Password recovery and cracking tool Hashcat has made the jump to open source, according to SC Magazine. Creator Jens “Atom” Steube said the move will help penetration testers and other security pros who like how the software works but can’t reveal the changes they need to make because of nondisclosure agreements (NDAs). Here’s a look at Hashcat’s new prowling grounds, and what the transition means for both IT pros and password security.
Password Recovery Isn’t Exactly Safe
Passwords are the gateway to a host of online data — everything from email accounts to financial information and even bitcoin balances. It’s no wonder, then, that attackers are willing to spend so much time and effort cracking user accounts. Of course, these cybercriminals prefer the easiest route possible, meaning there’s always a market for new and better password-hacking tools.
Consider Brainflayer, developed by security researcher Ryan Castellucci, which is designed to crack brain wallets associated with bitcoin balances. What’s a brain wallet? In theory, it’s a well-defended cryptovault locked by hashed passphrases that cybercriminals find exceedingly hard to guess. As Castellucci discovered, however, humans aren’t great at randomizing their passphrases, making it possible to create a tool that generates passcodes, hashes them and then tests them against the bitcoin blockchain.
As noted by Tom’s Guide, there’s also the work of two Spanish researchers who recently cracked password management tool LastPass, making it possible for users to lose not just one password, but every password they stored in one fell swoop.
Enter Hashcat. This is designed to help security pros recover passwords and prepare for potential cyberthreats. While the move to open source offers improved customization, does it also open the door for malicious actors?
According to ZDNet, Hashcat creator Steube announced the move to open source on Dec. 4 via Twitter. And not surprisingly, it was done using an MD5 hash. Steube acknowledged that while open source had been on the radar for both Hashcat and oclHashat, it required the creation of an open interface with a generic hashtag, which permitted easy modification for researchers and their unique code strains.
The GitHub community was understandably excited since the tools support CPU and GPU cracks, and an MIT license will allow Hashcat integration with many Linux distributions; a Kali Linux package is also being developed. While there’s no way to get the password recovery tool directly onto Apple systems, going open source lets developers compile kernels using Apple protocols and effectively jump the barrier. Eventually, Steube plans to merge the two projects into a single Hashcat.
The value of Hashcat as open source is a matter of perspective. From the view of researchers and security pros, the ability to manipulate the tool as needed without having to give up sensitive data means better penetration testing and a better chance of warding off future cyberthreats. For those focused on the already-insecure nature of passwords, this move adds yet another extremely popular password cracker to the toolbox of motivated attackers.
In Steube’s view, the danger is minimal since, as SC Magazine quoted, “there’s no hidden or secret stuff that could help their attacks. Everything that you’ll find in the source is already known and used by other projects that do exactly the same as Hashcat does.”
Simply put, bad guys already have access to everything Hashcat does, so this isn’t exactly a world-ending open-source distribution. Just like the public release of exploits and vulnerabilities, however, there’s an underside here: What criminals know can hurt IT security.
The Hashcat password recovery tool is now open source. By and large, expect the move to improve back-end security. But as with any tool of this type, good guys aren’t the only ones with access. What’s good for long-term security pain may offer short-term cybercriminal gain.