Password Hacking Tools & Software

Content Written By Henry Dalziel, 2020

Password Cracking Tools For Use In 2020

Password cracking or ‘password hacking’ as is it more commonly referred to is a cornerstone of Cybersecurity and security in general.

Wanting to crack passwords and the security therein is likely the oldest and most in-demand skills that any InfoSec professional needs to understand and deploy.

Password hacking software has evolved tremendously over the last few years but essentially it comes down to several things: firstly, what systems are in place to prevent certain popular types of password cracking techniques (for example ‘captcha forms’ for brute force attacks), and secondly, what is the computing processing power of the hacker?

Typically password hacking involves a hacker brute-forcing their way into a website admin panel (or login page for example) and bombarding the server with millions of variations to enter the system.

That requires CPU. The faster the machine the faster the cracking process will be. Yes, a ‘clued-up’ Cybersecurity Professional will be able to prevent brute-forcing but you’ll be amazed at the number of vulnerable websites that can be forced into with the password hacking software that we’ve listed below.

Humans Are Lazy, Good News For A Hacker

We are all lazy. 

Period.

I am, you are, and you’ll find ways to make your life more efficient and easier and why shouldn’t you!

Unfortunately, convenience is something that does not play nice with Cybersecurity and especially with regards to password security. The more complex your password the more it will be difficult for a hacker to force their way into your account(s).

There are a bunch of password security measures we can all take which will greatly help your security online and many of these we already know extremely well yes few of us really adopt them. For example, do not use the same password – because should a breach happen on one system you’re entire (or potentially a large chunk) of your online presence may also be compromised.

Password Cracking ToolBrief Description / Keyword
AircrackClassic WiF Cracking Tool
Crowbar Password Cracker Brute Force Servers
John The Ripper (‘JTR’ or ‘John)’Famous Offline Password Cracking Tool
LophtcrackOld School Windows Cracking
MedusaBrute Force Hacker Tool
OphcrackRainbow Password Cracking
RainbowcrackAnother Rainbow Cracker
SolarwindsExpensive Password Stress-Tester
THC HydraClassic Free Brute Force Tool
WFuzzLike Hydra (Brute Forcing)

Aircrack

Rating: 4 out of 5.

My review of this tool is that it is a “must-learn” for any budding professional pentester; consider it as a rite of passage.

By far one of the more popular Wireless Hacking Tools in our list and one in which there are a million YouTube tutorials!

This tool ships with Kali Linux.

Aircrack-ng is a network hacking tool that consists of a packet sniffer, detector, WPA/WPA2-PSK cracker, WEP and an analysis tool for 802.11 wireless LANs.

This tool works with a wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b, and 802.11g traffic.

A new attack called “PTW” made by a team at the Darmstadt University of Technology which decreases the number of initialization vectors (IVs) needed to decrypt a WEP key has been included in the aircrack-ng suite since the 0.9 release.

Is Aircrack-ng Free?

This tool is free and you can find many tutorials about it on the internet like on how to install aircrack-ng (https://www.aircrack-ng.org/install.html).

Does Aircrack-ng Work on all Operating Systems?

This tool can run on various platforms like FreeBSD, OSX, Windows, OpenBSD, and Linux. The Linux version of this tool is packaged for OpenWrt and been ported to Maemo, Zaurus and Android platforms; and a proof of concept port has been made to iPhones.

What are the Typical Uses for Aircrack-ng?

This tool focuses on areas of Wifi Security which includes monitoring which captures packets and exports the data to text files for processing by 3rd party tools. Replaying attacks, fake access points, deauthentication by using packet injection. Testing of wifi cards and driver capabilities via capture and injection and cracking of WPA and WPA PSK (WPA 1 and WPA 2).


Crowbar Password Tool

Rating: 3 out of 5.

It’s a little tricky to get going but once you realize the power that Crowbar packs then you’ll be brute-forcing your way into any server you wish.

