← Back to DevBytes

John the Ripper: Setup, Configuration, and Best Practices

Introduction to John the Ripper

John the Ripper (often abbreviated as JtR) is one of the most widely used and respected password cracking and auditing tools in the cybersecurity world. Originally developed for Unix-based systems, it has evolved into a multi-platform, multi-hash powerhouse capable of cracking dozens of different password hash types. At its core, John the Ripper is an offline password cracker that takes a hash file as input and attempts to discover the plaintext password through various attack modes including dictionary attacks, brute-force attacks, and rule-based permutations.

The tool was first released in 1996 and has been actively maintained ever since, with the "Jumbo" version incorporating community patches that expand its capabilities dramatically. It supports cracking passwords from operating system shadow files, password-protected archives, encrypted documents, database dumps, and many more sources.

Why John the Ripper Matters

Understanding John the Ripper is essential for several reasons:

John the Ripper matters because it bridges the gap between theoretical password security and practical attack vectors. A password that looks "strong" on paper may be trivial to crack when subjected to modern rule-based attacks with GPU acceleration.

Installation and Setup

🚀 Deploy your AI agent in 10 minutes

Managed Hermes hosting. Zero DevOps. 100M tokens/mo included.

Try it free →

Installing from Source on Linux/macOS

The recommended method is compiling from the latest source, which ensures you get all bleeding-edge features and optimizations for your specific hardware:

# Clone the Jumbo version (recommended for most users)
git clone https://github.com/openwall/john.git
cd john/src

# Choose the appropriate make target
# For Linux with x86_64 and SSE2 support:
make clean && make -s CFLAGS="-O2 -march=native" -j$(nproc)

# For macOS:
make clean && make macosx-x86-64

# For Linux with AVX/AVX2 support:
make clean && make -s CFLAGS="-O2 -mavx2 -march=native" -j$(nproc)

# After compilation, verify the binary works:
../run/john --help

Installing via Package Managers

For quick setups, package managers work well but may ship slightly older versions:

# Ubuntu/Debian
sudo apt update && sudo apt install john

# Fedora/RHEL
sudo dnf install john

# Arch Linux
sudo pacman -S john

# macOS with Homebrew
brew install john-jumbo

GPU Acceleration Setup

For GPU-accelerated cracking (OpenCL/CUDA), you need additional dependencies:

# Install OpenCL drivers (example for NVIDIA on Ubuntu)
sudo apt install nvidia-opencl-dev ocl-icd-opencl-dev

# For AMD GPUs, install ROCm or AMDGPU-PRO drivers
# Then configure and compile with OpenCL support

cd john/src
./configure --enable-opencl
make -s -j$(nproc)

After installation, verify OpenCL support is detected:

../run/john --list=opencl-devices

If you see your GPU listed, you're ready to leverage hardware acceleration for supported hash types.

Core Configuration

Understanding john.conf

The main configuration file is john.conf, located in the run/ directory. This file controls virtually every aspect of John's behavior — from wordlist paths and default rules to attack mode parameters and output formatting. The configuration uses a section-based INI-style syntax with square brackets defining sections and their associated parameters.

# Locate your configuration file
../run/john --help | grep "config"
# Typically: /path/to/john/run/john.conf

# View current sections
cat ../run/john.conf | grep "^\[" | head -20

Essential Configuration Sections

[Options] Section — Controls default behaviors when no command-line flags override them:

[Options]
# Default wordlist path (relative to john's run directory)
Wordlist = $JOHN/password.lst

# Enable idle output to see progress even when idle
Idle = Y

# Save progress every N seconds
Save = 600

# Log file location
LogFile = $JOHN/john.log

[Incremental:ASCII] Section — Defines the character set and length parameters for brute-force incremental mode:

[Incremental:ASCII]
File = $JOHN/ascii.chr
MinLen = 1
MaxLen = 13
CharCount = 95

You can create custom incremental modes for specific cracking scenarios. For example, a mode targeting alphanumeric passwords between 6 and 9 characters:

[Incremental:AlphaNum]
File = $JOHN/alnum.chr
MinLen = 6
MaxLen = 9
CharCount = 62
# 62 = a-z (26) + A-Z (26) + 0-9 (10)

Custom Rule Definitions

Rules are defined in the [List.Rules:rulename] sections. Here's a practical custom rule set for common password mutations:

[List.Rules:CommonMutations]
# Append common suffixes
$1$2$3
$0$1$2
$!$@$#
# Capitalize first letter and append year
c $2$0$2$4
# Leet speak substitutions
sas
sbs8
ses3
sis1
sos0
sts7
# Append single digit
$0
$1
$2
$3
$4
$5
$6
$7
$8
$9
# Prepend digit
^0
^1
^2
^3

Each line in a rule section represents a transformation applied to each word from the wordlist. The syntax uses single-character commands: $ appends a character, ^ prepends, c capitalizes, s substitutes characters, and brackets allow character classes like $[0-9] for appending any digit.

