by x32x01
Password security testing is a core part of any authorized cybersecurity assessment. Good password audits help teams evaluate password policy strength, spot weak hashes, and improve credential protection before attackers exploit them. This guide covers the essential tools pros use, with simple command examples, workflow tips, and practical notes so you can run fast, repeatable, and ethical password checks. 
Why password audits matter
Passwords are still the most common form of authentication. Weak or reused passwords, poor hashing, and exposed credentials lead to account takeover and data breaches. Password audits let you:
- Measure how resistant stored hashes are to cracking.
- Test authentication endpoints under realistic conditions.
- Discover exposed credentials (in allowed scopes) and weak policies.
- Provide prioritized remediation steps to security teams.
Hashcat - high-performance hash cracking
Hashcat is the go-to GPU-accelerated cracking tool. It supports a huge list of hash types and attack modes (dictionary, combinator, mask, rule-based, hybrid). Use Hashcat when you want to test how long it takes to crack password hashes with real-world GPU power.
Example: run a dictionary + rules attack against an NTLM hash file:
Code:
hashcat -m 1000 -a 0 -r rules/best64.rule hashes.txt rockyou.txt --session=pass_audit
- -m 1000 = NTLM, -a 0 = straight dictionary, -r = rule file.
- --session saves state so you can pause/resume long jobs.
Tip: always identify the hash type first (see Hash Identifier below) and tune masks for the organization’s password policy to get realistic estimates.
John the Ripper - flexible open-source suite
John the Ripper is a versatile cracking suite with good CPU-based performance and lots of community formats. It’s great for mixed environments or where GPUs aren’t available.
Example: run John with a wordlist and incremental mode:
Code:
john --wordlist=/usr/share/wordlists/rockyou.txt --rules hashes.txt
john --incremental hashes.txt
Use John to test password policies locally and to validate how legacy systems might hold up under offline attacks.
THC Hydra - online authentication testing
THC Hydra tests online services by attempting logins against protocols like SSH, FTP, HTTP forms, SMB, and more. It simulates credential stuffing or brute force against live endpoints - use with extreme care and always inside scope.
Example: test SSH with a username and password list:
Code:
hydra -l admin -P /usr/share/wordlists/passwords.txt ssh://10.0.0.5 -t 4 -f
- -t is the number of parallel tasks, -f stops after the first valid credential is found.
Important: respect rate-limits and lockout policies to avoid service disruption. For accurate assessment, coordinate with ops for safe test windows.
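A defender-side complement to the Hydra test above, added here as an example and not part of the original post: an authorized online test should also show whether the blue team sees it, so this Python script runs a sliding-window failed-login detector over a few constructed sshd-style log lines. The log lines, host name, addresses, year and the threshold of five failures per minute are all assumptions made for the sample, not real data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

# Syslog-style OpenSSH failure line. The timestamp carries no year, so the
# caller supplies one (the default is an assumption for the sample data).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_LOGIN.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bursts(lines: List[str], threshold: int = 5, window_s: int = 60
                  ) -> List[Tuple[str, int, List[str]]]:
    """Sliding-window detector: one alert per source IP the first time it
    reaches `threshold` failed logins within `window_s` seconds.
    Each alert is (ip, failures_in_window, sorted usernames tried)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, int, List[str]]] = []
    for line in lines:
        rec = parse_failed(line)
        if rec is None:
            continue  # successful logins and unrelated lines are ignored
        ts, user, ip = rec
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(q), sorted(users[ip])))
    return alerts


# Constructed sample log (not real data): five failures in four seconds from
# one address, then one success, then two slow failures from another address.
SAMPLE_LOG = [
    "Mar 12 10:00:01 bastion sshd[2101]: Failed password for admin from 10.0.0.9 port 50112 ssh2",
    "Mar 12 10:00:02 bastion sshd[2102]: Failed password for admin from 10.0.0.9 port 50113 ssh2",
    "Mar 12 10:00:02 bastion sshd[2103]: Failed password for invalid user root from 10.0.0.9 port 50114 ssh2",
    "Mar 12 10:00:03 bastion sshd[2104]: Failed password for admin from 10.0.0.9 port 50115 ssh2",
    "Mar 12 10:00:04 bastion sshd[2105]: Failed password for admin from 10.0.0.9 port 50116 ssh2",
    "Mar 12 10:00:04 bastion sshd[2106]: Accepted password for admin from 10.0.0.9 port 50117 ssh2",
    "Mar 12 10:05:00 bastion sshd[2107]: Failed password for alice from 192.168.1.20 port 40001 ssh2",
    "Mar 12 10:20:00 bastion sshd[2108]: Failed password for alice from 192.168.1.20 port 40002 ssh2",
]

if __name__ == "__main__":
    for ip, count, names in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {ip}: {count} failed logins in window, users tried: {', '.join(names)}")
```

The burst from 10.0.0.9 trips the alert on its fifth failure; the two failures from 192.168.1.20 fifteen minutes apart do not, which is the same distinction a throttled, in-scope test window is meant to stay on the right side of. Tune the threshold and window to the lockout policy agreed with ops.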
Ophcrack & Rainbow Crack - precomputed table techniques
Ophcrack and Rainbow Crack use precomputed tables (rainbow tables) to quickly recover some types of hashes. They’re useful in research and legacy system analysis where weak salts or unsalted hashes appear.
Example (Rainbow Crack basic usage conceptually):
- Generate or download rainbow tables for target hash type.
- Run the tool against the hash set to find matches quickly.
These methods are less effective on salted hashes, but still valuable for historical systems and compliance checks.
Aircrack-ng - network authentication & Wi-Fi checks
Aircrack-ng specializes in Wi-Fi encryption assessment (WEP/WPA/WPA2). It captures handshakes and then attempts to crack the PSK using wordlists or PMKs. In controlled environments, it’s essential for auditing wireless credential strength.
Basic flow:
- Capture the handshake using airodump-ng.
- Crack the handshake with aircrack-ng -w wordlist capturefile.cap.
Cain & Abel - legacy Windows password auditing
Cain & Abel is older Windows-focused recovery software that includes ARP spoofing, LLMNR/NBT-NS poisoning, and offline hash analysis. It’s mostly legacy now, but can be useful in labs and red-team scenarios for learning attack chains on older Windows environments.
Note: Cain & Abel is Windows-only and flagged by many AV products; use it in isolated test setups.
Burp Suite - web credential testing and workflow
Burp Suite is a comprehensive web testing platform. For password assessments, Burp helps you:
- Inspect login flows and hidden parameters.
- Automate form-based brute force or credential stuffing (Intruder / new Turbo Intruder).
- Validate password policy enforcement on the client and server side.
Quick approach: intercept a login request, send it to Intruder (or Turbo Intruder) with a username list and a password list, and configure throttling to respect rate limits.
Hash Identifier - identify hash algorithms
Before cracking, identify the hash type. Hash Identifier (or tools like hashid) help map a hash string to possible algorithms so you choose the right cracking mode.
Example:
Bash:
hashid -m '5f4dcc3b5aa765d61d8327deb882cf99'
# suggests MD5 - use Hashcat/John with the proper mode
Practical workflow for password assessments
- Inventory & scope - list systems, hash stores, and auth endpoints (with permission).
- Identify hash types - use Hash Identifier.
- Offline cracking - run Hashcat/John with tuned masks and rules.
- Online auth testing - where allowed, use Hydra or Burp to test login policies carefully.
- Wireless checks - use Aircrack-ng only on controlled Wi-Fi networks.
- Legacy & research - apply Ophcrack, Rainbow Crack, Cain & Abel in lab settings.
- Document & report - include PoCs, time-to-crack estimates, and prioritized fixes.
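As an added example (not from the original post) for the Hash Identifier section and step 2 of the workflow, this Python snippet does the identification locally: it matches a hash string against prefix and length signatures, returns every candidate together with its hashcat -m mode, and groups a dump by candidate set so each batch gets one mode. It also flags batches that consist only of fast, unsalted digests, which is a finding for the report on its own. The signature table covers only the formats listed; the bcrypt string in the sample dump is syntactically valid but constructed, and the 40-hex digest is likewise a constructed sample.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (label, hashcat -m mode, fast?, pattern). Prefixed crypt(3)/bcrypt formats
# are unambiguous; raw hex digests are only distinguishable by length, so one
# string can match several entries (MD5 and NTLM are both 32 hex characters).
# Mode numbers are hashcat's documented ones for these formats.
SIGNATURES: List[Tuple[str, int, bool, re.Pattern]] = [
    ("bcrypt",      3200, False, re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", 1800, False, re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("sha256crypt", 7400, False, re.compile(r"^\$5\$[^$]{1,16}\$[./A-Za-z0-9]{43}$")),
    ("md5crypt",     500, False, re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("MD5",            0, True,  re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("NTLM",        1000, True,  re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("SHA1",         100, True,  re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("SHA2-256",    1400, True,  re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("SHA2-512",    1700, True,  re.compile(r"^[0-9a-f]{128}$", re.I)),
]


def identify(hash_str: str) -> List[Tuple[str, int]]:
    """Return every (algorithm, hashcat mode) whose pattern matches the string."""
    h = hash_str.strip()
    return [(name, mode) for name, mode, _fast, rx in SIGNATURES if rx.match(h)]


def is_fast_hash(hash_str: str) -> bool:
    """True when every candidate is a fast, unsalted digest: a remediation
    finding by itself, whatever the cracking run later recovers."""
    cands = [fast for _n, _m, fast, rx in SIGNATURES if rx.match(hash_str.strip())]
    return bool(cands) and all(cands)


def triage(hashes: List[str]) -> Dict[str, List[str]]:
    """Group a hash dump by candidate set, so each batch gets one -m mode."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in hashes:
        key = ", ".join(f"{n} (-m {m})" for n, m in identify(h)) or "unknown"
        groups[key].append(h.strip())
    return dict(groups)


# Constructed sample dump: the MD5 from the hashid example above, a constructed
# 40-hex digest, a syntactically valid but made-up bcrypt string, and junk.
SAMPLE_DUMP = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "$2b$12$" + "a" * 53,
    "not-a-hash",
]

if __name__ == "__main__":
    for key, members in triage(SAMPLE_DUMP).items():
        fast = all(is_fast_hash(h) for h in members)
        print(f"{key}: {len(members)} hash(es){' [fast unsalted]' if fast else ''}")
```

Ambiguous batches (MD5 or NTLM) are the normal case for 32-hex dumps: the right mode comes from where the hashes were taken (an NTDS dump is -m 1000, a web database column is more likely -m 0), so record that provenance during the inventory step rather than guessing later.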
Sample Hashcat mask example (practical)
If the org enforces 8-char passwords with a capital and a digit:
Code:
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?d?d?d -w 3
This mask targets one uppercase letter followed by lowercase letters and digits - much faster and more realistic than a full brute force. (-a 3 selects mask attack mode, which a mask needs; -w 3 is the workload profile.)
Reporting and remediation tips
- Report time-to-crack with the hardware specs used for tests.
- Recommend salted, slow hashing (bcrypt/Argon2/scrypt) over fast hashes.
- Encourage multi-factor auth (MFA) and adaptive throttling/lockout.
- Suggest password length and complexity improvements plus credential hygiene (no reuse, rotation policy tied to risk).
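For the mask section and the first reporting tip above, an added example (not the original post's code) that turns a hashcat mask into a keyspace and a worst-case time-to-exhaust figure, which is what the report should carry next to the hardware used. The hash rates are placeholders to show the method, not benchmarks: a fast unsalted format and a bcrypt-class format are assumed at 1e11 and 1e5 H/s. Substitute the rate hashcat's benchmark reports for the test hardware.

```python
from typing import Dict, Optional

# Sizes of hashcat's built-in charsets: ?l ?u ?d ?s, ?a (= ?l?u?d?s), ?b (any byte).
CHARSET_SIZE: Dict[str, int] = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}

# Placeholder rates, NOT benchmarks: assumed only to contrast fast and slow
# hashing. Replace with the rate from `hashcat -b -m <mode>` on the test box.
ASSUMED_RATES: Dict[str, float] = {
    "fast unsalted digest (assumed 1e11 H/s)": 1e11,
    "bcrypt-class slow hash (assumed 1e5 H/s)": 1e5,
}


def mask_keyspace(mask: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Candidates a hashcat mask expands to. ?1-?4 are user charsets (given with
    -1/-2/... on the command line); pass their sizes in `custom`. Any other
    character is a fixed position, and '??' is a literal question mark."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character: exactly one possibility
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sel = mask[i + 1]
        if sel == "?":
            size = 1
        elif sel in CHARSET_SIZE:
            size = CHARSET_SIZE[sel]
        elif custom and sel in custom:
            size = custom[sel]
        else:
            raise ValueError(f"unknown charset ?{sel}")
        total *= size
        i += 2
    return total


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given rate (average is half)."""
    return keyspace / hashes_per_second


def humanize(seconds: float) -> str:
    """Coarse duration string for a report: the two largest non-zero units."""
    if seconds < 1:
        return f"{seconds:.3f}s"
    parts, remaining = [], int(seconds)
    for name, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        qty, remaining = divmod(remaining, size)
        if qty:
            parts.append(f"{qty}{name}")
        if len(parts) == 2:
            break
    return " ".join(parts)


def crack_estimates(mask: str, rates: Optional[Dict[str, float]] = None) -> Dict[str, str]:
    """Map each rate label to the worst-case time to exhaust `mask`."""
    ks = mask_keyspace(mask)
    return {label: humanize(seconds_to_exhaust(ks, r)) for label, r in (rates or ASSUMED_RATES).items()}


if __name__ == "__main__":
    # The policy mask from the section above versus a full 8-character brute force.
    for label, mask in (("policy mask", "?u?l?l?l?l?d?d?d"), ("full 8-char ?a", "?a" * 8)):
        print(f"{label}: {mask} -> {mask_keyspace(mask):,} candidates")
        for rate_label, est in crack_estimates(mask).items():
            print(f"  {rate_label}: {est}")
```

The two numbers side by side make both recommendations concrete: the policy mask has about 1.2e10 candidates against 95^8 for a blind search, so a predictable composition rule barely slows an attacker, while moving from a fast digest to a bcrypt-class hash stretches the same mask from a fraction of a second to over a day under the assumed rates.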