Crowbar is one of the brute force attacking tools that provides you an opportunity to be in control of what is submitted to a web server.

It doesn’t try to identify a positive response like hitting a correct username or password combination but it rather tells you to give a “baseline” – the content of response and content of the baseline are then compared.

Is Crowbar Free?

Yes, Crowbar is currently free.

Does Crowbar Work on all Operating Systems?

Crowbar works with Linux operating systems.

What are the Typical Uses for Crowbar?

This brute-forcing tool is commonly used during penetration tests and is developed to support protocols that are currently not supported by other brute-forcing tools. Currently, this tool supports remote Desktop Protocol with NLA support, VNC key authentication, open VPN and SSH private key authentication.


John The Ripper (‘JTR’ or ‘John)’

Rating: 4 out of 5.

John The Ripper is perhaps the best-known password cracking (hacking) tool out there, and that’s why it will always be in my ‘2020 Top Ten Hacking Tools’ post.

Aside from having the best possible name, I love John, as it is affectionately known because simply said, it works and is highly effective. John The Ripper is, like Metasploit, also part of the Rapid7 family of pentesting/ hacking tools.

How do Password Crackers Work?

In cryptanalysis, (which is the study of cryptographic systems in order to attempt to understand how it operates, and, as hackers, we’ll try to see if there are any vulnerabilities that will allow them to be broken, with or without the hash/ password key).

Password cracking is the process of recovering or hacking passwords from data that have been stored in or has been transmitted by a computer system or within a network.

One of the most common types of password hacking is known as a ‘brute-force attack.’ which, simply said, is the process in which a computer system guesses for the correct by cross-checking against an available cryptographic hash of the password. If the brute force attack is against clear-text words then the process derives from a ‘dictionary-attack’.

If the password is guessed using password hashes (which is faster), then the user process would be a ‘rainbow’ table.

If you work in Cyber Security or are looking to get started in the profession, then it is ‘a must’ that you learn certain aspects of cryptography.

We’d therefore strongly suggest that you learn, and try to crack, offline passwords using John The Ripper.

How does John The Ripper compare to THC Hydra?

THC Hydra, or simply ‘Hydra’, is another very popular password hacking tool that is often referred to in the same context as John The Ripper. The easiest way to describe the difference between John The Ripper (JTR) and THC Hydra is that JTR is an offline password cracker whilst Hydra is an online password cracker.

Is John The Ripper Free?

Both. There is a very popular free version of John The Ripper, and also a ‘pro’ version. John the Ripper commercial version is used by penetration testers that are interested in password cracking specific operating systems. The commercial version optimized for performance and speed. For the average user John The Ripper ‘open-source’ will work great, for the real hard-core user we’d certainly recommend the Pro Version, available from Rapid7.

Does John The Ripper Work on all Operating Systems?

John The Ripper was originally developed for Unix operating systems but now runs on various platforms 11 of which are architecture-specific versions of DOS, Unix, BeOS, Win32, and OpenVMS.

What are Typical Uses for John The Ripper?

John the Ripper is a fast password cracker. Period. In fact, you can consider John The Ripper as ‘the definitive’ password hacking tool!

In Summary

In summary, this extremely popular password cracking software tool is a behemoth within its’ category.

This tool now works on, literally, every single platform you can think of.

Users of this software love it, primarily for two specific reasons; firstly, because you can combine it with other password crackers, and secondly because it can autodetect password hash types through its customizable cracking functionality.

This tool can easily be executed against various encrypted password formats including (but not limited to) several crypt password hash types most commonly found on various Unix versions (such as DES, MD5, or Blowfish, Kerberos AFS, etc).

Like other tools such as Metasploit and Nmap, John The Ripper (JTR) can have its performance enhanced by adding extra modules.


Lophtcrack

Rating: 3 out of 5.

L0phtCrack is a recovery and password auditing tool originally created by Mudge – a hacker who has been in the game for a long time. My review is a little limited if I’m honest but from what I heard and saw of it several years ago now was impressive.