Working with Hash Files

Identifying Hash Types

Before cracking, you must identify the hash format. John can often auto-detect hash types, but explicit specification is more reliable:

# List all supported hash formats
../run/john --list=formats | head -30

# Let John attempt to auto-detect hash type in a file
../run/john --show=formats hashes.txt

# Common hash format identifiers you'll use often:
# Raw-MD5, Raw-SHA1, Raw-SHA256, Raw-SHA512
# NT (Windows NTLM)
# LM (Windows LM hashes)
# EPI, PDF, ZIP, RAR (encrypted documents/archives)
# bcrypt, sha512crypt ($6$ Unix crypt)
# PBKDF2-HMAC-SHA256, Bitcoin

Preparing Hash Files

Hash files must be in the format John expects. For standard Unix shadow files, the format is typically username:hash:

# Example: users.txt
alice:$6$salt$hashvalue
bob:$6$salt$hashvalue
charlie:$6$salt$hashvalue

# For raw hashes without usernames, simply place one hash per line:
cat raw_hashes.txt
# Output:
5d41402abc4b2a76b9719d911017c592
7b6a7c8c8e0b3c7d6e5f4a3b2c1d0e9f

For Windows NTLM hashes extracted from SAM dumps, use the format username:hash or just the hash portion:

# Typical output from tools like secretsdump.py or mimikatz
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe6750951308c0e4e7af:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

For cracking, extract only the NT hash (the long portion after the second colon) or use a tool like john with the --format=NT flag which knows how to parse these lines.

Attack Modes and Usage Examples

1. Wordlist (Dictionary) Mode

The simplest and fastest attack mode. John takes each word from a wordlist, optionally applies rules, and tests the resulting candidate against all loaded hashes:

# Basic wordlist attack with the default wordlist
../run/john hashes.txt

# Specify a custom wordlist
../run/john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Specify hash format explicitly (more reliable)
../run/john --format=Raw-SHA256 --wordlist=rockyou.txt sha256_hashes.txt

# Apply rules during wordlist attack
../run/john --wordlist=rockyou.txt --rules=CommonMutations hashes.txt

# Use multiple wordlists and apply rules
../run/john --wordlist=rockyou.txt --rules=Jumbo --format=NT ntlm_hashes.txt

2. Single Crack Mode

This mode derives password candidates from the username and other GECOS fields. It's fast and often surprisingly effective:

# Run single crack mode (format must be user:hash)
../run/john --single users_with_hashes.txt

# Single crack with format specification
../run/john --single --format=sha512crypt shadow_file.txt

3. Incremental (Brute-Force) Mode

Incremental mode systematically tries every character combination within defined parameters. Use this as a last resort for short passwords:

# Standard incremental mode with default ASCII charset
../run/john --incremental hashes.txt

# Use a specific incremental mode defined in john.conf
../run/john --incremental=AlphaNum hashes.txt

# Limit incremental mode to specific length range
../run/john --incremental --min-length=6 --max-length=8 hashes.txt

# Incremental with format and session naming for resumability
../run/john --incremental --format=Raw-MD5 --session=md5_incr hashes.txt

4. Mask Mode (Hybrid Brute-Force)

Mask mode lets you define a pattern with placeholders, dramatically reducing the search space compared to full incremental attacks:

# Mask syntax: ?w = wordlist word, ?d = digit, ?s = special char
# ?l = lowercase letter, ?u = uppercase, ?a = any char

# Wordlist word followed by two digits (e.g., "password99")
../run/john --mask='?w?d?d' --wordlist=rockyou.txt hashes.txt

# Known pattern: 6 lowercase letters followed by 4 digits
../run/john --mask='?l?l?l?l?l?l?d?d?d?d' hashes.txt

# Custom charset: uppercase + digits, exactly 8 chars
../run/john --mask='[A-Z0-9]' --mask-length=8 hashes.txt

# Wordlist hybrid: prepend "Password" + word from list
../run/john --mask='Password?w' --wordlist=rockyou.txt hashes.txt

# Complex pattern: common prefix + 4 lowercase + 2 digits + 1 special
../run/john --mask='MyCompany?l?l?l?l?d?d?s' hashes.txt

