This page has been updated for 2021.
Passwords are a weak link in enterprise security. As users struggle with requirements for complex passwords and password managers, bad habits multiply: post-it notes on screens, Word docs with passwords listed, retaining default passwords, reused passwords, and other workarounds.
That’s why cyber criminals go after passwords so often. Once a hacker steals credentials, they can enter sensitive systems or wait in ambush to stage a devastating attack against a prized asset. And because users tend to reuse passwords, attackers also try the stolen credentials against other systems and websites in password spraying and credential stuffing attacks. It’s enough to make you want to go passwordless.
Penetration testing, therefore, pays close attention to password cracking. John the Ripper is a free, easy-to-use, open-source tool that takes the best aspects of various password crackers and unites them into one package. As such it can be harnessed by pen testers to detect weak passwords and find a way into a system or database.
What is John the Ripper?
John the Ripper is an open-source password cracking tool that organizations can use to test the strength of their passwords. It was originally released in 1996 for Unix, but it now works on 15 operating systems, including Linux, Microsoft Windows, and macOS. It can use both brute force and dictionary attacks to identify passwords.
There is also a Pro version that is better tailored to Linux and Mac OS X operating systems. It supports several additional password hash types.
| Type of tool | Password cracker |
| Differentiator | It is a free tool that is easy to use and is aimed squarely at password cracking. |
| What it can’t do | Vulnerability analysis and testing of areas beyond passwords. |
How John the Ripper Works
John the Ripper uses a combination of brute force attacks and dictionary attacks to crack passwords. First, however, penetration testers can use the single-crack mode to determine a password based on other factors in the credential file, like the username or the user’s full name. For example, for user John Doe, it would look for John, Doe, and common number sequences like 123.
Then, it runs through other common passwords on its wordlist. If neither of those methods works, it moves on to the brute force and dictionary attack options.
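The following is an added example, not part of the original article and not John the Ripper's own code: a check a defender could run at password-change time to reject passwords that a pass over account details, like the single-crack mode described above, would guess immediately. The function names and the suffix list are assumptions, and John's real rule set is far larger.

```python
import itertools
import re

# Assumed suffix list for illustration; not John the Ripper's actual rules.
COMMON_SUFFIXES = ("", "1", "12", "123", "1234", "!", "2020", "2021")

def account_tokens(username, full_name):
    """Base words taken from the account record (login name, name parts)."""
    parts = [p for p in re.split(r"[^A-Za-z0-9]+", full_name) if p]
    tokens = {username, *parts}
    # Pairwise joins such as "johndoe", "doejohn", and initial+surname "jdoe".
    for a, b in itertools.permutations(parts, 2):
        tokens.add(a + b)
        tokens.add(a[0] + b)
    return {t.lower() for t in tokens if t}

def derived_candidates(username, full_name):
    """Guesses that an account-aware cracking pass would plausibly try first."""
    out = set()
    for tok in account_tokens(username, full_name):
        for base in (tok, tok[::-1]):  # as written and reversed
            for cased in (base, base.capitalize(), base.upper()):
                for suffix in COMMON_SUFFIXES:
                    out.add(cased + suffix)
    return out

def is_account_derived(password, username, full_name):
    """True if the password should be rejected at set or change time."""
    return password in derived_candidates(username, full_name)

if __name__ == "__main__":
    # Constructed sample account and passwords.
    for pw in ("Doe123", "jdoe2021", "NHOJ!", "correct-horse-42"):
        print(pw, is_account_derived(pw, "jdoe", "John Doe"))
```

A check like this complements, rather than replaces, screening new passwords against a list of common and breached passwords.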
Brute Force Attacks
With brute force attacks, penetration testers must first configure the tool to give it some password parameters, including the types of characters the password must or cannot include and minimum and maximum lengths. John the Ripper then works through every possible password that falls into those parameters until it finds the right one. This process can be very slow depending on the strength of the password.
Dictionary Attacks
With dictionary attacks, John the Ripper uses the method attackers favor as the easiest way to guess a password: it takes text string samples from a word list of common dictionary words or common passwords. It can also deal with encrypted passwords and address online and offline attacks.
Bottom Line: John the Ripper is a Supplement, Not a Solution
John the Ripper is a fine tool for checking on password vulnerability, but it should be viewed as more of a supplemental tool than a primary one in the penetration arsenal. As it combines several approaches to password cracking into one, it is well worth trying out. However, passwords aren’t the only vulnerability that many organizations face, so penetration testers need other software at their disposal.