The Hashcat password recovery tool is now open source. By and large, expect the move to improve back-end security. But as with any tool of this type, good guys aren’t the only ones with access. What’s good for long-term security pain may offer short-term cybercriminal gain.

More from

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for…