Connect with us

Hi, what are you looking for?


Data Protection

Password Cracking Tool Hashcat Goes Open Source

Hashcat, the popular password recovery utility advertised as the world’s fastest password cracker, has been released as open source.

Hashcat, the popular password recovery utility advertised as the world’s fastest password cracker, has been released as open source.

The announcement was first made on December 4 on Twitter via an MD5 hash that read “hashcat open source” when cracked. Jens ‘atom’ Steube, the main Hashcat developer, later announced in a post on the official forum that the source code for both Hashcat, the CPU-based tool, and oclHashcat, the GPU-based version, has been released under the MIT license.Hashcat source code released

Steube, who is a big fan of open source software, explained that he had been thinking of taking this step for a long time.

One of the reasons for making Hashcat and oclHashcat open source is to allow penetration testers and forensic scientists to add and modify algorithms without exposing any potentially sensitive information. Now that the tools are open source, users will also be able to easily integrate external libraries.

Up until now, oclHashcat supported OpenCL (AMD) and CUDA (Nvidia) graphics processors on Linux and Windows, but OS X was not supported because Apple does not allow “offline” compiling of kernel code. Now that the project is open source, users will be able to compile the GPU kernels and use oclHashcat on OS X.

The fact that the password cracking tools have been released as open source under the MIT license will also enable their integration into popular Linux distributions. Steube says he has planned to generate packages for Kali Linux, which is very popular among pentesters.

Kaspersky Lab, whose experts were assisted by Steube in cracking hashes related to the Gauss malware and the Equation group, published a blog post on Monday explaining the benefits of password cracking tools going open source.

“One of the main [password cracking tool] user-groups are penetration-testers. Their job is to evaluate the security in given areas including evaluation of password security. Also forensic-examiners use these tools in order to gain access to required evidence. These cases and tasks are often highly sensitive and apply to strict rules,” explained Kaspersky’s Marco Preuss. “OpenSource offers the possibility of developing customized extensions without leaking any potential sensitive information to external developers of such tools. This applies if different hash-algorithms are required to be audited while pentesting or specific requirements are set in forensic cases e.g. criminal evidence collection for an upcoming lawsuit.”

Advertisement. Scroll to continue reading.

Steube has pointed out that the open source release of Hashcat does not mean that he is leaving the project. “No way I’d do that! I’ll stay here, providing the same effort as before,” the developer said.

The source code for Hashcat and oclHashcat is available on GitHub. Bug fixes and new features can be submitted, but contributors must ensure that their code complies with a specified set of requirements.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...