TL;DR, What is John the Ripper?
John the Ripper is an open-source password security auditing and recovery tool.
DevSecOps and security teams constantly face the challenge of validating password policies and finding weak credentials before an attacker does. John the Ripper addresses this problem by giving you a way to audit and crack weak passwords across different systems. The tool empowers your teams to test their own defenses, ensure compliance, and prevent unauthorized access. By supporting hundreds of hash types—from modern algorithms to legacy formats—John the Ripper serves as a key tool for any open-source password audit, making sure no system is left unchecked.
Openwall originally built the tool for Unix-based systems, but John the Ripper has since grown into a multi-platform solution for Windows, macOS, and Linux.
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
At-A-Glance
GitHub: https://github.com/openwall/john
License: GPL‑2.0
Primary Language: C
Stars: 12k ⭐
Last Release: 1.9.0-jumbo-1
Topics/Tags: password-cracker, security, auditing, forensics
Common use cases
1. Security Auditing and Policy Enforcement: You can use John the Ripper as a password audit tool to test the strength of your users' passwords. By running the tool against your own password databases, you can identify weak or common credentials that violate security policies. Auditing passwords helps with policy enforcement by providing clear data on non-compliant accounts, letting IT teams require password changes before an attacker can exploit them. Performing this audit is a key part of maintaining a strong security posture.
2. Penetration Testing and Red Teaming: Penetration testers and red teams use John the Ripper for post-exploitation activities. After gaining initial access and extracting password hashes from a system, testers use the tool to crack those hashes. Successfully cracking passwords lets them show the impact of a breach, escalate privileges, move across the network, and access sensitive data.
3. Incident Response and Digital Forensics: During a security incident investigation, forensic analysts might recover password hashes from compromised systems or malware. Analysts use John the Ripper to crack these hashes and uncover the attacker's credentials. Recovering credentials helps you understand the attacker's movements, identify other compromised accounts, determine the scope of the breach, and learn about the attacker's methods.
4. Administrative Password Recovery: Beyond security testing, John the Ripper also serves an administrative function. System administrators can use the tool to recover passwords for encrypted files, archives, or local system accounts when a password has been lost. Recovering lost passwords can help you regain access to critical business data or legacy systems where a password reset isn't possible, preventing data loss and downtime.
5. Automated DevSecOps Integration: You can add John the Ripper into your CI/CD pipelines to perform automated security checks. The process can involve testing default application passwords or validating the strength of hashing algorithms. Doing so helps you catch and fix security flaws early in development.
How does John the Ripper work?
John the Ripper begins by reading password hashes from an input file. The tool's detection engine automatically identifies the hash format, though you can also specify the format manually. Based on your selected attack mode—such as a wordlist or incremental brute-force—the core engine generates password candidates. Each candidate is then hashed and compared against the target hashes. A successful match is logged, and the process continues until all candidates are checked.
Versatile Cracking Modes: JtR uses multiple attack strategies, from dictionary-based attacks (wordlist mode) and simple transformations (single mode) to brute-force (incremental mode) and custom rule-based attacks (external mode).
Modular Hash Support: The tool's architecture uses format-specific modules to handle many hash types, from legacy Unix DES to modern algorithms.
Performance Optimization: To speed up cracking, the tool uses advanced CPU instructions (SIMD) and can offload heavy computations to GPUs using OpenCL for compatible formats.
Session & Results Management: JtR automatically saves its progress, letting you pause and resume cracking sessions. The tool stores all recovered passwords in a central "pot file" to avoid re-cracking them.
Core Capabilities:
1. Comprehensive Hash and Cipher Support: John the Ripper is known for its compatibility with hundreds of hash and cipher types. John the Ripper's compatibility includes formats from Unix/Linux systems (DES, MD5, SHA-512), Windows (LM, NTLM), databases (MySQL, Oracle), and web applications like WordPress and Drupal. The tool can also crack passwords for encrypted files like ZIP, RAR, and PDF, and even private SSH keys. Such broad support makes John the Ripper a key open-source password audit tool for different types of IT systems, letting security teams consolidate their testing efforts. The community-driven "jumbo" version expands this support to keep the tool current with new standards and application formats.
2. Advanced and Flexible Attack Modes: The tool offers a suite of attack strategies for different scenarios. "Single crack" mode quickly tests for simple passwords based on username information. "Wordlist" mode, a common strategy, uses dictionaries and a rules engine to apply mutations like character substitutions, case changes, and adding numbers. For unknown password patterns, "incremental" mode performs a brute-force attack across a defined character set. Finally, "external" mode provides more flexibility by letting you define custom attack logic using scripts. A multi-modal approach lets security professionals create customized and efficient cracking sessions that match specific password policies or attacker techniques.
