TechEarl

Hashcat vs John the Ripper: Which Should You Use?

Hashcat or John the Ripper? They overlap but have different sweet spots. I compare them on speed, hash and file-format coverage, the attack engine, and usability, and give a straight answer for when to reach for each. Most people end up using both.

By Ishan Karunaratne · 7 min read
Hashcat vs John the Ripper on speed, hash coverage, file formats, attack engine, and usability, with a clear decision table for when to reach for each.

Hashcat and John the Ripper are the two password crackers worth knowing, and the question "which one" comes up constantly. The honest answer is that they are complementary, not competitors, and most people who do this seriously keep both installed. But they genuinely have different sweet spots, and knowing which to reach for saves real time. Here is the straight comparison, tested on hashcat 7.1.2 and John the Ripper 1.9.0-jumbo-1.

TL;DR

hashcat is GPU-first and the fastest cracker for the vast majority of raw-hash modes; reach for it when you have a GPU and a pile of database hashes, NTLM, or WPA. John the Ripper (jumbo) is CPU-strong, runs anywhere, auto-detects formats, and has unmatched coverage of encrypted file formats via its *2john extractors; reach for it for a locked ZIP, RAR, PDF, or Office file, or when you have no GPU. The practical split: hashcat for raw hashes and Wi-Fi, John for files. Use both.

Speed

This is hashcat's headline. It was built from the ground up for the GPU, and for common fast hashes (MD5, NTLM, SHA-1) it is the fastest tool in existence, often many times faster than John on the same hardware.

John is CPU-first. Jumbo does have OpenCL kernels for some formats, but its center of gravity is the CPU, where it is excellent but cannot match a GPU's raw throughput on fast hashes. The gap narrows on slow hashes (bcrypt, Argon2), where neither tool is fast and the algorithm dominates, and it narrows further when you have no GPU at all, at which point John's mature CPU code is the better engine.

Winner: hashcat, decisively, whenever a GPU is in play.

Hash and format coverage

Both support hundreds of hash types; the difference is what kind.

  • hashcat covers raw and salted password hashes, the Windows and network credential formats, WPA, Kerberos, and disk/wallet formats exhaustively. Its --example-hashes lists several hundred modes.
  • John (jumbo) covers a comparable range of raw hashes and goes far wider on encrypted file and application formats through its *2john extractors: archives, documents, password managers, SSH keys, cryptocurrency wallets, and more.

Winner: tie on raw hashes, John on file formats.

File formats: John's decisive edge

If your target is a file rather than a hash, John wins outright. The *2john family extracts a crackable hash from almost any encrypted format:

```bash
zip2john secret.zip > hash.txt
john --wordlist=rockyou.txt hash.txt
```

There is a *2john tool for ZIP, RAR, 7-Zip, PDF, Office, KeePass, SSH keys, GPG, and a hundred more. hashcat can crack many of these too (if you extract the hash), but John's auto-detecting, one-line workflow is simply faster to drive for a single locked file. Full walkthrough: cracking ZIP, RAR, and PDF passwords.

Winner: John.

The attack engine

Both have dictionary, brute-force / mask, and rule-based attacks. hashcat's rule and mask engines are the more powerful and widely tuned, and its attack modes (combinator, association, the hybrids) are richer. John counters with single crack mode, which builds candidates from the username and is genuinely excellent when your hashes come with account names, and its rule syntax is largely compatible with hashcat's.

Winner: hashcat on raw power, John for the username-aware single mode.

Usability

John tries to help: it auto-detects most formats, so john hash.txt often just works, and running it with no mode cycles through single, wordlist, and incremental automatically. hashcat makes you specify the -m mode and -a attack explicitly, which is more to learn but also more predictable at scale. For a quick one-off, John's auto-detection wins; for a large, scripted, repeatable job, hashcat's explicitness is a feature.

Winner: John for quick jobs, hashcat for scale.

The decision table

| Your situation | Use |
|---|---|
| Raw database hashes + a GPU | hashcat |
| NTLM / Active Directory audit | hashcat |
| WPA/WPA2 Wi-Fi | hashcat |
| A locked ZIP / RAR / PDF / Office file | John |
| KeePass, SSH key, GPG passphrase | John |
| No GPU (laptop, server, container) | John |
| Hashes that come with usernames | John (single mode) first, then hashcat |
| Largest, most powerful rules/mask run | hashcat |
| You are not sure what the hash is | John (auto-detect) or identify it |
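The last row is where audits stall: John will guess a format, but hashcat needs an explicit `-m`, and an unsalted 32-hex string is MD5 and NTLM at the same time. As an added example (not from the post, hashcat, or John), here is a small Python identifier that turns a hash line into the table's answer; the shape table is constructed and deliberately short, and the `-m` numbers are hashcat's documented modes for those formats.

```python
import re
from collections import namedtuple

Candidate = namedtuple("Candidate", "label hashcat_mode tool")

# Constructed shape table: regex over the line, label, hashcat -m, and the
# tool the decision table above reaches for first. Real identification needs
# more context than shape (e.g. "$6$rounds=...$" variants are not covered).
SIGNATURES = [
    (r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$", "bcrypt", 3200, "either (slow hash, GPU gain is small)"),
    (r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$", "sha512crypt", 1800, "hashcat"),
    (r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$", "md5crypt", 500, "hashcat"),
    (r"^WPA\*0[12]\*", "WPA-PBKDF2-PMKID+EAPOL (hc22000)", 22000, "hashcat"),
    (r"^\$pkzip2\$|^\$zip2\$", "ZIP (zip2john output)", None, "John"),
    (r"^\$pdf\$", "PDF (pdf2john output)", None, "John"),
    (r"^[0-9a-fA-F]{32}$", "MD5", 0, "hashcat"),
    (r"^[0-9a-fA-F]{32}$", "NTLM", 1000, "hashcat"),   # same shape as MD5: ambiguous
    (r"^[0-9a-fA-F]{40}$", "SHA-1", 100, "hashcat"),
    (r"^[0-9a-fA-F]{64}$", "SHA-256", 1400, "hashcat"),
    (r"^[0-9a-fA-F]{128}$", "SHA-512", 1700, "hashcat"),
]

def identify(line):
    """Return every Candidate whose shape matches the hash part of the line."""
    line = line.strip()
    # Tolerate "user:hash" (shadow/db dumps) and "file:$pkzip2$..." (*2john output).
    if ":" in line and not line.startswith("$"):
        line = line.split(":", 1)[1]
    return [Candidate(label, mode, tool)
            for pattern, label, mode, tool in SIGNATURES if re.match(pattern, line)]

def recommend(line):
    """Collapse candidates into the decision-table answer, or flag ambiguity."""
    cands = identify(line)
    if not cands:
        return "unknown: compare against hashcat --example-hashes / john --list=formats"
    if len(cands) > 1:
        return "ambiguous: " + " or ".join(f"{c.label} (-m {c.hashcat_mode})" for c in cands)
    c = cands[0]
    return f"{c.tool}: {c.label}" + (f", hashcat -m {c.hashcat_mode}" if c.hashcat_mode is not None else "")

if __name__ == "__main__":
    # Constructed sample lines, not real credentials.
    for sample in ["admin:5f4dcc3b5aa765d61d8327deb882cf99",
                   "secret.zip/notes.txt:$pkzip2$1*1*2*0*1b*5*aabbccdd*$/pkzip2$",
                   "$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"]:
        print(sample[:40], "->", recommend(sample))
```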

Just use both

This is not really a rivalry. The workflow that wins is: use John to extract and crack file-format hashes and to run single mode on username-bearing dumps, and use hashcat to throw a GPU at raw hashes and Wi-Fi. They even share rule syntax and wordlists. Install both, learn the hashcat and John cheat sheets, and reach for whichever fits the job in front of you.


Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.