5. PRINCE Mode

PRINCE (PRobability INfinite Chained Elements) is an advanced wordlist-based combinator attack that builds candidate passwords by combining word fragments probabilistically:

# Basic PRINCE attack
../run/john --prince=rockyou.txt hashes.txt

# PRINCE with password length limits
../run/john --prince=rockyou.txt --prince-min-length=8 --prince-max-length=12 hashes.txt

# PRINCE with custom rule filtering
../run/john --prince=rockyou.txt --prince-wordlist-max-word-length=10 hashes.txt

6. External Mode (Custom Scripting)

For highly specialized attacks, John allows custom C-like scripts in the configuration file under [List.External:name] sections:

# Define a custom external mode in john.conf
[List.External:KeyboardWalk]
# Generate keyboard walk patterns (qwerty-style sequences)
# This is a simplified example - actual keyboard walk logic would be more complex

void init() {
    /* Called once at startup */
}

int filter() {
    /* Return 0 to skip candidate, 1 to try it */
    return 1;
}

void generate() {
    /* Generate candidate passwords */
    word[0] = 'q'; word[1] = 'w'; word[2] = 'e';
    word[3] = 'r'; word[4] = 't'; word[5] = 'y';
    word[6] = 0; /* Null terminate */
}

# Use the external mode
../run/john --external=KeyboardWalk hashes.txt

Session Management and Resuming

John automatically saves progress, but explicit session management gives you fine-grained control:

# Start a named session
../run/john --session=ntlm_audit --format=NT --wordlist=rockyou.txt ntlm.txt

# Resume a previous session
../run/john --restore=ntlm_audit

# Show status of a running/paused session
../run/john --status=ntlm_audit

# List all saved sessions
ls -la ../run/john.rec* ../run/john.log*

# Show cracked passwords from a session without restarting
../run/john --show --format=NT ntlm.txt
# Output format: username:password:::

# Show all cracked passwords with their hashes
../run/john --show=types ntlm.txt

# Export cracked passwords to a file
../run/john --show --format=NT ntlm.txt > cracked_passwords.txt

Advanced Techniques

Using Custom Charsets

Create custom character sets in .chr files for incremental mode to target specific password patterns:

# Generate a charset file from cracked passwords
../run/john --make-charset=custom.chr --wordlist=cracked_passwords.txt

# The charset file contains frequency data for character transitions
# Use it in john.conf:
[Incremental:Custom]
File = $JOHN/custom.chr
MinLen = 6
MaxLen = 12
CharCount = 72

# Run with the custom charset
../run/john --incremental=Custom hashes.txt

Loopback and Feedback Attacks

Use previously cracked passwords as a wordlist for further cracking. Cracked passwords often follow similar patterns within an organization:

# First pass: standard wordlist attack
../run/john --wordlist=rockyou.txt --format=NT ntlm.txt

# Extract cracked passwords to a pot file wordlist
../run/john --show --format=NT ntlm.txt | awk -F: '{print $2}' > cracked_words.txt

# Second pass: use cracked passwords as wordlist with rules
../run/john --wordlist=cracked_words.txt --rules=Single --format=NT ntlm.txt

# John's --loopback flag automates this:
../run/john --loopback --format=NT ntlm.txt

Multi-GPU Configuration

When running with multiple GPUs, configure john.conf to distribute workload efficiently:

[Options]
# Specify which OpenCL devices to use (comma-separated indices)
OpenCLDevice = 0,1,2

# Alternatively, specify device types
# OpenCLDeviceType = GPU  # Use only GPUs
# OpenCLDeviceType = CPU  # Use only CPUs
# OpenCLDeviceType = ALL  # Use all available

# Set global work size for GPU kernels (higher = more parallelism)
# Adjust based on your GPU's capabilities
GlobalWorkSize = 4096

# Local work size (must divide GlobalWorkSize evenly)
LocalWorkSize = 64

# Mask mode GPU acceleration
AccelMask = Y

# Wordlist mode GPU acceleration
AccelWordlist = Y

For heterogeneous GPU setups, you may want to run separate John instances:

# Run separate instances for different GPUs
# Terminal 1 - GPU 0
../run/john --format=sha256crypt --wordlist=rockyou.txt --dev=0 hashes.txt

