This guide is for security professionals, penetration testers, and IT administrators looking to learn how password-cracking attacks work and how to assess credential security in 2026. It covers how to install and use John the Ripper, key features, common use cases, and best practices for defending against password attacks.
Key takeaways for using John the Ripper in 2026
- John the Ripper is a free, open-source password-cracking tool used by penetration testers and security teams to audit password strength.
- The tool supports numerous hash types and file formats, including ZIP archives, KeePass databases, SSH keys, BitLocker volumes, and Linux password files.
- John the Ripper can quickly crack weak passwords using brute-force, dictionary attacks, and custom wordlists.
- Security teams can use John the Ripper in controlled environments to identify weak credentials before attackers do.
- Strong password policies, MFA, passkeys, and password managers remain the best defenses against password-cracking attacks.
John the Ripper is a popular password-cracking tool that can perform brute-force attacks against hashes from various encryption technologies, using word lists. It’s often what pen-testers and ethical hackers use to find the true passwords behind hashes.
This open-source package is free to download and features several modules for generating hashes from a range of file types, including Secure Shell (SSH) keys with ssh2john, .kdbx files with keepass2john, and password-protected zip archives with zip2john. You can then use these hashes as input to find the password with John the Ripper.
Pen-testing distributions such as Kali Linux and Parrot OS usually include the complete package so that you won’t need additional installations.
John the Ripper can demonstrate how easy it is to reveal weak passwords (and the seemingly more sophisticated ones) using a leaked database and a free tool.
Of course, it’s only one tool in the pen-tester’s arsenal, but it’s convenient to use and automates many manual operations that would otherwise need to be run.
How to set up your test environment
You’ll need a proper lab to test the command lines. A straightforward approach is to set up a virtual machine using VirtualBox or VMware and run Kali Linux, as it comes pre-installed with John the Ripper.
You can use the tool on other flavors of Linux as well and install with this command:
sudo apt-get install john -y
You may have to install additional modules manually to crack specific file types, such as zip archives. You’ll also need samples to attack, which are easy to find on platforms such as GitHub. Still, Kali Linux on a virtual machine is the easiest way to get started with the tool.
In terms of hardware, tutorials sometimes recommend large RAM (16GB) and a good graphics processing unit (GPU), but that is for more advanced uses; any recent computer will do the job. For our example, we won’t need a powerful machine.
How does password cracking work?
Before we dive into a practical example, you have to understand the basics of password cracking. The most popular techniques associated with password cracking are brute-force and dictionary attacks. Cracking often happens after critical data, such as databases containing credentials, has been stolen. In the worst-case scenario, the credentials are in plain text, but most of the time you only get a hash.
Still, if the password is short and/or weak, John the Ripper can quickly crack such data. In general, the time required to crack passwords is directly linked to the strength of the password but, above all, its length.
That’s why experts often say these kinds of attacks are about time and calculation power, but if you don’t secure your passwords, they will be found at the speed of light. Or at least a good GPU.
How do you crack passwords with John the Ripper?
The “john” command offers an extensive range of options and flags that allow you to run accurate sessions and match the specific format and encryption of your targeted password.
The tool has built-in wordlists that apply by default, but you can specify your own with --wordlist= followed by the path to your custom wordlist.
Using only the built-in features and the MD5 hash of a weak password (not even “123456”), I was able to retrieve the true password in seconds:
echo "4f95578c0f588e028b8e2ea441fc683b" > hash.txt
john hash.txt --format=Raw-MD5
# julien2022 (?)
Cracking different file types
Supported file formats often require “prep tools” before running John. Here’s a quick reference:
| Format | Prep Tool | Sample Command | Run John |
| --- | --- | --- | --- |
| ZIP archive | zip2john | zip2john secret.zip > hash.txt | john --format=zip hash.txt |
| KeePass database | keepass2john | keepass2john db.kdbx > hash.txt | john hash.txt |
| SSH private key | ssh2john | ssh2john id_rsa > hash.txt | john hash.txt |
| BitLocker drive | bitlocker2john | bitlocker2john dump.bin > hash.txt | john hash.txt |
| macOS DMG image | dmg2john | dmg2john file.dmg > hash.txt | john hash.txt |
| RAR archive | rar2john | rar2john file.rar > hash.txt | john hash.txt |
| GPG private key | gpg2john | gpg2john secret.gpg > hash.txt | john hash.txt |
UNIX shadow example (realistic workflow)
A more realistic workflow involves cracking Linux system accounts. You can combine the /etc/passwd and /etc/shadow files with the unshadow tool. First, set umask 077 so that the combined file is created with restrictive permissions. Next, combine passwd and shadow into one file, then run John the Ripper against that combined file. If you interrupt the session and want to resume it, use john --restore.
umask 077
unshadow /etc/passwd /etc/shadow > mypasswd
john mypasswd
john --restore
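Once a session has finished, `john --show mypasswd` prints the cracked entries. The added example below (not code from the original article) turns that output into an audit report that records which accounts fell and how long their passwords were, without keeping the cleartext; the sample output and account names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `john --show mypasswd` output (made-up accounts).
SAMPLE_SHOW_OUTPUT = """\
alice:summer2024:1001:1001:Alice Example:/home/alice:/bin/bash
backup:a:b:34:34:backup:/var/backups:/usr/sbin/nologin
root:toor:0:0:root:/root:/bin/bash

3 password hashes cracked, 2 left
"""

SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

@dataclass
class Finding:
    user: str
    length: int        # password length only; the cleartext is not kept
    privileged: bool   # uid 0
    interactive: bool  # account has a login shell

def parse_show(output):
    """Return (findings, cracked_count, left_count) from `john --show` text."""
    findings, cracked, left = [], 0, 0
    for line in output.splitlines():
        line = line.strip()
        summary = SUMMARY_RE.match(line)
        if summary:
            cracked, left = int(summary.group(1)), int(summary.group(2))
            continue
        if line.count(":") < 6:
            continue  # blank or not a passwd-style entry
        # Peel the five fixed trailing fields off from the right first:
        # a cracked password may itself contain ':' (see "backup" above).
        head, uid, _gid, _gecos, _home, shell = line.rsplit(":", 5)
        user, password = head.split(":", 1)
        findings.append(Finding(user, len(password), uid == "0",
                                shell not in NOLOGIN_SHELLS))
    # Most urgent first: root-equivalent, then interactive logins.
    findings.sort(key=lambda f: (not f.privileged, not f.interactive, f.user))
    return findings, cracked, left

if __name__ == "__main__":
    found, cracked, left = parse_show(SAMPLE_SHOW_OUTPUT)
    print(f"{cracked} cracked, {left} not cracked")
    for f in found:
        print(f"{f.user}: length {f.length}, root={f.privileged}, login={f.interactive}")
```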
How do you secure passwords against the Ripper?
The best recommendation for defending against tools like John the Ripper is to have a strong password policy, require MFA, or use passkeys.
Again, the length is the key. It’s the most critical point you have to check. Unfortunately, poor security policies often lead users to predictable strategies and sometimes limit passwords to eight characters or less. However, whenever possible, use longer strings.
There are security products and open-source modules that can scan your databases and enforce the use of strong passwords, as well as prompt users to update them regularly. To ease the user experience with all of those complicated passwords, use a password manager to autofill credentials or explore SSO options.
Indeed, the best password is probably the one you can’t remember, as there are known techniques to build custom wordlists based on famous songs, artists, movies and other elements, including various combinations you might find clever.
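The julien2022 example earlier shows the pattern this section warns about: a dictionary word plus a year. The following added example (not from the original article) is a minimal screening check a defender could run when a user sets a password; the wordlist, the 12-character minimum and the function names are assumptions for illustration.

```python
import re

# Constructed mini wordlist; a real check would load a large list of common
# and breached passwords (an assumption, the article names no specific list).
WORDLIST = {"julien", "password", "summer", "dragon", "letmein"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article

LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# Leading/trailing digits and symbols (years, "!", "123") around a core word.
AFFIX_RE = re.compile(r"^[\d\W_]*(.*?)[\d\W_]*$", re.S)

def base_forms(password):
    """Undo the cheap mutations cracking rules apply to dictionary words."""
    lowered = password.lower()
    core = AFFIX_RE.match(lowered).group(1)
    return {lowered, core, lowered.translate(LEET), core.translate(LEET)}

def weak_reasons(password, wordlist=WORDLIST, min_length=MIN_LENGTH):
    """Return a list of reasons to reject the password; empty means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = sorted(base_forms(password) & set(wordlist))
    if hits:
        reasons.append(f"dictionary word '{hits[0]}' plus predictable mutation")
    return reasons

if __name__ == "__main__":
    for candidate in ("julien2022", "P@ssw0rd2026!", "violet-kettle-orbit-47"):
        print(candidate, "->", weak_reasons(candidate) or "accepted")
```

Note that "P@ssw0rd2026!" passes the length rule and is still rejected, which is why length checks and wordlist checks are used together.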
Bottom line: John the Ripper review
In my experience, John the Ripper deserves its reputation, with far more pros than cons.
Pros
- Easy to install and beginner-friendly (GUI version)
- Suitable for CPU-based cracking against smaller wordlists
- Supports a large range of encryption and formats
- Intelligence: uses sessions to remember previous results and can detect multiple hash types (Unix, Windows, Kerberos, etc.) and salts automatically
- Efficient when combined with open-source wordlists like SecLists
- Can be complemented with Johnny for those who prefer using a graphical user interface (GUI) instead of command lines
Cons
- Depends too much on the results of previous cyber attacks (e.g., leaks, stolen hash)
- Slower than Hashcat for GPU-based attacks
- Not optimized for distributed cracking during larger penetration test engagements
Frequently Asked Questions about John the Ripper in 2026
What is John the Ripper?
John the Ripper is an open-source password-cracking tool used to test password strength by attempting to recover passwords from hashes, encrypted files, and credential databases.
Is John the Ripper legal to use?
Yes, when used on systems, accounts, or data you own or have explicit authorization to test. Using John the Ripper against unauthorized targets may violate laws and organizational policies.
How does John the Ripper work?
John the Ripper compares password hashes against candidate passwords generated through dictionary attacks, brute-force methods, rules-based mutations, and custom wordlists until a match is found.
What file types can John the Ripper crack?
John the Ripper supports many formats, including ZIP and RAR archives, KeePass databases, SSH private keys, BitLocker volumes, GPG keys, macOS DMG files, and Linux password hashes.
Is John the Ripper better than Hashcat?
It depends on the use case. John the Ripper is known for its flexibility, ease of use, and broad format support, while Hashcat generally delivers faster performance for GPU-accelerated password cracking.
Can beginners use John the Ripper?
Yes. While command-line experience is helpful, John the Ripper is relatively beginner-friendly, and tools such as Johnny provide a graphical interface for users who prefer not to work directly in the terminal.
How can organizations defend against password-cracking tools?
Organizations should enforce strong password policies, require multifactor authentication (MFA), adopt passkeys where possible, use password managers, and regularly audit credentials for weak or compromised passwords.
Why do security teams use John the Ripper?
Security teams use John the Ripper to identify weak passwords, validate password policies, support penetration testing engagements, and better understand how attackers target credentials during real-world attacks.
Why John the Ripper still matters in 2026
John the Ripper remains a reliable and flexible password-cracking tool today. Its combination of multiple modes, broad file type support, and session handling features makes it valuable not only for penetration testers but also for IT professionals who want to audit password strength in real-world conditions.
While it’s powerful, the real takeaway isn’t about breaking passwords — it’s about understanding how weak credentials can be exploited. By experimenting with John the Ripper in a controlled lab environment, security teams can better appreciate the importance of strong, unique, and regularly updated passwords.
If you’re serious about penetration testing or security auditing, John the Ripper is an essential tool to learn — but always remember to use it ethically and responsibly.
This article was originally published in September 2025 and updated in June 2026.