It tries to crack Windows passwords from obtained hashes from stand-alone Windows workstation, primary domain controllers, networked servers or Active Directory. It can sometimes sniff hashes off the wire. This tool also has several methods of generating password guesses.

Is L0phtCrack Free?

Nope. There are three versions available for L0phtCrack: Professional, Administrator, and Consultant are available for purchase.

Does L0phtCrack Work on all Operating Systems?

No, It only works for Microsoft Windows.

What are the Typical Uses for L0phtCrack?

L0phtCrack is used to recover lost Microsoft Windows passwords or to test someone’s password strength. It uses brute force, rainbow tables, hybrid, dictionary attacks, and a combination therein. Even if this one of the tools of choice, crackers use old versions because of their high availability and low price.


Medusa

Rating: 3 out of 5.

The best thing about this password cracker is its’ speed. I was running a low spec machine and it was able to brute-force into a local machine I had on my network with a relatively difficult password.

Medusa is created to be a massively parallel, modular, speedy, and login brute forcer.

The aim is to support a lot of services that will allow remote authentication.

Key features of this tool include thread-based parallel testing – Brute force testing can be performed against multiple hosts, passwords or users. Flexible user input – Target information can be specified in different ways.

One example is that for each item, it can be either a single entry or file containing multiple entries and Modular design – Every independent mod file exists in each service mod file. This means that no modifications are needed to the core application in order to extend the list of supported services for brute-forcing.

Is Medusa Free?

Yes, Medusa is free to use.

Does Medusa Work on all Operating Systems?

Medusa works on Linux and MAC OS X operating systems.

What are the Typical Uses for Medusa?

Just like THC Hydra, this tool focuses on cracking passwords by brute force attack. This tool can perform rapid attacks against a large number of protocols that include telnet, http, https, databases and smb.


Ophcrack

Rating: 2 out of 5.

I found it a little tricky to get going but that was my own experience and not a reflection on the longevity of this password too. I couldn’t get it to work to break in a Windows XP box but that might have been my settings – so please do experiment yourself!

Ophcrack is a rainbow-table based password cracker. This tool can import hashes from different formats included dumping directly from the SAM files of Windows.

Some Rainbow tables are free to download but if you want larger ones, you can buy it from Objectif Sécurité.

Is ophcrack Free?

Yes!

Does ophcrack Work on all Operating Systems?

This tool works on Linux, Microsoft Windows and MAC OS X.

What are the Typical Uses for ophcrack?

The primary use of this tool is for password discovery. It can fork out simple passwords within minutes. Buying additional rainbow tables will enable you to crack complex passwords.


Rainbowcrack

Rating: 4 out of 5.

Tested and was very fast!

RainbowCrack is a hash cracker tool that makes use of a large-scale time-memory trade-off.

A common brute force cracker tries every possible plaintext one by one which is time-consuming for complex passwords but this tool uses a time-memory trade-off to do an advance cracking time computation and store results in “rainbow tables”. Password crackers take a long time to precompute tables but this tool is hundred of times faster than a brute force once it finishes the precomputation.

Is RainbowCrack Free?

Yes. RainbowCrack is free to use.

Does RainbowCrack Work on all Operating Systems?

It works on Linux, Microsoft Windows and MAC OS X (You should have mono or CrossOver for this one).

What are the Typical Uses for RainbowCrack?

The use of this tool is to crack hashes with rainbow tables that makes password cracking easier.


Solarwinds

Rating: 5 out of 5.

No Review! I’ve never used it!

SolarWinds Firewall Security Manager (FSM) is a great solution for organizations and companies who need reporting and expert management on their most critical security devices.

Set-up and configuration of this product are pretty straightforward and multi clients can be deployed to allow multiple administrators to access the system.

Is SolarWinds Free?

No. SolarWinds is a paid product offered by an excellent and well-respected company.

Does SolarWinds Work on all Operating Systems?