# Terminal 2 - GPU 1
../run/john --format=sha256crypt --wordlist=rockyou.txt --dev=1 hashes2.txt

# Use different wordlists or attack modes per device
../run/john --format=sha256crypt --incremental --dev=0 hashes.txt
../run/john --format=sha256crypt --wordlist=rockyou.txt --rules=Jumbo --dev=1 hashes.txt

Performance Tuning and Optimization

Benchmarking Your System

Always benchmark before starting a large cracking job to understand expected speeds:

# Benchmark all formats (takes time but comprehensive)
../run/john --test

# Benchmark a specific format
../run/john --test --format=sha256crypt

# Benchmark with OpenCL (GPU)
../run/john --test --format=sha256crypt --dev=0

# Benchmark multiple formats for comparison
../run/john --test --format=Raw-MD5,NT,sha512crypt

# Benchmark with specific time limit per format
../run/john --test --format=bcrypt --max-time=30

# Sample benchmark output interpretation:
# Raw-MD5: 45000K c/s  - 45 million cracks per second
# NT:      35000K c/s  - 35 million cracks per second  
# sha512crypt: 2500 c/s - Very slow hash, only 2500 per second

Optimizing for Speed

# Compile with aggressive optimizations
make clean && make -s CFLAGS="-O3 -march=native -mtune=native -funroll-loops" -j$(nproc)

# Use the fastest available SIMD instruction set
# Check CPU capabilities:
cat /proc/cpuinfo | grep -E "avx|sse|flags" | head -5

# Compile with AVX-512 if supported:
make clean && make -s CFLAGS="-O3 -mavx512f -mavx512bw -mavx512dq -march=native" -j$(nproc)

# For GPU cracking, increase work sizes in john.conf:
[Options]
GlobalWorkSize = 8192
LocalWorkSize = 128

# Reduce overhead for fast hashes by increasing buffer sizes
# In john.conf, adjust the [Options] section:
MaxCandsBuffer = 10000000

# For wordlist attacks, pre-sort and optimize your wordlist:
sort -u rockyou.txt | uniq > rockyou_sorted.txt
# Remove duplicates to avoid redundant work
wc -l rockyou.txt rockyou_sorted.txt

Practical Cracking Scenarios

Scenario 1: Auditing Windows NTLM Hashes

# 1. Obtain NTLM hashes (from domain controller dump or local SAM)
# Example file: ntlm_dump.txt with format user:RID:LM:NT::: 

# 2. Extract just the NT hash portion
cat ntlm_dump.txt | awk -F: '{print $1":"$4}' > ntlm_clean.txt

# 3. Run wordlist attack with common mutations
../run/john --format=NT --wordlist=rockyou.txt --rules=Jumbo ntlm_clean.txt

# 4. Follow up with mask attack for any remaining hashes
../run/john --format=NT --mask='?u?l?l?l?l?d?d?d' ntlm_clean.txt

# 5. Check results
../run/john --show --format=NT ntlm_clean.txt

# 6. Generate report
../run/john --show --format=NT ntlm_clean.txt > audit_report.txt
echo "Cracked: $(grep -c ':' audit_report.txt) / $(wc -l < ntlm_clean.txt)"

Scenario 2: Cracking ZIP File Passwords

# 1. Extract the hash from a password-protected ZIP
../run/zip2john protected.zip > zip_hash.txt

# zip2john output format: protected.zip:$zip2$*0*3*0*b6d2...*$/zip2$

# 2. Run a targeted attack
../run/john --format=PKZIP --wordlist=rockyou.txt zip_hash.txt

# 3. If wordlist fails, try mask mode for common patterns
../run/john --format=PKZIP --mask='?d?d?d?d?d?d' zip_hash.txt  # 6-digit PIN
../run/john --format=PKZIP --mask='?d?d?d?d?d?d?d?d' zip_hash.txt # 8-digit

# 4. Use incremental for short passwords
../run/john --format=PKZIP --incremental=Digits --min-length=4 --max-length=8 zip_hash.txt

# 5. Once cracked, the password is displayed
../run/john --show --format=PKZIP zip_hash.txt

Scenario 3: Cracking Linux Shadow Passwords

# 1. Combine passwd and shadow files (requires root access typically)
sudo unshadow /etc/passwd /etc/shadow > combined.txt

