John the Ripper password cracker review

In our John the Ripper password cracker review, we test whether the tool, first developed in 2002, is still relevant today.

IT Pro Verdict

John the Ripper is one of the best tools that you’ll find for cracking passwords. It’s highly versatile, well supported, and free, and it should be in every security professional’s toolkit.

Pros

  • + Can crack a huge range of different password types
  • + Available for 15 operating systems

Cons

  • - Takes some setting up
  • - Requires knowledge of using the command line

John the Ripper password cracker is a security software tool that’s been in active use since it was first developed in 2002. It works on 15 operating systems, including Windows, macOS, and Linux, and combines several different password cracking functions into one package, making it one of the most frequently used password crackers today.

If you often lose or forget your passwords, the best password managers can help you manage them. But if you need to recover a password, such as for an operating system login, the John the Ripper password cracker may be just the ticket.

John the Ripper password cracker: Plans and pricing

You can choose John the Ripper Pro, which has a simpler initial installation and technical support (Image credit: John the Ripper)

John the Ripper is a free tool. You can download the “core” version or the “jumbo” version. The jumbo version includes several extra command-line options and can be used to crack a broader range of password types (e.g. password-protected PDFs, RAR archives, 1Password, Bitcoin, LastPass, and more).

On Linux or macOS, you can choose John the Ripper Pro. This is a pre-compiled native version of the software that’s easier to install than the core or jumbo versions. John the Ripper Pro is automatically configured to recognise multi-core processor architectures, so it will perform well on modern architectures without further modification.

You can get John the Ripper Pro for £32.47. A Pro license with free future upgrades costs £73.11, and a license with one year of email support costs £150.36.

John the Ripper password cracker: Features

By using the --list=formats command line argument, you can see all the hash formats that your installation supports (Image credit: Openwall)

John the Ripper supports a massive list of different password hash types. The jumbo version can crack over 411 types of passwords, from Unix passwords to databases and from iTunes backups to Wi-Fi passwords.

John the Ripper works on the hash of the password, not the file itself. For example, you can’t feed John the Ripper an encrypted Word document and expect to gain access to it. However, the software comes with a long list of supplemental functions that you can use to extract the password hash from your file, so John the Ripper can work out the original password from the hash.

John the Ripper can be used to crack Windows login passwords (Image credit: Openwall)

Running John the Ripper can be as simple as typing “john mypassword.txt”. But to speed things along, you can add more command line arguments to specify how the software should run.

For example, you can set a particular word list and run a dictionary attack. If you know a few details about the password, like that it only includes lowercase letters, you can limit John the Ripper to search combinations using only those letters.
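The two approaches described above, sketched as a small password audit in Python. This is an added example, not code from the review or from the John the Ripper project, and it does not reflect how John the Ripper is implemented; the unsalted SHA-256 hashing, account names, word list and sample passwords are all constructed for illustration.

```python
import hashlib
from itertools import product
from string import ascii_lowercase


def sha256_hex(password):
    """Hash a candidate the same way the (constructed) stored hashes were made."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data: account -> unsalted SHA-256 hash, standing in for
# the hash file an administrator would audit. The audit only ever sees hashes.
SAMPLE_HASHES = {
    "alice": sha256_hex("sunshine"),
    "bob": sha256_hex("qzx"),
    "carol": sha256_hex("T7#vLp!29qWz"),
}
WORDLIST = ["password", "letmein", "sunshine", "dragon"]  # constructed word list


def wordlist_audit(hashes, words):
    """Dictionary pass: hash every word once, then look each stored hash up."""
    lookup = {sha256_hex(w): w for w in words}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def lowercase_audit(hashes, max_len):
    """Restricted pass: try only lowercase candidates of up to max_len letters."""
    remaining = {h: user for user, h in hashes.items()}
    found = {}
    for length in range(1, max_len + 1):
        for combo in product(ascii_lowercase, repeat=length):
            candidate = "".join(combo)
            user = remaining.pop(sha256_hex(candidate), None)
            if user is not None:
                found[user] = candidate
    return found


def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len over a given character set."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def audit(hashes=SAMPLE_HASHES):
    """Run the dictionary pass first, then the lowercase pass on what is left."""
    weak = wordlist_audit(hashes, WORDLIST)
    rest = {u: h for u, h in hashes.items() if u not in weak}
    weak.update(lowercase_audit(rest, max_len=3))
    return weak


if __name__ == "__main__":
    print("Accounts with weak passwords:", audit())
    print("8-char keyspace, lowercase vs printable ASCII:",
          keyspace(26, 8), keyspace(95, 8))
```

The long mixed-character password survives both passes, and the keyspace figures show why restricting the character set shortens a search so sharply.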

Using an NVIDIA GPU with John the Ripper requires downloading around 4GB of additional dependencies (Image credit: Openwall)

If you have a modern PC, John the Ripper has options to utilise its hardware to speed up the cracking of complex hashes. For example, you can set John the Ripper to use multiple CPU cores by adding the --fork argument.

You can also use the power of a modern graphics card to crack passwords faster. Not all hash formats can be cracked using a graphics card, however, and you’ll need to compile a few more software dependencies to get GPU cracking to work. But cracking passwords using your graphics card can be up to 10 times faster than using the CPU.

John the Ripper password cracker: Interface and in use

Getting started with John the Ripper typically means compiling the software from source (Image credit: Openwall)

John the Ripper is aimed at computer users who are comfortable with using the command line and compiling software from source.

Installation depends on your operating system and requirements, but it typically first necessitates downloading the source code and any required dependencies. Then, you compile the software by running a number of commands in order.

If you prefer to use a graphical user interface (GUI), there’s a cross-platform open-source GUI for John the Ripper called Johnny.

John the Ripper password cracker: Support

The John the Ripper wiki has step-by-step tutorials on using the tool (Image credit: John the Ripper)

John the Ripper has an excellent wiki, with step-by-step tutorials on how to build the software and use it to crack passwords. Though it’s aimed at intermediate users who are comfortable using the command line, all the steps that you need to take to get the software running are well laid out.

There are also several mailing lists for John the Ripper, which average around 30 to 40 emails per month. You can browse queries and replies sent to the mailing list all the way back to 2005.

For more official support, you can opt for John the Ripper Pro. The £73.11 package includes installation support by email for the first month, and the £150.36 package includes email support for a year.

Alternatives to John the Ripper password cracker

For a Windows program for cracking password hashes, consider Hash Suite. It has a modern graphical interface, performs well, and can crack 13 different hash types, including LMHash, NTHash, MD5, and SHA variants.

One of John the Ripper’s closest competitors is Hashcat. Like John the Ripper, it runs from the command line, and can crack a massive list of password types. But Hashcat has better support for using your graphics card (GPU) to crack passwords. So, if you have a powerful GPU, Hashcat is typically faster than John the Ripper.

John the Ripper password cracker: Final verdict

John the Ripper deserves its position as a must-have password cracking tool for system administrators.

John the Ripper isn’t easy to get started with for a typical end user, as there are several steps that you’ll need to take to get it running. But it’s not designed for occasional users who need to recover a password; it’s a comprehensive tool for cracking a wide range of hash types. This is what John the Ripper excels at.

Richard Sutherland

Richard brings more than 20 years of computer science, full-stack development and business operations experience to ITPro. A graduate in Computer Science and former IT support manager at Samsung, Richard has taught courses in Java, PHP and Perl, and developed software for both private businesses and state organisations. A prolific author in B2B and B2C tech, Richard has written material for Samsung, TechRadar Pro, and now ITPro.