Hashcat vs John the Ripper 2026 — The 20x Speed Gap No One Talks About
Mr Elite ··
13 min read
Password cracking speed comparison 2026 — Hashcat vs John the Ripper is one of the most practically important tool comparisons in the penetration testing workflow, and most discussions of it are either vague or outdated. The real answer has three parts: Hashcat is dramatically faster with a GPU; John is competitive and sometimes preferable on CPU-only environments; and for many common assessment scenarios, knowing when to use each — and how to use them correctly — matters more than which one you choose. Today you get the benchmarks, the workflow comparison, and the specific scenarios where each tool is the right choice.
🎯 What This Guide Covers
Real benchmark numbers for NTLM, MD5, bcrypt, and SHA256 on GPU and CPU
When to use Hashcat and when John the Ripper is actually the better choice
The rule-based attack workflow that multiplies wordlist effectiveness 100x
Practical cracking commands for every common hash type found in penetration tests
Cloud GPU cracking when your local hardware is insufficient
⏱️ 45 min read · 3 exercises
📊 What hardware do you use for password cracking?
✅ Your hardware determines which tool and which attack modes are realistic for your cracking operations. CPU-only: John the Ripper plus a targeted wordlist is your most efficient approach. Consumer GPU: Hashcat with rules is viable for NTLM and MD5, bcrypt is still slow. Multiple/high-end GPUs: Hashcat in brute force mode becomes viable for shorter passwords. Cloud GPU: the most cost-effective approach for occasional deep cracking sessions.
The Benchmark Numbers — Real Speed Data for 2026 Hardware
securityelites.com
Speed Comparison — Hashcat (GPU) vs John (CPU) · 2026
Hash Type
Hashcat RTX 4090
John (16-core CPU)
NTLM (mode 1000)
164,000 MH/s
8,200 MH/s
MD5 (mode 0)
68,000 MH/s
4,100 MH/s
SHA1 (mode 100)
23,000 MH/s
2,800 MH/s
SHA256 (mode 1400)
9,800 MH/s
1,200 MH/s
NetNTLMv2 (mode 5600)
7,400 MH/s
420 MH/s
bcrypt cost=5 (mode 3200)
184,000 H/s
95,000 H/s
* Approximate values. GPU benchmarks vary by driver version, cooling, and power limit settings. Run hashcat -b to get your specific hardware benchmarks.
📸 Hashcat vs John the Ripper speed comparison 2026 — Hashcat on GPU is 15-20x faster than John on CPU for fast hash types (NTLM, MD5, SHA1). For bcrypt, the gap narrows significantly because GPU parallelism provides less advantage against the intentionally sequential bcrypt algorithm.
The bcrypt row is the most important insight in the table. For fast hashes like NTLM and MD5, a modern GPU has a massive advantage because it can compute billions of parallel hash operations. Bcrypt is specifically designed to defeat this advantage — its cost factor makes each computation intentionally sequential and memory-intensive, reducing GPU throughput to a fraction of what fast hashes achieve. This is why bcrypt and Argon2 are the correct choices for password storage, and why NTLM (which Windows still uses internally) is so dangerous to expose.
Hashcat Strengths — GPU, Rules Engine, and Attack Modes
Hashcat’s primary advantages are its GPU utilisation, its flexible attack modes, and its rules engine. The rules engine is what separates professional crackers from those running plain wordlists — a single rule can generate hundreds of password candidates from one base word by applying transformations: capitalise the first letter, append numbers 0-9, substitute letters for similar symbols (a→@, e→3), add common suffixes (!, 123, 2024). A quality rule set like OneRuleToRuleThemAll combined with rockyou.txt generates over a billion candidates and cracks most corporate passwords that are not bcrypt-protected.
HASHCAT — ESSENTIAL COMMANDS FOR PENETRATION TESTING
# Benchmark your GPU on all common hash types
hashcat -b
# Crack NTLM hashes (from secretsdump output) with rockyou.txt
# Compare speeds: what is the ratio of Hashcat to John for NTLM on your hardware?
✅ What you just learned: Running the benchmark on your specific hardware gives you accurate expectations for how long real cracking operations will take. On a CPU-only Kali VM, John and Hashcat will be comparable — Hashcat’s GPU advantage disappears without GPU passthrough. On a bare-metal Kali installation with an Nvidia GPU, the benchmark will show Hashcat orders of magnitude faster for fast hashes. The bcrypt benchmark is always the most sobering result — even with a high-end GPU, bcrypt cracking is slow enough that only common dictionary words are practically recoverable, which is exactly why it exists.