SolarWinds works on Windows operating systems.

What are the Typical Uses for SolarWinds?

Uses of this tool include network discovery scanners, router password decryption, SNMP brute force cracker, and TCP connection reset program.


THC Hydra

Rating: 5 out of 5.

10/10 – amazing.

I even interviewed the developer!

THC Hydra is a password cracking tool that can perform very fast dictionary attacks against more than fifty protocols.

It is a fast and stable Network Login Hacking Tool which uses a dictionary or brute-force attacks to try various password and login combinations against a login page.

Is THC Hydra free?

Yes! THC Hydra is free. This tool is a proof of concept code giving researchers and security consultants the possibility to know how easy it would be to gain unauthorized access from remote to a system.

Does THC Hydra Work on all Operating Systems?

Hydra was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

What are the Typical uses for THC Hydra?

Hydra is used as a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add. This tool shows how easy it would be to gain unauthorized access to a system remotely.


WFuzz

Rating: 5 out of 5.

No Review! I’ve never used it!

Wfuzz is a hacking tool use created to brute force Web Applications.

Some of the features of this tool include multiple Injection points capability with multiple dictionaries, output to HTML, recursion (When doing directory bruteforce), colored output, post, headers and authentication data brute forcing, cookies fuzzing, time delays between requests, SOCK support, authentication support (NTLM, Basic), proxy support, payload combinations with iterators, HEAD scan (faster for resource discovery), brute force HTTP methods, multiple proxy support (each request through a different proxy) and hide results by return code, word numbers, line numbers, regex.

Is Wfuzz Free?

Yes! Wfuzz is free.

Does Wfuzz Work on all Operating Systems?

It works on Linux, Windows and MAC OS X operating systems.

What are the Typical Uses for Wfuzz?

This tool is used to brute force Web Applications and can be used to find resources not linked (servlets, directories, scripts, etc.), POST parameters for various injections like SQL, LDAP, XSS, form parameters brute-forcing (username/password), fuzzing and a lot more.


FAQ

How Hard Is It To Break A Password Composed Of 8 Characters?

The accepted answers are that of course, it depends on the processing power of your machine (or the system that is running the password hacking method). To put that into numbers, if you’re on a basic low-spec computer that was running a brute-force hack then it will take (1.7*10^-6 * 52^8) seconds / 2, or 1.44 years. The faster the processor the less that number becomes. A supercomputer or a botnet powered tool would take a lot less time (maybe about ten minutes at best). The moral of the story here is to have a complex password that is longer than eight characters.

How Can I Hack A Password?

Brute Force Attack and social engineering scams are the two easiest and best-known methods of being able to hack passwords. Most password cracking tools can crack simple passwords by guessing a specific number of passwords (see tools like cup.py). Hackers use tools listed within our resource that will try to crack passwords by simply entering different passwords over and over until it’s cracked. There’s more to it than this but essentially that’s how passwords are cracked. The other solution is social engineering. Uber was hacked, for example, because some developers left login credentials on their GitHub account. Such an error was human, but the access to their GitHub account was likely due to social engineering.

What Are Five Recognized Processes Of Hacking?

The five stages are: Reconnaissance > Scanning > Gaining Access > Maintaining Access > Covering Tracks.

Can I Hacked A Computer By Just Using An Ip Address?

Yes and no.

Yes, because of its practice you certainly can scan the IP to see what’s on it and from that information launch at attack but likely that will be very difficult because even rudimentary client-facing ports (IP Addresses) will have some form of firewall or packet filtering.

Also, typically, a semi-decent Firewall will be able to instantly detect a Nmap scan (for example) and block the origin IP and subsequently rotated IP’s. An expert hacker or Penetration Tester can send creative packets to test the system and may be able to penetrate the network or IP Address. In summary, therefore, the best answer is: it depends!

Is It Possible To Hack A Mobile?

