Password Tools Reference
Free reference guide: Password Tools Reference
About Password Tools Reference
The Password Tools Reference is a comprehensive, searchable guide to password security techniques and tools. It covers hash algorithms (MD5, SHA-256, bcrypt, NTLM, Argon2), password cracking with Hashcat dictionary/rules/mask attacks and John the Ripper, secure password generation using OpenSSL, pwgen, /dev/urandom, and Diceware passphrases, compliance guidelines including NIST SP 800-63B, and secret storage solutions like KeePass and HashiCorp Vault.
Built for penetration testers, security analysts, IT administrators, compliance officers, and CTF participants, this reference provides ready-to-use command-line syntax for hash identification, cracking operations, breach checking via Have I Been Pwned API, and password entropy calculation. Each entry includes the exact tool commands, algorithm parameters, and practical usage examples.
All entries are organized into Hash, Cracking, Generation, Policy, Storage, and Analysis categories. Whether you are conducting a password audit, implementing authentication policies, or studying for security certifications, this cheat sheet provides the essential commands and formulas in one searchable location.
Key Features
- Hash algorithm reference — MD5, SHA-256, bcrypt, NTLM, Argon2 with Hashcat mode numbers and command examples
- Hashcat attack modes — dictionary (-a 0), rules-based with best64.rule, and mask attacks (?u?l?d?s patterns)
- John the Ripper commands for wordlist, rules, incremental, and format-specific cracking operations
- Secure password generation using openssl rand, pwgen, /dev/urandom, and Diceware passphrase methodology
- NIST SP 800-63B compliance guidelines — minimum length, breach database checks, MFA requirements
- Password manager reference for KeePass CLI operations and HashiCorp Vault secret management
- Have I Been Pwned API integration with k-Anonymity model for safe breach checking
- Password entropy formula (E = L * log2(R)) with practical bit-strength examples and minimum recommendations
Frequently Asked Questions
What password hashing algorithms does this reference cover?
This reference covers MD5 (128-bit, Hashcat mode 0), SHA-256 (256-bit, mode 1400), bcrypt (salted, adaptive work factor, mode 3200), NTLM (Windows; an unsalted MD4 of the UTF-16LE password, mode 1000), and Argon2 (memory-hard, recommended for new applications). MD5, SHA-256 and NTLM are fast, unsalted digests, so none of them is suitable for storing passwords whatever the output length; bcrypt and Argon2 are the password-hashing choices. Hashcat gained Argon2 support only in recent releases and the mode number differs between versions, so confirm it for your installation with hashcat --help | grep -i argon2 instead of relying on a fixed number. Each entry includes the exact hashcat mode number and command-line syntax for both hashing and cracking.
How do Hashcat attack modes differ?
Dictionary attack (-a 0) hashes each word from a wordlist such as rockyou.txt as it appears. Rules are not a separate attack mode: they are added to a dictionary attack with -r, and every rule line in a file such as best64.rule mangles every word (lowercase, capitalise, append digits, prepend symbols, character substitutions such as a to @), so the number of candidates is words times rules. Mask attack (-a 3) is structured brute force using character class placeholders: ?l (26 lowercase), ?u (26 uppercase), ?d (10 digits), ?s (33 specials, space included), ?a (all 95 printable ASCII). The keyspace is the product of the class sizes per position, so a mask such as ?u?l?l?l?l?d?d that encodes a known password shape is far cheaper than blind brute force over the same length. Hybrid modes (-a 6, word followed by mask; -a 7, mask followed by word) cover the common word-plus-digits pattern. Each mode is suited to a different password pattern.
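The following is an added example, not hashcat code and not part of the reference itself: a toy Python re-implementation of the three attack shapes above against the fast unsalted modes named on this page (MD5 = mode 0, SHA-256 = mode 1400). It supports a small subset of hashcat rule functions and the built-in mask classes, and the wordlist, rule lines and targets are constructed here rather than taken from rockyou.txt or best64.rule. It is orders of magnitude slower than hashcat; its point is to make the candidate generation visible.

```python
"""Toy hashcat: dictionary (-a 0), rules (-r) and mask (-a 3) attacks on MD5 / SHA-256."""
import hashlib
import itertools
import string

# hashcat mode number -> hashlib algorithm name (only the modes this page names)
HASH_MODES = {0: "md5", 1400: "sha256"}

# hashcat built-in mask character classes
CHARSETS = {
    "l": string.ascii_lowercase,                                           # ?l  26
    "u": string.ascii_uppercase,                                           # ?u  26
    "d": string.digits,                                                    # ?d  10
    "s": " " + string.punctuation,                                         # ?s  33
    "a": string.ascii_letters + string.digits + " " + string.punctuation,  # ?a  95
}

# rule functions handled by this toy -> number of argument characters each consumes
RULE_ARITY = {":": 0, "l": 0, "u": 0, "c": 0, "C": 0, "r": 0, "d": 0, "$": 1, "^": 1, "s": 2}


def hash_candidate(mode, candidate):
    return hashlib.new(HASH_MODES[mode], candidate.encode("utf-8")).hexdigest()


def apply_rule(word, rule):
    """Apply one rule line, e.g. 'c $2 $0 $2 $4' or 'sa@$1'; spaces are ignored as in hashcat."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == " ":
            i += 1
            continue
        if op not in RULE_ARITY:
            raise ValueError(f"rule function {op!r} not supported by this toy")
        arg = rule[i + 1: i + 1 + RULE_ARITY[op]]
        i += 1 + RULE_ARITY[op]
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":                      # capitalise first char, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "C":                      # lowercase first char, uppercase the rest
            word = word[:1].lower() + word[1:].upper()
        elif op == "r":                      # reverse
            word = word[::-1]
        elif op == "d":                      # duplicate
            word = word * 2
        elif op == "$":                      # append one character
            word = word + arg
        elif op == "^":                      # prepend one character
            word = arg + word
        elif op == "s":                      # sXY: replace every X with Y
            word = word.replace(arg[0], arg[1])
        # ':' is the no-op rule: the word passes through unchanged
    return word


def parse_mask(mask):
    """Turn '?u?l?l?d?d' into one alphabet per position; '??' is a literal '?', other chars are literals."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            cls = mask[i + 1]
            positions.append("?" if cls == "?" else CHARSETS[cls])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def mask_keyspace(mask):
    """Candidates generated by a mask: product of the per-position alphabet sizes."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return n


def dictionary_attack(target, mode, wordlist, rules=(":",)):
    """-a 0 [-r rules]: every wordlist entry, mangled by every rule line."""
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            if hash_candidate(mode, candidate) == target:
                return candidate
    return None


def mask_attack(target, mode, mask):
    """-a 3: walk the mask's Cartesian product in order."""
    for chars in itertools.product(*parse_mask(mask)):
        candidate = "".join(chars)
        if hash_candidate(mode, candidate) == target:
            return candidate
    return None


# Constructed wordlist and best64-style rule lines for the demo (not rockyou.txt / best64.rule).
WORDLIST = ["password", "letmein", "summer", "qwerty"]
RULES = [":", "u", "c $2 $0 $2 $4", "sa@ $1"]

if __name__ == "__main__":
    md5_target = hash_candidate(0, "Summer2024")    # hashcat -m 0 -a 0 -r rules.txt hash.txt wordlist.txt
    print(dictionary_attack(md5_target, 0, WORDLIST, RULES))
    sha_target = hash_candidate(1400, "zq99")        # hashcat -m 1400 -a 3 hash.txt ?l?l?d?d
    print(mask_attack(sha_target, 1400, "?l?l?d?d"), mask_keyspace("?l?l?d?d"))
```

The rule 'c $2 $0 $2 $4' is why a plain dictionary attack misses Summer2024 while the same wordlist with rules recovers it; mask_keyspace shows why the cost of -a 3 is set entirely by the mask you write.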
What does NIST SP 800-63B recommend for password policies?
NIST SP 800-63B requires verifiers to accept passwords of at least 8 characters (revision 4 recommends a 15-character minimum) and to allow at least 64 characters, to compare new passwords against a blocklist of breached, commonly used and dictionary passwords plus context-specific words such as the service name or username, not to impose composition rules (mixed case, digits, symbols), not to force periodic changes unless there is evidence of compromise, and not to use hints or knowledge-based questions. Stored passwords must be salted and hashed with an approved one-way function. Multi-factor authentication is required at Authentication Assurance Level 2 and above; a password on its own only reaches AAL1. This represents a shift from traditional complexity requirements toward evidence-based security practices: length and blocklisting, not composition, are what resist guessing.
How do I calculate password entropy?
Password entropy is calculated as E = L * log2(R), where L is the password length and R is the size of the alphabet each character is drawn from. For example, 8 lowercase characters = 8 * log2(26) = 37.6 bits, while 12 characters drawn from all 95 printable ASCII characters (mixed case, digits, and specials) = 12 * log2(95) = 78.8 bits. A Diceware passphrase gets log2(7776) = 12.9 bits per word, so five words give 64.6 bits. A minimum of 60 bits is recommended for adequate security against offline attacks. The formula only holds when every character (or word) is chosen uniformly at random by a generator: a human-chosen password such as a capitalised dictionary word with digits appended has far less entropy than L * log2(R) suggests, because an attacker tries wordlists and rules before brute force.
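The following is an added example, not the reference's own code, covering this formula together with the secure generation methods listed above (random characters and Diceware). The 60-bit floor is the reference's recommendation; the guesses-per-second figure in the demo is a constructed placeholder, not a benchmark, and the six-word list is a stand-in for a real Diceware list.

```python
"""E = L * log2(R) for random passwords, its Diceware equivalent, and CSPRNG-based generation."""
import math
import secrets
import string

DICEWARE_LIST_SIZE = 6 ** 5                  # 7776 words, five dice per word
PUNCT = " " + string.punctuation             # the 33 symbols hashcat calls ?s
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, PUNCT)
MIN_BITS = 60                                # floor recommended by the reference


def entropy_bits(length, charset_size):
    """E = L * log2(R). Exact only when each character is drawn uniformly at random."""
    return length * math.log2(charset_size)


def charset_size(password):
    """R as cheat sheets infer it: sum of the sizes of the classes that appear in the password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def passphrase_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Diceware: each word contributes log2(list_size) bits (12.9 for the standard list)."""
    return word_count * math.log2(list_size)


def length_needed(target_bits, charset_size):
    """Smallest L with L * log2(R) >= target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count that reaches target_bits with a given Diceware list."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def random_password(length, alphabet="".join(CLASSES)):
    """Uniform CSPRNG choice per position, so entropy_bits(length, len(alphabet)) is exact."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(word_count, wordlist):
    """Uniform CSPRNG choice per word; entropy is passphrase_bits(word_count, len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


# Constructed six-word stand-in for a Diceware list (a real list has 7776 entries).
DEMO_WORDLIST = ["anvil", "beacon", "cobalt", "delta", "ember", "fjord"]

if __name__ == "__main__":
    rate = 1e10                                               # constructed placeholder guess rate
    for pw in ("abcdefgh", "Tr0ub4dor&3", random_password(12)):
        bits = entropy_bits(len(pw), charset_size(pw))
        print(f"{pw:16} R={charset_size(pw):3} E={bits:5.1f} bits  "
              f"ok={bits >= MIN_BITS}  years={years_to_exhaust(bits, rate):.3g}")
    print("words for 60 bits:", words_needed(MIN_BITS), diceware_passphrase(words_needed(MIN_BITS), DEMO_WORDLIST))
```

Note that charset_size credits Tr0ub4dor&3 with 11 * log2(95) = 72 bits; that is what the formula says, and it is also exactly the overestimate the caveat above warns about, because the password is a mangled dictionary word that a rule attack finds almost immediately.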
How does the Have I Been Pwned API work safely?
The Pwned Passwords API uses a k-Anonymity model: the client computes the SHA-1 hash of the password as uppercase hex and sends only its first 5 hex characters in a GET to https://api.pwnedpasswords.com/range/{prefix}. The server returns every known hash with that prefix as suffix:count lines (the remaining 35 hex characters and the number of times that password appeared in breaches, several hundred lines per range), and the client checks locally whether its own suffix is among them. The complete password and its full hash never leave the client. Sending an Add-Padding: true header makes every response a similar size, so an observer cannot infer the range from the response length. A non-zero count means the password is in a known breach and should be rejected; the server still learns that some check took place, just not which password was checked.
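The following is an added example, not the reference's own code, that puts the NIST guidance from the previous answer and the k-Anonymity lookup from this one into a single verifier-side check: normalise, count characters, apply length bounds, reject context words, then query the breach corpus by 5-character prefix. The range URL and the suffix:count response format are HIBP's; the network fetch is real but unused by the offline demo, whose breach counts are constructed, not HIBP data.

```python
"""SP 800-63B-style password acceptance check with an HIBP k-Anonymity range lookup."""
import hashlib
import unicodedata
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hibp_fetch_range(prefix):
    """Live fetch of one 5-hex-character range (not called by the offline demo below)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=hibp_fetch_range):
    """Send only the first 5 hex chars of SHA-1; match the remaining 35 locally. 0 = not found."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count or 0)           # padding entries carry a count of 0
    return 0


def check_password(password, pwned=pwned_count, context_words=(), min_len=8, max_len=64):
    """800-63B verifier rules. Deliberately absent: composition rules, hints, forced rotation.
    max_len is the *least* a verifier must accept; raise it if storage allows."""
    pw = unicodedata.normalize("NFKC", password)   # SHOULD normalise before hashing/comparing
    if len(pw) < min_len:                          # length counted in Unicode code points
        return False, f"fewer than {min_len} characters"
    if len(pw) > max_len:
        return False, f"more than {max_len} characters"
    lowered = pw.lower()
    for word in context_words:                     # service name, username, etc.
        if word and word.lower() in lowered:
            return False, "contains context-specific word"
    hits = pwned(pw)
    if hits:
        return False, f"seen {hits} times in breach corpus"
    return True, "accepted"


# Constructed breach corpus for the offline demo; the counts are made up, not HIBP data.
BREACHED_SAMPLE = {"password": 9_000_000, "Summer2024": 1_200}


def fake_fetch_range(prefix):
    """Stand-in for hibp_fetch_range with HIBP's response shape, including one padding line."""
    lines = [f"{sha1_hex_upper(p)[5:]}:{n}" for p, n in BREACHED_SAMPLE.items()
             if sha1_hex_upper(p)[:5] == prefix]
    lines.append("0" * 35 + ":0")                  # what Add-Padding entries look like
    return "\r\n".join(lines)


def offline_pwned_count(password):
    return pwned_count(password, fake_fetch_range)


if __name__ == "__main__":
    for pw in ("short1!", "Summer2024", "acme-rocks-2024!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, offline_pwned_count, context_words=('acme',))}")
```

Swap offline_pwned_count for the default pwned_count to hit the live API; nothing else in check_password changes, which is the point of the k-Anonymity design.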
Why is Argon2 recommended over bcrypt?
Argon2 is a memory-hard function: each hash needs a configurable amount of RAM (tens of megabytes is typical) as well as time, which removes most of the GPU and ASIC advantage because those devices have fast arithmetic but little memory per core. bcrypt's adaptive cost only scales time, and its 4 KB working state fits comfortably in GPU cache; it also silently truncates input to 72 bytes. Argon2 exposes time, memory and parallelism parameters independently, won the Password Hashing Competition in 2015, and its hybrid Argon2id variant is the current recommendation for new applications. bcrypt with a work factor of 10 or more remains acceptable for existing systems and does not need to be ripped out, but new designs should start with Argon2id.
What password storage solutions does this reference cover?
This reference covers KeePass/KeePassXC with CLI commands for database operations and password generation using AES-256 or ChaCha20 encryption, HashiCorp Vault for enterprise secret management with dynamic secrets and KV store, and Git credential helpers for developer workflow security including keychain integration.
Is this password tools reference free to use?
Yes, this reference is completely free with no usage limits, no account required, and no data uploaded to any server. All content is rendered locally in your browser. It is designed as a practical quick-reference for security professionals, system administrators, and anyone working with password security.