📸 Screenshot your NTLM and bcrypt benchmarks for both tools and share in #password-cracking on Discord.
John the Ripper Strengths — Auto-Detection and CPU Optimisation
John the Ripper’s main advantage over Hashcat is automatic hash format detection. Point John at a file of hashes and it identifies the format without requiring you to specify a mode number. This is particularly useful when dealing with mixed hash files from /etc/shadow (which contains multiple hash formats) or when you are unsure what algorithm produced a captured hash. John also handles combined username:hash formats natively — shadow file and NTDS extraction outputs work without pre-processing.
JOHN THE RIPPER — PROFESSIONAL USAGE
# Auto-detect hash format and crack with wordlist
john hashes.txt –wordlist=/usr/share/wordlists/rockyou.txt
# Specify format explicitly
john hashes.txt –format=NT –wordlist=rockyou.txt
# Crack /etc/shadow (supports combined format natively)
unshadow /etc/passwd /etc/shadow > combined.txt
john combined.txt –wordlist=rockyou.txt
# List cracked passwords
john hashes.txt –show
# Rule-based attack with john’s built-in rules
john hashes.txt –wordlist=rockyou.txt –rules=best64
# Incremental brute force (CPU-efficient for short passwords)
john hashes.txt –incremental=digits
# Use multiple CPU cores
john hashes.txt –wordlist=rockyou.txt –fork=8
The Attack Workflows That Actually Crack Passwords
🧠 EXERCISE 2 — THINK LIKE A HACKER (8 MIN)
Design the Optimal Cracking Strategy for Three Different Hash Scenarios
⏱️ Time: 8 minutes · No tools required
For each scenario, select the optimal tool, mode, and wordlist:
SCENARIO 1:
You extracted 500 NTLM hashes from a Windows domain controller
(secretsdump output). You have an RTX 3080 GPU available.
You have 4 hours before the end of the assessment window.
→ Which tool? Which attack mode? Which wordlist/rules?
→ What percentage do you expect to crack?
SCENARIO 2:
You have a Linux /etc/shadow file with 20 SHA512crypt ($6$) hashes.
You have CPU-only access (no GPU available).
You suspect these are server service account passwords.
→ Which tool? Which wordlist? What additional approach for service accounts?
→ Why is brute force not viable here?
SCENARIO 3:
You captured NetNTLMv2 hashes via Responder on the network.
You have 3 hashes. One belongs to a senior manager.
You have a GPU available but only 1 hour.
→ Tool? Mode? Should you try rules? What targeted wordlist additions?
→ What intelligence about the target would you add to the wordlist?
For each scenario, write: Tool, Mode/Format, Wordlist, Rules Y/N, Expected outcome.
✅ Answer key: Scenario 1: Hashcat -m 1000 + rockyou.txt + best64.rule. With RTX 3080 at ~60 billion NTLM/s, rockyou (14M) + best64 (77x multiplier = 1 billion candidates) runs in under a minute. Expect 40-60% crack rate on typical corporate passwords. Scenario 2: John + sha512crypt + rockyou.txt + rules. Service account passwords often follow patterns (ServiceName+Year+!). Create a custom wordlist with the service names found in the network and combine with John’s rules. Brute force is not viable because SHA512crypt at cost 5,000 iterations makes even GPU cracking impractically slow for passwords longer than 4-5 characters. Scenario 3: Hashcat -m 5600. Add targeted wordlist entries: manager’s first/last name, company name, year, location from LinkedIn. Rules: best64 minimum, OneRule if time permits. NetNTLMv2 is slower than NTLM (~7 GH/s vs 60 GH/s on RTX 3080) but targeted personalised wordlist often cracks targeted hashes faster than generic large wordlists.
📸 Share your cracking strategy for each scenario in #password-cracking on Discord.
Hash Type Reference — Which Mode, Which Tool, Which Approach
HASH TYPE QUICK REFERENCE — PENETRATION TESTING
# NTLM (Windows credential dumps — most common in AD assessments)
Cloud GPU Cracking — When Local Hardware Is Not Enough
For assessments where local GPU hardware is insufficient, cloud GPU instances provide temporary access to powerful cracking resources at hourly rates. Vast.ai is the most cost-effective option for security research — it offers spot instances with consumer and datacenter GPUs at rates as low as $0.10-0.50/hour. An RTX 4090 on Vast.ai running Hashcat for two hours costs approximately $0.60-1.00 and would exhaust rockyou.txt with the best64 rule set against NTLM hashes in under a minute.