# 2. Identify hash types in use
grep -oP '\$\d\$' combined.txt | sort | uniq -c
# $1$ = MD5 crypt, $5$ = SHA256 crypt, $6$ = SHA512 crypt
# $2a$ or $2b$ = bcrypt, $y$ = yescrypt

# 3. Crack SHA512 crypt hashes (slow - plan accordingly)
../run/john --format=sha512crypt --wordlist=rockyou.txt --rules=Jumbo combined.txt

# 4. For bcrypt (even slower), use GPU acceleration
../run/john --format=bcrypt --wordlist=rockyou.txt --dev=0 combined.txt

# 5. Monitor progress periodically
../run/john --status

# 6. Check cracked passwords
../run/john --show --format=sha512crypt combined.txt

Scenario 4: Cracking PDF Passwords

# 1. Extract hash from PDF
../run/pdf2john.pl document.pdf > pdf_hash.txt

# Alternative if pdf2john.pl is not in your build:
../run/pdf2john document.pdf > pdf_hash.txt

# 2. Crack with targeted wordlist
../run/john --format=PDF --wordlist=rockyou.txt pdf_hash.txt

# 3. Common PDF password patterns (often short)
../run/john --format=PDF --mask='?d?d?d?d?d?d' pdf_hash.txt
../run/john --format=PDF --mask='?l?l?l?l?d?d' pdf_hash.txt
../run/john --format=PDF --incremental=Digits --min-length=4 --max-length=10 pdf_hash.txt

Best Practices

1. Always Obtain Proper Authorization

Never crack passwords on systems you don't own or have explicit written permission to test. Password cracking without authorization is illegal in most jurisdictions and violates computer fraud laws. Always document the scope of your engagement and obtain sign-off from system owners before running John the Ripper against production hash files. Keep audit trails of your activities:

# Document your cracking session
echo "Session started: $(date)" > audit_log.txt
echo "Scope: Internal password audit per ticket SEC-2024-001" >> audit_log.txt
echo "Systems: Development server hashes only" >> audit_log.txt

# Run John with logging
../run/john --session=authorized_audit --format=NT --wordlist=rockyou.txt hashes.txt \
    2>&1 | tee -a audit_log.txt

2. Secure Hash Storage and Transport

Hash files are sensitive — treat them as you would treat the passwords themselves. Never store hash files in shared directories, version control systems, or cloud storage without encryption:

# Encrypt hash files at rest
gpg --symmetric --cipher-algo AES256 hashes.txt
# Now only hashes.txt.gpg exists; delete original
shred -u hashes.txt

# Decrypt only when needed for cracking
gpg --decrypt hashes.txt.gpg > hashes.txt

# Use encrypted filesystems for working directories
# Clean up after cracking session is complete
shred -u hashes.txt cracked_passwords.txt
rm -f *.rec *.log

3. Use Appropriate Attack Order

Structure your attacks from fastest to slowest to maximize efficiency:

  1. Single Crack Mode — Exploits username/password similarities; nearly instant
  2. Wordlist Attack — Try known passwords; fast and high-yield
  3. Wordlist + Rules — Apply mutations to wordlist entries; still relatively fast
  4. PRINCE Mode — Probabilistic word combination; effective for human-generated passwords
  5. Mask Attack with Patterns — Target known password composition rules
  6. Incremental Mode (limited length) — Brute-force short passwords
  7. Full Incremental Mode — Last resort for long, complex passwords
# Example attack sequence script
#!/bin/bash

HASHES="ntlm_hashes.txt"
FORMAT="NT"
WORDLIST="/usr/share/wordlists/rockyou.txt"

# Phase 1: Single crack (fast, low hanging fruit)
echo "[*] Phase 1: Single crack mode"
../run/john --single --format=$FORMAT $HASHES

# Phase 2: Wordlist
echo "[*] Phase 2: Wordlist attack"
../run/john --wordlist=$WORDLIST --format=$FORMAT $HASHES

# Phase 3: Wordlist + common rules
echo "[*] Phase 3: Wordlist with rules"
../run/john --wordlist=$WORDLIST --rules=Jumbo --format=$FORMAT $HASHES

# Phase 4: Mask for common patterns
echo "[*] Phase 4: Mask attack - 8 char alphanumeric"
../run/john --mask='[A-Za-z][A-Za-z][A-Za-z][A-Za-z][A-Za-z][A-Za-z]?d?d' \
    --format=$FORMAT $HASHES

# Phase 5: Loopback with cracked passwords
echo "[*] Phase 5: Loopback feedback"
../run/john --loopback --format=$FORMAT $HASHES

