It sounds like a movie villain, but it is actually a computer tool. John the Ripper is a tool used to test if passwords are easy to guess. It helps you find the weak locks on your digital doors.
Good computers never save your real password. If your password is "apple123", the computer changes it into a long, messy string of letters and numbers.
This messy string is called a Hash.
When you log in, the computer turns your typed word into a hash. Then, it checks if it matches the saved hash. If they match, you get in.
John the Ripper does not guess the password on the website screen. Instead, it takes the list of saved "hashes" and tries to guess what words made them. It uses three main ways to do this.
John takes a huge list of common words. It turns every word into a hash and checks if it matches your hash. If your password is a normal word like "monkey" or "admin", John will find it in seconds.
People like to think they are tricky. They change "password" to "P@ssw0rd1". John knows this trick. It takes normal words and adds numbers, capital letters, and symbols to them automatically to see if they match.
If the first two ways fail, John tries everything. It tries "a", then "b", then "c"... all the way to "zzzzzzzz". This takes a very long time, but it will eventually guess any short password.
For a "Dictionary Attack" to work, John needs a book of words. These are called Wordlists.
Hackers do not just use the normal dictionary. They use massive lists of passwords that were stolen from real websites in the past.
The most famous wordlist in the world is called rockyou.txt. It has over 14 million real passwords that people actually used. If your password is in that file, John will guess it instantly.
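A defender can use the same idea when a user picks a new password: reject anything that is a common word, or a common word dressed up with swaps and extra digits. This is an added example, not part of the original page; the five-word list, the swap table and the 12-character minimum are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample standing in for a real wordlist such as rockyou.txt.
COMMON_WORDS = {"password", "monkey", "admin", "apple", "dragon"}

# Character swaps people commonly apply; "1" is ambiguous, so two tables.
_SWAPS = {"@": "a", "4": "a", "0": "o", "3": "e",
          "$": "s", "5": "s", "7": "t", "!": "i"}
TABLES = [str.maketrans({**_SWAPS, "1": "i"}),
          str.maketrans({**_SWAPS, "1": "l"})]

# Digits and symbols stuck on either end of a word ("apple123", "!admin").
EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")
MIN_LENGTH = 12  # assumed policy value for this example


def base_forms(password: str) -> set:
    """Return the plain words this password could have been built from."""
    lowered = password.lower()
    forms = set()
    for candidate in (lowered, EDGE_JUNK.sub("", lowered)):
        forms.add(candidate)
        for table in TABLES:
            forms.add(candidate.translate(table))
    return forms


def screen(password: str, wordlist: set = COMMON_WORDS) -> Optional[str]:
    """Return a rejection reason, or None if the password passes."""
    hit = base_forms(password) & wordlist
    if hit:
        return f"based on common word '{sorted(hit)[0]}'"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for pw in ("monkey", "P@ssw0rd1", "Adm1n!", "Tr0ub4dor",
               "the quiet otter reads maps at noon"):
        print(f"{pw!r}: {screen(pw) or 'accepted'}")
```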
If two people use the password "apple", their messy hash will look exactly the same. To fix this, good systems add "Salt" before making the hash.
Without salt: Both hashes are identical. A hacker knows both people used the same password.
With salt: The computer adds random letters to the password first. The hashes look totally different!
John the Ripper is smart. It knows how to read the salt and will include it when trying to guess the hash. It just makes John's job a little harder.
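The difference between unsalted and salted storage, as an added example that is not part of the original page. PBKDF2 and the iteration count are choices made for this example; the page does not name a hashing scheme. Note that the salt is stored next to the hash, which is why a cracking tool can read it.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example work factor; it slows down every single guess


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> str:
    """Build the stored value 'salt$hash' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def check_login(password: str, record: str) -> bool:
    """Re-hash the typed password with the stored salt and compare."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Two users pick the same password, "apple"."""
    alice, bob = make_record("apple"), make_record("apple")
    return {
        "unsalted_identical": unsalted_hash("apple") == unsalted_hash("apple"),
        "salted_identical": alice == bob,
        "correct_login": check_login("apple", alice),
        "wrong_login": check_login("apple1", alice),
    }


if __name__ == "__main__":
    print(demo())
```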
Computers do not leave password hashes lying around in the open. On Linux computers, they are locked inside a very special file called /etc/shadow.
A normal user cannot even read this file. You must be the absolute boss of the computer (the "root" user) to open it. Hackers must first steal this locked file before they can give it to John the Ripper.
Sometimes a hacker knows a clue about your password. Maybe the company requires "One capital letter and four numbers". Instead of trying every letter in the alphabet, John the Ripper can use a "Mask".
The hacker tells John to only guess this shape:
This mask tells John to try: One uppercase letter, two lowercase letters, and two numbers (Like "Dog99"). This saves John years of useless guessing.
John mainly uses your computer's brain, called the CPU. It is fantastic for tricky rules and handling many weird types of password locks all at once. It is like a multi-tool.
Another famous tool is called Hashcat. Hashcat uses your computer's Graphics Card (GPU)—the part used for video games. For simple brute-force guessing, Hashcat is usually much faster than John.
The original tool was made by a man named Solar Designer in 1996. Over the years, other security workers wanted it to break even more types of locks.
They created a massive upgrade called the "Jumbo Patch". The Jumbo version adds support for hundreds of new password types, including opening locked ZIP files, PDF documents, and Wi-Fi network passwords.
A bad hacker finds a weak spot on a company's website.
The hacker downloads the company's database, which includes all the customer password hashes.
The hacker turns off their internet. They open John the Ripper on their own powerful computer at home.
John guesses 80% of the customer passwords in a few hours because people use weak words like "password123".
John the Ripper is completely free. It is a command-line tool, which means there are no fancy buttons to click. You type commands on a black screen. It works on almost everything:
Even if you use a weak password and John the Ripper guesses it, there is a tool that stops the hacker completely: Two-Factor Authentication (2FA).
2FA means the website will text your phone or ask for a special code from an app. Even with your password, the hacker cannot get in because they do not have your physical phone in their hand.
Because this tool is so powerful, there are strict rules about how professionals are allowed to use it. If you break these rules, it is a serious crime.
Legal: Using it on your own computer files to see if you forgot a ZIP password, or if your boss asks you to test the company's security (with written permission).
Illegal: Running it on files stolen from a website, trying to guess a friend's Wi-Fi password without asking, or testing a network you do not own.
Different computers use different math to make hashes. Think of these like different brands of padlocks. John the Ripper is flexible. It can read and break many different brands of hashes.
John is famous because it is incredibly fast. A normal computer running John can guess millions of passwords every single second.
System administrators use John to check their own company. If John can guess an employee's password, it means the password is too weak. The admin will tell the employee to change it before a bad guy finds it.
If a hacker steals a list of password hashes from a website, they will run John the Ripper on their own computer to turn those messy hashes back into real passwords so they can steal accounts.
John is fast, but it is not magic. It hates length. The longer your password is, the longer it takes John to guess it. Every extra letter adds years to the guessing time.
Rule: Use Long Sentences!
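The numbers behind the mask and length points above, worked through as an added example that is not part of the original page. The mask string `?u?l?l?d?d` is this example's rendering of the shape described earlier (one uppercase, two lowercase, two digits), and the guess rate of one million per second is an assumed figure.

```python
# Sizes of the character sets behind John-style mask placeholders.
CLASS_SIZES = {"?u": 26, "?l": 26, "?d": 10}

GUESSES_PER_SECOND = 1_000_000  # assumed rate for this example


def mask_keyspace(mask: str) -> int:
    """Count how many candidates a mask such as '?u?l?l?d?d' describes."""
    total, i = 1, 0
    while i < len(mask):
        size = CLASS_SIZES.get(mask[i:i + 2])
        if size is None:
            i += 1  # a literal character contributes exactly one choice
        else:
            total *= size
            i += 2
    return total


def brute_force_keyspace(alphabet_size: int, max_length: int) -> int:
    """Count every string from length 1 up to max_length ("a" .. "zzzzzzzz")."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def hours_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / rate / 3600


def summary() -> dict:
    return {
        "mask ?u?l?l?d?d": mask_keyspace("?u?l?l?d?d"),
        "a..zzzzzzzz": brute_force_keyspace(26, 8),
        "one letter longer": brute_force_keyspace(26, 9),
        "up to 20 lowercase": brute_force_keyspace(26, 20),
    }


if __name__ == "__main__":
    for label, size in summary().items():
        print(f"{label:20} {size:.3e} guesses, "
              f"{hours_to_exhaust(size):.3e} hours")
```

These counts only describe trying every combination; a long password made of a well-known phrase can still fall to a wordlist, so length helps most when the sentence is not a famous one.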
| Question | Answer |
|---|---|
| What does it do? | It guesses passwords to see if they are weak. |
| Does it guess on the website? | No, it works offline using stolen data (hashes). |
| Is it legal? | Yes, if you use it on your own computers to test your own security. |
| How do I stop it? | Make your password a very long sentence. |