⚡ EXERCISE 3 — KALI TERMINAL (15 MIN)
Crack a Set of Practice NTLM and SHA512 Hashes Using Hashcat and John
⏱️ Time: 15 minutes · Kali terminal · hashcat + john installed
PRACTICE HASH CRACKING — BOTH TOOLS
# Create practice hash file — NTLM hashes for common passwords
john /tmp/shadow_test.txt –format=sha512crypt –wordlist=/usr/share/wordlists/rockyou.txt
✅ What you just learned: The practice hash cracking demonstrates the complete workflow — create or obtain hashes, select the correct tool and mode, run with a wordlist, view results. The NTLM hashes in the practice file represent common passwords (password, 123456, letmein, and similar) that should crack instantly with rockyou.txt. The SHA512crypt hash demonstrates why John is still used alongside Hashcat — for slow hashes on CPU, John’s optimised code paths are genuinely competitive. In a real assessment, you would replace these practice hashes with the actual NTLM hashes extracted by secretsdump or Mimikatz from the compromised domain controller.
📸 Screenshot cracked passwords from both tools and share in #password-cracking on Discord. Tag #hashcatvsjohn2026
🧠 QUICK CHECK — Password Cracking
You extracted NTLM hashes from a Windows Domain Controller and ran Hashcat with rockyou.txt for 30 minutes — cracking 43% of the hashes. You want to increase the crack rate further without changing the wordlist. What is the most effective next step?
CPU only → JohnCompetitive performance, optimised CPU code paths, better for slow hashes
Unknown hash type → JohnAuto-detects format without specifying mode number
/etc/shadow files → JohnHandles combined user:hash format natively with unshadow
Always use rulesbest64.rule multiplies wordlist effectiveness 77x — run this before any larger wordlist
bcrypt → manage expectationsEven RTX 4090 = 184K/s at cost 5 · only dictionary words practical
❓ Frequently Asked Questions
Is Hashcat faster than John the Ripper?
Yes — for GPU-accelerated cracking, Hashcat is 15-20x faster than John on CPU for fast hashes like NTLM and MD5. For CPU-only environments, John is competitive. For bcrypt, the gap narrows because GPU parallelism provides less advantage against the sequential bcrypt algorithm.
CPU-only environment, unknown hash format (auto-detection), /etc/shadow files with combined user:hash format, or when Hashcat’s GPU drivers aren’t available. John’s –format=auto saves time when you don’t know the hash type.
What is the best wordlist for password cracking in 2026?
rockyou.txt (14M passwords) as the base. Combined with best64.rule or OneRuleToRuleThemAll generates billions of candidates. For corporate targets, supplement with company-specific words: name, location, year, product names.
Can bcrypt passwords be cracked with Hashcat?
Yes, but slowly — RTX 4090 achieves ~184K/s at cost 5. At cost 12 (modern minimum), that drops to ~580/s. Only dictionary words are practically recoverable. bcrypt’s design specifically defeats GPU cracking advantage.
Pass the Hash & Pass the Ticket 2026— The prerequisite step that produces the NTLM hashes you crack with Hashcat — understanding how hashes are extracted from Windows systems contextualises why cracking them matters.
Password Cracking Hub— The complete password cracking category covering rainbow tables, mask attacks, combinator attacks, and rule creation in addition to the wordlist attacks covered in this comparison.
Kali Linux Commands Tool— The complete Hashcat and John the Ripper command reference with every flag, mode number, and example syntax — the companion reference to this conceptual comparison guide.
Hashcat Official Wiki— The complete Hashcat documentation covering all attack modes, rule syntax, performance optimisation, and the full hash mode number catalogue for all 300+ supported types.
John the Ripper GitHub Repository— The official John the Ripper source with documentation for all supported hash formats, rule syntax, and the jumbo community release that adds hash format support beyond the core version.
ME
Mr Elite
Owner, SecurityElites.com
The most important lesson I learned about password cracking came from a Windows Active Directory assessment where I had 2,800 NTLM hashes and a four-hour window before my client needed a preliminary findings summary. Plain rockyou.txt cracked about 800 of them in the first ten minutes. I switched to rockyou.txt with best64.rule and cracked another 600 in the next twenty minutes. Then I added a custom wordlist with the company name, their city, and their main product lines combined with year and symbol rules — and cracked another 400. Total crack rate: 64% in under two hours. The remaining 36% were either bcrypt-equivalent strength, genuinely random, or long passphrases. The lesson: the wordlist is the foundation, but the rule set is what turns 45% into 64%. Every penetration tester who does credential cracking regularly builds their own company-specific wordlist as part of the OSINT phase. It is consistently the highest-return ten minutes of preparation in any Windows assessment.
Leave a Reply