6

I am curious to know how secure my passwords are.

What password cracking software is commonly used? Preferably open source.

EDIT: I am actually looking to crack my passwords used on services I don't own.
Obviously, this means that I don't want to actually attack the service.

Is there any piece of software that would allow me to give it a password, and it will attempt to go through the process of breaking it?

AviD
user606723
  • Umm... what exactly do you mean, "give it a password and... process of breaking it"? If you already have the password, what exactly are you trying to break? – AviD Aug 14 '11 at 12:02
  • When you say you want to know how secure your passwords are, but then say I don't own the service, what exactly do you mean? If you plan on testing how secure your password is by brute forcing some service such as Hotmail, you will get into trouble. – phone on the floor Aug 15 '11 at 12:19
  • "Obviously, this means that I don't want to actually attack the service..", I don't understand why this is so hard to understand. The ideal situation would be a piece of software that takes a password, hashes it, and then follows standard algorithms to try to break it. – user606723 Aug 15 '11 at 14:13
  • What type of service is it, FTP, telnet? Hydra is the best choice for this, see its documentation for a full list of services it can brute force. – phone on the floor Aug 15 '11 at 15:16
  • What? the service is not important. I want a service independent method. perhaps it could be called an attack simulation. Hrmmmmm. – user606723 Aug 15 '11 at 15:26

5 Answers

8

John the Ripper is the traditional, free, open-source password cracker (there is also a closed-source commercial "pro" version). It has been widely used for (much) more than the last 10 years.

Thomas Pornin
6

This really depends on what you are using your password for, i.e. Windows login or FTP etc. Hydra is excellent for testing services such as telnet and FTP but I don't think it works if you actually have the hash.

  • Cain and Abel for Windows.

  • John the Ripper for Linux.

  • Hydra for services (FTP, etc).

  • Elcomsoft also have a number of password cracking products that can utilize GPUs for faster cracking.

Download a copy of Backtrack 5 and look under the password cracking section to see a list.

Edit: also note that if you're using a single word such as "password" or "Password1" it is extremely easy to crack. A passphrase is recommended such as "The girl next to me is stunning, bet she wont crack this password :D"

M'vy
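The "Password1" versus passphrase point above, and the service-independent "attack simulation" the question asks for, as an added example that is not part of any answer on this page: it hashes a password you supply and runs a small rule-based dictionary pass against that hash, alongside a naive brute-force size estimate. The unsalted SHA-256 hash, the five-word wordlist, the suffix rules and all function names are assumptions made for illustration.

```python
import hashlib
import math
import string

# Constructed sample data: a real audit would load a large public wordlist.
WORDLIST = ["password", "letmein", "dragon", "monkey", "qwerty"]
SUFFIXES = ["", "1", "123", "!", "2011"]

def sha256_hex(text):
    # Assumption: unsalted SHA-256 stands in for whatever hash a service uses.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def mangle(word):
    """Yield case and suffix variants, the kind of rules crackers apply per word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix

def dictionary_audit(password, wordlist=WORDLIST):
    """Hash `password`, then guess against the hash. Returns (found, guesses_made)."""
    target = sha256_hex(password)
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target:
                return True, guesses
    return False, guesses

def naive_bits(password):
    """Exhaustive-search size in bits from length and character classes used.
    This overstates strength for anything a wordlist reaches."""
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation + " "):
        if any(c in charset for c in password):
            pool += len(charset)
    return len(password) * math.log2(pool) if pool else 0.0

if __name__ == "__main__":
    for pw in ("password", "Password1",
               "The girl next to me is stunning, bet she wont crack this password :D"):
        found, guesses = dictionary_audit(pw)
        print(f"{len(pw):2d} chars  naive {naive_bits(pw):6.1f} bits  "
              f"dictionary hit: {found} after {guesses} guesses")
```

The naive estimate rates "Password1" at roughly 54 bits, yet the dictionary pass reaches it within a handful of guesses, which is why length-and-charset meters alone are a poor check.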
6

A few suggestions

Mark Davidson
3

For services brute-forcing (not hash brute-forcing), hydra, medusa and ncrack do the trick for me. All open-source Linux applications.

john
2

Hashcat is a newer program, but quite useful. They got versions for CPU only that are natively multi-threaded which makes it a lot easier to get going than cutting things up into pieces with JtR and then running multiple instances on each core.
If you got any remotely modern Nvidia or ATI video cards, then you want to use oclHashcat, which has support for a lot of formats and mangling rules, but doesn't work with multiple directories. oclHashcat-plus doesn't support too many rules/hash types, but it's extremely efficient if you want to throw large and/or large numbers of dictionaries at your hashes. Then the newest one is oclHashcat-lite, which is optimized for cracking only one hash at a time, but being very fast about it. I wish they just fused it into one program with lots of options.

The problem is that all these programs have different support for rules, range of hash types they can crack, etc. The inputs have to be very well trimmed (having a single extra whitespace at the end of a hash will make it refuse service due to 'incorrect hash'), unlike JtR which will find a hash in just about any garbage file. So it's kinda early code, it's kinda clunky to use, you gotta do a lot of regex filtering to get it what it wants (and it doesn't tell you what it wants!) but when it works, it's brilliant.

Marcin