I’m starting to take a look at Hashcat, and will soon take a look at Oclhashcat. It won the Defcon password cracking challenge, so I suppose it might be quite good 🙂 There is much to say about those two programs, but I will just comment on their performance.
I did a not too representative benchmark. On raw MD4, MD5 and SHA1 I ran a 50M dictionary on 10k passwords, and for Microsoft cached hashes and crypt MD5 I used the sample hashes provided by Hashcat.
The result is that if you use GCC, hashcat will be much faster than John. On the other hand, with ICC, the jumbo patch and the fast MD5 code (used in raw MD5 and crypt MD5), John is slightly faster than Hashcat for raw MD5 and raw SHA1, half as fast for Microsoft cached hashes, and 30% slower for raw MD4. On the other hand it is 2.8 times faster for crypt MD5.
Obviously, both programs should mostly be compared by their features, and not just raw speed.
This is all with hashcat only using a single thread.