# Show final results
echo "[*] Final results:"
../run/john --show --format=$FORMAT $HASHES

4. Monitor and Manage Resources

Password cracking is resource-intensive. Monitor system temperatures and resource usage, especially with GPU acceleration:

# Monitor GPU temperature (NVIDIA)
nvidia-smi --query-gpu=temperature.gpu --format=csv,noheader -l 5 &

# Monitor CPU temperature (Linux)
sensors -f 10 &

# Set CPU affinity to avoid starving other processes
taskset -c 0-3 ../run/john --format=sha512crypt --wordlist=rockyou.txt hashes.txt

# Use nice to lower priority
nice -n 19 ../run/john --format=sha512crypt --incremental hashes.txt

# For long-running jobs, use tmux/screen to persist sessions
tmux new-session -s john_crack
# Inside tmux:
../run/john --session=tmux_session --format=bcrypt --wordlist=rockyou.txt hashes.txt
# Detach with Ctrl+B, D; reattach with: tmux attach -t john_crack

5. Create and Curate Custom Wordlists

Generic wordlists are good starting points, but targeted wordlists dramatically improve success rates:

# Scrape organization-specific terms from public sources
cewl https://company-website.com -w company_terms.txt --depth 2

# Combine multiple sources
cat company_terms.txt employee_names.txt project_codes.txt > targeted.txt

# Sort, deduplicate, and filter by length
sort -u targeted.txt | awk 'length($0) >= 6' > targeted_filtered.txt

# Add common permutations to your wordlist
../run/john --wordlist=targeted_filtered.txt --rules=Jumbo --stdout > expanded_wordlist.txt

# Use expanded wordlist for future attacks
../run/john --wordlist=expanded_wordlist.txt --format=NT new_hashes.txt

# Periodically update with newly cracked passwords
../run/john --show --format=NT ntlm.txt | awk -F: '{print $2}' >> my_wordlist.txt
sort -u my_wordlist.txt -o my_wordlist.txt

6. Understand Hash Speed Implications

Different hash algorithms have vastly different cracking speeds. Plan your attack strategy accordingly:

# Check speed before planning attack scope
../run/john --test --format=bcrypt --max-time=10

# For slow hashes, pre-generate candidate list and estimate time:
../run/john --wordlist=rockyou.txt --rules=Jumbo --stdout | wc -l
# If bcrypt does 10 c/s and you have 10 million candidates:
# Time = 10,000,000 / 10 = 1,000,000 seconds ≈ 11.5 days

# For slow hashes, use --max-candidates to limit scope:
../run/john --format=bcrypt --wordlist=rockyou.txt --max-candidates=50000 hashes.txt

7. Regularly Update and Patch

John the Ripper is actively developed. New hash formats, GPU optimizations, and attack modes are added frequently:

# Update from git regularly
cd john
git pull origin master
cd src
make clean && make -s CFLAGS="-O3 -march=native" -j$(nproc)

# Check version
../run/john --help | head -3

# Verify new formats are available
../run/john --list=formats | wc -l
# Compare with previous count to see new additions

8. Never Crack Live Production Passwords Directly

Always work on copies of hash files in isolated environments. Never run John the Ripper on a live authentication server or production database:

# Create an isolated working environment
mkdir -p /secure/cracking_workspace
chmod 700 /secure/cracking_workspace
cd /secure/cracking_workspace

# Copy hashes to workspace (never modify originals)
cp /path/to/hash_dump.txt ./hashes.txt
chmod 600 ./hashes.txt

# Run all cracking operations from this isolated directory
../path/to/john/run/john --session=isolated_audit hashes.txt

# Destroy workspace after audit is complete
shred -u ./hashes.txt ./john.pot ./john.rec ./john.log
rm -rf /secure/cracking_workspace

9. Document and Report Responsibly

When conducting password audits, report aggregate statistics rather than individual cracked passwords:

# Generate statistics without exposing passwords
../run/john --show --format=NT hashes.txt | awk -F: '{
    pw=$2;
    if(length(pw) < 8) weak_length++;
    if(pw ~ /^[a-z]+$/) lowercase_only++;
    if(pw ~ /^[0-9]+$/) digits_only++;
    total++;
}
END {
    print "Total cracked:",

🚀 Need a reliable AI agent for your project?

Deploy Hermes Agent in 10 minutes. Managed hosting, zero DevOps.

Get Started — $23.99/mo
← Back to all articles