Yes, but it would require a significant skill. There is a multitude of ways to hack into someone’s phone. The easiest way would be to get the target to download a vulnerable “mobile app” that could then be used to remotely access that targets phone.

Also, this question is almost impossible to answer in a “yes” or “no” but in summary, I’d say that a mobile phone (iOS or Android) is, of course, a computer and therefore can be hacked so I’d lean towards always saying “yes” mobile phone can be hacked. How easy that is, of course, depends on a wide range of factors.

How Hard Is It To Break A Password?

The answer here is that it totally depends. Using creative hacking tools you can create specific dictionary attacks based upon your target which would be really focused on getting the correct pattern or likely passwords. Such an attack would be referred to as a “Brute Force” attack. So, in summary – the harder the password the harder it is to crack! Get creative and have unique passwords per account.

Can I Hack A 4 Digit Pin In A Short Period Of Time?

Based upon research we’ve looked at here at Concise Courses each PIN entry can take about 40 seconds to execute. Based upon that metric it would take over 112 to brute force a 4 digit PIN.

What Is The Primary Stage Of Password Hacking?

The first step of password hacking is known as “Footprinting (Reconnaissance) or “Information Gathering”. This phase is also known as OSINT (Open Source Intelligence) where the hacker (or “Ethical Hacker”) would collect as much information as possible about their target and with regards to password cracking they’d have to create their own unique rainbow/password list.

Henry, "HMFIC"

I'm Henry, the guy behind this site. I fancy myself as a bit of a Cyber Expert Specialist and I've been Growth Hacking since 2002, yep, that long...

110 thoughts on “Password Hacking Tools & Software

      1. Are you’re using Linux? If so then simply spin up a VirtualMachine and install a distro like Kali Linux, Backbox, Parrot or Dark Arch (or something like that) and most of these tools can with the distro.

    1. Not sure if I do – if it were me and I had permission to do it, I’d set up a dummy FB page and send the target to sign up and when the correct password was entered they’d be sent an error page and then to the correct FB page to login. Classic, but effective.

  1. I need to recover the password for a MacOSx dmg. I know which possible characters I used when I generated the password but I don’t which exactly are in there. Would any of the above tools help?

  2. Would any of the above software’s be able to figure out the password to log in to my bank account (online banking)? I know the username and can only remember half of the password. (Long story short, it was a joint account, my husband died, not from this country, having issues dealing with the bank for 3 months now, etc.). If not, do you know any at all?

    1. I’d say no. Firstly what you are trying to do is illegal and will get you into a lot of trouble if caught. Just contact the bank and ask them directly? Surely the loss of your husband (sorry to hear that) will facilitate access to the bank account.

        1. A password permutation generator would be the best approach probably. When it comes to “Hacking Instagram” you’re of course referring doing so for educational purposes with their permission?

    1. First of all I wanna say you no! Don’t do that cuz its not a good idea if you are not a hacking student.
      Secondly, its not legal. So don’t.
      Thirdly, if you in search of Facebook cracking software than you should wrote in Google that you want a Facebook cracking software particularly with description.

      You can use truthSpy, keylogger as Facebook cracking software or you can do phissing attack, and many more software or methods you can get from google.

    1. Then email enumeration is your goal. Discover similar email structures. Is this for a company account? Of course, you’d only do this under a testing environment to demonstrate how easy it can be to hack someone’s email account.

      1. A pleasant morning sir, I am currently taking BSIT in my University right now. What can you recommend for me to begin with to learn defensive hacking, I want to be ahead on our class. Thank you.

    1. Patch it up with her – don’t hack her account. If you want to hack your wife’s account there sounds like there’s a lot of distrust. Gaining authorized access is not recommended. Sorry, can’t help you with that.

  3. Hi, I just need to read a recovery email address from an email provider, which is half hidden under dots, when I click password forgotten. Complex situation but the reason is my partner recently died and I would like to retrieve pictures he has stored online, which I believe are on that email. Please, please get in touch. I am happy to explain more. I even have a bunch of his passwords because they were saved on our laptop, but that one in particular was not saved recently, so not on the laptop.

