May 22, 2021

Is this regular practice?

My buddy works in local city government. His IT guy asked him to run a Hashcat benchmark on his work and personal PC. My buddy wasn't aware of Hashcat, so he asked me what it was all about. I told him it was essentially for password cracking, and suggested he investigate why his IT guy needed this information.

The IT guy said that from time to time he likes to collect people's password hashes and try to crack them to see if anyone he supports has weak passwords. I'm new to the IT field but have a pretty good technology background, and I told my friend that this behavior sounded very suspicious.

But since I am new in the field, I wanted to defer to the wisdom of some professionals. What do you guys think about this?



If he’s not using his personal PC for work, I for sure would not be turning my personal password hashes over.

Also, if IT wants to make sure you’re using secure passwords for systems and apps they control, they should set the requirements where they want them.

At a minimum, I’d be looking for more info first.


This is not uncommon, but still dumb.

Knowing if staff have passwords that can be easily cracked is something I have done in the past.

But as others say, set a good policy in the software and use education.

Having some admin know the clear-text passwords of many staff seems like a bad idea.
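As an added illustration of the reply above ("set a good policy in the software"), and not code from anyone in this thread: a password-policy check that runs at the moment a password is set, so weak or known-compromised choices are rejected up front and no administrator ever needs a copy of the hashes, let alone the clear text. The deny-list below is a small constructed stand-in for a real breached-password corpus (such lists are commonly distributed as SHA-1 digests, which is why the comparison is done on hashes); the function and constant names are my own.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus. A real deployment
# would load a large published list (or query a breach-lookup service)
# rather than hard-code a handful of entries.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "summer", "letmein", "qwerty")
}

MIN_LENGTH = 12  # assumed policy value; tune to your environment


def _normalize(candidate: str) -> str:
    """Lower-case and drop trailing digits/symbols so 'Summer2021!' is
    compared as 'summer', catching the usual seasonal/year mutations."""
    return re.sub(r"[\d\W_]+$", "", candidate.lower())


def check_password(candidate: str, username: str = "") -> list:
    """Return the list of policy violations for a proposed password.

    An empty list means the password is acceptable. The check never stores
    or logs the candidate; it only compares hashes against the deny-list.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    # Check the raw lower-cased value and the normalized form against
    # the deny-list so trivial suffixes do not bypass the check.
    for variant in {candidate.lower(), _normalize(candidate)}:
        digest = hashlib.sha1(variant.encode()).hexdigest().upper()
        if digest in COMPROMISED_SHA1:
            problems.append("matches a known-compromised password")
            break
    return problems


if __name__ == "__main__":
    for pw, user in (("Summer2021!", "alice"),
                     ("Password1234", "alice"),
                     ("alicealice1234567", "alice"),
                     ("correct horse battery staple", "alice")):
        print(repr(pw), "->", check_password(pw, user) or "OK")
```

The point of doing it this way is that the policy is enforced where the password is chosen, in software, and the only material the check ever handles is the candidate the user just typed, not a dump of everyone's hashes.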