3. High-Performance Hardware Acceleration: To reduce the time needed for password cracking, John the Ripper uses SIMD instruction sets like AVX2 and AVX-512 for CPU-based acceleration. John the Ripper also has OpenCL support, letting it offload the heavy workload to GPUs, which can test billions of password candidates per second. The software automatically detects and uses available hardware, including multiple CPU cores and GPUs. You can even configure it for distributed cracking across a network of machines.
4. Robust Session Management: Password cracking can be a long process, sometimes running for days or weeks. John the Ripper addresses this issue with its session management features. John the Ripper automatically saves its progress, letting an operator pause and resume a cracking session at any time without losing work. All cracked passwords are saved to a central "pot file" (john.pot), which prevents the tool from re-cracking known passwords. During a session, you can get real-time status updates, including cracking speed, the number of hashes cracked, and the estimated time to completion.
5. Extensible Architecture: John the Ripper is designed to be modular and extensible. You can customize its behavior through configuration files and user-defined rule sets. For integration into larger security workflows, the tool provides a command-line interface and structured output, making it easy to add John the Ripper into automated security testing pipelines or custom forensic analysis scripts. A key part of its ecosystem is the collection of `*2john` helper scripts, which extract hash data from many file types and applications, from office documents to database backups.
Limitations
1. Steep Learning Curve: John the Ripper is a command-line tool with many options, modes, and configuration settings. For newcomers, understanding the syntax for different attack modes, creating custom rules, and using the `*2john` utilities correctly can be a challenge. You will likely need to study the documentation or find a tutorial to use the tool well.
2. Requires Elevated System Privileges: Auditing system passwords requires access to the password hashes. On most operating systems, hashes are stored in protected files, like the `/etc/shadow` file on Linux or the SAM database on Windows. To access and extract these files, an operator must have administrator or root-level privileges on the target system. This requirement is not a flaw in the tool, but rather an operational necessity that limits its use to authorized staff.
3. Computationally Resource-Intensive: Modern password hashing algorithms are designed to be slow to resist brute-force attacks. As a result, running John the Ripper, especially against strong hashes, is a resource-intensive task. The tool can use all the power of multi-core CPUs and high-end GPUs for long periods, consuming a lot of electricity. Large-scale audits may require dedicated hardware to finish in reasonable time.
4. Effectiveness is Input-Dependent: The tool's success depends on the quality of the inputs you provide. In wordlist mode, its effectiveness relies entirely on the quality of the dictionary files used. If a password isn't in the wordlist or can't be generated by the applied rules, the attack will fail. Likewise, poorly made rules or an incorrect character set in incremental mode will waste resources and may not find the correct password.
5. Lacks a Native Graphical User Interface (GUI): John the Ripper is designed as a command-line utility and does not have an official graphical user interface. While third-party GUI wrappers like "Johnny" exist, they may not offer all the core tool's advanced features, and they might not be as up-to-date. The CLI-first approach, while good for scripting and experienced users, can make John the Ripper less accessible for users who prefer a visual interface.
Running John the Ripper to audit password strength is a great first step, but to prioritize the results, you need cloud context. While John the Ripper tells you which passwords are weak, Wiz shows you which ones pose a genuine risk. By connecting a weak credential to its cloud permissions and potential attack paths to sensitive data, you can immediately see and fix the exposures that truly matter.
Getting Started:
Step 1: Download the latest John the Ripper source or binaries for your platform from https://www.openwall.com/john/ or the official GitHub releases
Step 2: If you are using the source code, extract the archive and compile John using:
./configure
make
Step 3: To run John for the first time on a password file, use:
john passwd - Replace 'passwd' with the path to your password file
Step 4: Review cracked passwords after the run with:
john --show passwd
Step 5: For more information, read the documentation in the 'doc' directory or run:
john --help
FAQs
Verified John the Ripper User Reviews
Positive Reviews
"John the ripper is basically best and stable tool for zip, txt etc ... but its one condition your cpu much stable for this tool. If u have so then john is the universal of everything ❤️" [Mission-Swing-4247] - r/KaliLinux_Hacking
Negative Reviews
For starts, I would recommend moving to hashcat over johntheripper. With even a very modest GPU, hashcat will blow jtr out of the water when it comes to speed." rexstuff1 - r/AskNetsec
Alternatives
| Tool | John the Ripper | Hashcat |
|---|---|---|
| Primary Focus | CPU-based password cracking with GPU support | GPU-based password cracking with CPU support |
| License | GPL-2.0 | MIT |
| Primary Language | C | C |
| Actively Maintained | Yes | Yes |
| Key Features | Cross-platform supportMultiple attack modes (single, wordlist, incremental, external)Automatic hash type detectionSession management | Highly optimized for GPU crackingOver 300 supported hash algorithmsMultiple attack modesDistributed cracking support |
| Official Website | https://www.openwall.com/john/ | https://hashcat.net/hashcat/ |