My buddy works in local city government. His IT guy asked him to run a [Hashcat](https://www.hashcat.net) benchmark on his work and personal PC. My buddy wasn’t aware of Hashcat so he asked me what it was all about. I told him it was essentially for password cracking, and suggested he investigate as to why his IT guy needed this information.
The IT guy said from time to time, he likes to collect people’s password hashes and try to crack them to see if anyone that he supports has weak passwords. I’m new in the IT field but have a pretty good technology background… but I told my friend that this behavior sounded very suspicious.
But since I am new in the field, I wanted to differ to the wisdom of some professionals, what do you guys think about this?