  4. Please i have liked your answers and i admire sir to be like you. i want to become a computer wizard but i have failed to find someone to help me. i just have my laptop but i don’t know how to do it. Can i get your help sir and teach me some tips how to put my laptop in use?

  5. I have an old email account, unfortunately I forgot my password sometime back.

    I had it set up where it would send an SMS message to my phone to change the password but I no longer have the phone and Yahoo! Any help you could give me would be greatly appreciated…

    1. Hi Kurt – not sure that I can help. If you lost the phone then I’m not sure how you’d be able to see an SMS Text ID that came out of it. Sorry that I can’t help.

  6. I forgot my new FB password.How can I will get my new password .Please help me . I know the olp password only.

  7. I cannot sign in to my Instagram acc. already tried to reset password but failed. Can somebody help me pls? I’d really appreciate it

  8. What is a good password hacking program for Folder Lock 7? DO NOT NEED THE MASTER PASSWORD. Need to crack a folder in a folder password that I forgot. Any suggestions.

  9. I do not know the password for one of the IP Cameras on this domain its user name is root and it is not the default or normal passwords we would us of course I know the IP. Will one of these hacking programs work?

  10. Buon giorno,
    Sto cercando uno strumento che mi permetta di cracker la psw admin di un server online per valutarne la vulnerabilità, quale tra questi mi consigliereste?

  11. Hello, pls is there a way to crack a password through email lists? Like loading some email leads in a cracking tools to crack their passwords. Is that possible? Is there any cracking software for that? Thx

    1. Yes of course. The tool you want to take a look at is cupp.py and create your own password lists. With regards to “email lists” that is only, possibly, helpful for enumeration and usernames for your target.

  12. Hello sir, i have a flk file whihc is a 100 gb file created by folder lock software v7.1.8 which i created back in 2013, unfortunately i dont remmember my password, is there any way to recover my files or password for it?
    Thanks in advance

  13. I would like to find out someones discord password, if there is something here that can do that please tell me which one and how to download it

  14. My Hotmail and facebook account was hacked and I reset the password but the account has been hacked again. The “No Reset” option is not working as settings and data have been changed. Now i know my user id and the old password. Please help before someone uses it for criminal purpose.

    1. Sunny it sounds like your accounts have been compromised. Contact Hotmail and Facebook and explain it to them directly. If you are legit – which you are – then you will be well received.

    1. The short answer is that I don’t know but I will keep your question here in case anybody is able to chime in and help. I can tell you to be careful though! There are tons of scams out there so don’t pay anyone!

  15. I have a thumb drive that I forgot the password. It was set up a year ago I believe with BitLocker. How can I get the Password? I don’t have the recovery key

    1. YouTube is your friend. Some tools have better tutorials than others of course. What in particular are you trying to learn?

  16. Man I forgot my Facebook password after I changed it a couple months ago and the only recovery tool I have is my 15 year old yahoo mail email and I have no idea what it is either I know I set the password on my Facebook app on my phone is there a way to pull that information or pull up old key logs on my phones history?

    1. What problem do you have? What account are you referring to? Are you trying to regain access to Microsoft Outlook Account or similar?

  17. Hi Henry, Sir I want to know do u run any YouTube tutorial channel, where I can subscribe to your channel and learn something useful… Thanks

  18. Hi Henry, i have a file zipped with a password, the encryption method is AES 192 or 256, not shure. Do you think this is a good method to keep sensitive information or not? Do you suggest any other method that it is safer. i’m using ubuntu linux.

  19. I’ve been reading many of your posts and I enjoy your content, I’ll definitely bookmark your site.

  20. hello, I have several old accounts and apps that I was going to use to learn. figured it was a safe route to take. which tools would you suggest to get passwords for a Myspace account, AT&T wireless account, or my old Match.com?

Leave a Reply to Luckkett Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Content