How many times have we forgotten a particular application password? Also, ever wondered why most applications insist on having an upper case, lower case, a special character, and a number. It is to reduce the vulnerability of the password to the hackers. Password cracking is one of the common ways to hack into a person’s secured information illegally. Hence, a tool to defend the same is needed. That’s the reason Hashcat was introduced. It is a password cracker application to check the security of your password. Alternatively, it is also called a password recovery tool. 

  1. Hashcat Uses
  2. How does hashcat work?
  3. Hashcat examples

1. Hashcat Uses

Even though it is a password retrieval tool but the purpose it is used for makes all the difference. Unfortunately, it is used for not only legitimate but illegal purposes as well. Let’s find out how it benefits legally, though :

  • Strength of a Password 

This tool helps the users to check the tenacity of their passwords for important applications and keep their information secure from hackers. 

  • Spying for criminal transactions

While it is used by criminals to undergo unauthorized transactions, it can be used against the criminals to get a hold of their illegal transactions. It can be used to spy on any person who is under the scan for criminal activities.

  • Testing and Review of Internal control systems 

Companies enter into a contract with penetration testers who try to hack the companies passwords intentionally to check their strength. Such penetration users enter the company network to recover stolen passwords or check any holes in the password internal control.

2. How does hashcat work?

  • The first and foremost, and most simple way is to guess the password. It can be done through the tools like Dictionary, brute-force attacks, rainbow tables, lookup tables, etc. 
  • After this, the readable passwords are converted into multiple hashes with different hash keys like SHA, WHIRLPOOL, MD5, etc.
  • Then these hashes are compared to the actual hashes that are being cracked, and if they match then, that means the password is revealed. Otherwise, the guessing game continues. 

3. Hashcat examples


It involves an uppercase, a lower case, a symbol, and numbers. So, for example, if we have a password of Deal303, then that is based on 7 characters, and we would have to try and find the password with similar combinations, which would be approximately 95 * 7 combinations  Since we have numbers at the end it does eliminate certain possibilities. Also, it’s a common fact most of the time, uppercase letters are used in first letters rather than second or third. 

This hashcat attack basically works on the assumption that it already knows about the behavioral pattern of humans while choosing passwords.

With mask attack, you can input the masking options you want and specify the same. Then the hashcat will be applied to the particular specified mask files, and attacks will run accordingly. 


A combinator attack involves two dictionaries or wordlist, and words are taken from each of them and merged together to form a password. This also works on the human psychology that humans, while choosing a password, tend to merge two words. A  hyper or exclamation point can also be used while merging the words. For example, a combinator attack would use the following words from wordlist :




 And from the second wordlist, the following words were used :




The combinator attack would give you the following password possibilities: slowtruck , small bicycle. It Can also be used in reverse order even if it doesn’t make sense, like truckblue or scootersmall. We can also get password possibilities like small-truck, slowslow, or trucktruck.


This hashcat attack basically involves the use of the most common terms, which are used in a dictionary or a wordlist like names of pets. Under this attack, most successful words which are likely used as a password are generated by the program. These attacks are mostly better as they take lesser time due to lesser combinations needed. But what we need to remember it can be used for only common words. But if the password is uniquely designed, then such an attack won’t be successful. 


Cyber attacks will occur one way or another. Since Hashcat usually works on human psychology, the conclusion is to try and avoid using your personal information and reset your password regularly. Alternatively, it can always be prevented through the implementation of hashcat software to check your password strength.  Hashcat has more than 200 optimized hashing options, and that’s the reason it is not only one of the world’s fastest but also one of the most advanced and upgraded password retrieval tools. Since it’s compatible with multiple operating systems like Windows, Linux, OSX Native binaries, and multi algorithms, Hashcat has become really popular for breaking down complex passwords.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.



Are you ready to build your own career?