Passwords are the most attacked credential type in the world. Understanding how they get cracked makes you dramatically better at defending them. This project ran Hashcat against a set of extracted hashes in a lab environment — and the results were eye-opening.
Ethics first: Only ever run Hashcat against hashes you generated yourself or have explicit authorisation to test. Cracking hashes from systems you do not own is illegal. This project used hashes generated from known test passwords in an isolated VirtualBox lab.
How Password Hashing Works
When you set a password, the system does not store the password itself — it stores a hash: the output of a one-way mathematical function. When you log in, the system hashes your input and compares it to the stored hash. If they match, you're in.
Common hash types you will encounter:
- NTLM — used by Windows. Fast to compute, which makes it fast to crack.
- bcrypt — deliberately slow. Industry standard for web applications.
- MD5 — cryptographically broken and trivially crackable. Still widely found in legacy systems.
- SHA-256 — fast and used for file integrity, but not ideal for passwords without a slow work factor added.
Setting Up Hashcat
Hashcat runs on GPU, which is dramatically faster than CPU for cracking. On a modern GPU, it can test billions of MD5 hashes per second. Install from hashcat.net — it runs on Windows, Linux, and macOS.
Generate some test hashes in your lab:
# Generate NTLM hashes for known passwords (Linux). NTLM is an unsalted MD4
# digest of the UTF-16LE encoding of the password, which is why it cracks so fast.
echo -n "Password123" | iconv -f utf-8 -t utf-16le | openssl md4
# On OpenSSL 3.x, MD4 lives in the legacy provider; if the command above reports
# an unsupported digest, add: -provider legacy -provider default
# Or use Python (hashlib.new('md4') depends on the same OpenSSL build, so the
# same caveat applies)
python3 -c "import hashlib; print(hashlib.new('md4', 'Password123'.encode('utf-16le')).hexdigest())"
Attack Mode 0 — Wordlist Attack
The simplest and most effective attack. Hashcat takes a list of common passwords, hashes each one, and compares against your target hash.
hashcat -m 1000 -a 0 hashes.txt rockyou.txt
Where -m 1000 is the NTLM hash mode and rockyou.txt is the 14-million-entry password list from the 2009 RockYou breach. In my lab test, every "common" password (Password123, Summer2023!, Welcome1) cracked in under 2 seconds against NTLM.
Attack Mode 0 with Rules — Rule-Based Attack
Rules apply transformations to wordlist entries — capitalise the first letter, append a number, substitute letters for symbols. This is how "password" becomes "P@ssw0rd1!":
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
The best64.rule file applies the 64 most statistically effective transformations. This cracked every "leetspeak" variation of common words in my test set within minutes.
Attack Mode 6 — Hybrid (Wordlist + Mask)
Appends or prepends a mask pattern to each wordlist entry. Many corporate password policies require a number and a symbol, and users satisfy the minimum by tacking them onto the end of a word, creating predictable patterns:
# Try wordlist entries with 2 digits and 1 symbol appended
hashcat -m 1000 -a 6 hashes.txt rockyou.txt ?d?d?s
This cracked "summer23!" in 4 minutes despite it technically meeting a "strong" 9-character policy.
What the Results Revealed
Every hash I tested that used a real English word as its base — regardless of complexity rules applied — cracked within an hour. The passwords that did not crack quickly had two things in common:
- Genuine randomness — not words, not patterns, not dates
- Length > 16 characters — even a mediocre long passphrase (correct-horse-battery-staple style) resists wordlist attacks
Why This Matters for Security Policy
Most corporate password policies are security theatre. Requiring "at least 8 characters with uppercase, number, and symbol" produces passwords like Summer23! — which cracks in minutes. The actual recommendations from NIST SP 800-63B (now adopted in Australian cybersecurity guidance) are:
- Minimum 12 characters (longer is better)
- No mandatory complexity rules — they produce predictable patterns
- Block passwords that appear in breach databases
- MFA is more effective than any password complexity rule
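A defender-side check that encodes the recommendations above and flags the patterns the rule and hybrid attacks exploited earlier, as an added example that is not part of the original post. The breach list is a constructed stand-in for rockyou.txt, and the suffix pattern generalises the ?d?d?s mask to up to four digits followed by up to two symbols.

```python
import re

# Constructed mini breach list standing in for rockyou.txt (assumption: a real
# deployment would load the full list or query a breach-lookup service).
BREACHED = {"password", "welcome", "summer", "letmein", "qwerty", "monkey"}

# Undo the substitutions that best64-style rules apply ("P@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# The predictable tail a hybrid attack (-a 6 ... ?d?d?s) appends: up to four
# digits then up to two symbols at the very end of the password.
SUFFIX = re.compile(r"[0-9]{0,4}[!@#$%^&*?]{0,2}$")

def base_word(pw):
    """Strip the predictable suffix and reverse leetspeak to recover the base word."""
    core = SUFFIX.sub("", pw)
    return core.translate(LEET).lower()

def evaluate(pw, breached=BREACHED, min_len=12):
    """Return a list of findings; an empty list means no NIST-style objection."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if pw.lower() in breached:
        findings.append("appears verbatim in breach list")
    base = base_word(pw)
    if base != pw.lower() and base in breached:
        findings.append(f"breach word '{base}' plus predictable suffix/leetspeak")
    return findings

if __name__ == "__main__":
    for candidate in ["Summer23!", "P@ssw0rd1!", "correct-horse-battery-staple"]:
        print(candidate, "->", evaluate(candidate) or "OK")
```

Passwords the lab cracked in seconds (Summer23!, P@ssw0rd1!) are rejected for the same structural reason the attacks succeeded, while the long passphrase passes with no complexity rule at all.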
Running this project gave me first-hand evidence to back these recommendations in any interview or workplace conversation. It is one thing to read NIST guidance; it is another to watch "P@ssw0rd1" crack in 3 seconds.