Jump to a question
OnlineHashCrack is a professional GPU-accelerated password recovery and security auditing platform. We serve two core use cases:
- Password strength auditing — test the resilience of credentials against real-world attack techniques as part of security assessments, compliance exercises, and penetration tests.
- Authorized password recovery — recover access to encrypted files, archives, or credential stores when the original password has been lost, for users who own the data or hold explicit authorization.
OnlineHashCrack has an established track record supporting penetration testers, forensic professionals, incident response teams, and law enforcement agencies. All use must comply with our Terms and Conditions. Any data submitted must be legally obtained.
We support a wide range of hash types, encrypted files, and password-protected containers — including operating systems, archives, Office documents, PDFs, and WiFi captures.
The full list is at hash-acceptance.
No. OnlineHashCrack does not recover passwords for email accounts, social networks, cloud services, or any third-party online platform.
We process only hashes or encrypted files submitted by users who own the data or hold documented authorization from the data owner. Attempting to recover credentials for accounts you do not control is illegal and strictly outside our scope.
The Service is structured around three access tiers:
- Tier 1 (Email-verified): individuals who have forgotten a password to their own file or device, and anyone testing the strength of credentials they control.
- Tier 2 (Phone or payment-verified): users who need access to a wider algorithm set for more advanced recovery or audit work.
- Tier 3 (Organizational / domain-validated): verified organizations, penetration testing firms, forensic professionals, incident responders, and law enforcement agencies with an active mandate. This tier unlocks the full algorithm catalogue and bulk processing capabilities.
The Terms and Conditions apply to all users regardless of tier. Every Submission must be legally authorized.
Our infrastructure combines GPU clusters, large private and public wordlists, brute-force, and hybrid attack strategies:
- Processing time: from a few seconds to 3 days depending on hash type and complexity
- Priority option to jump the queue if you are in a hurry
- Upload your own custom wordlists for targeted attacks
- API access for automated and bulk submissions
Weak passwords are recovered quickly. Check how secure your password is or read how the Service works.
No. Recovery is not guaranteed. A sufficiently long password or one using an uncommon character set may not be recoverable with current resources. The main factors are:
- Password length
- Character set (lowercase only, mixed case, digits, symbols)
- Hash algorithm and iteration count
We recover a large proportion of real-world passwords, because most are weaker than their owners realize. The absence of a result is not grounds for a refund of consumed GPU resources — see the refund policy.
It depends on the hash type and complexity. Some recoveries are free; others require payment. Full details at pricing.
| Status | Meaning |
|---|---|
| Found | The password was recovered. From a security standpoint, this indicates the credential was insufficiently strong. |
| Not found | The password was not recovered with the current attack configuration. You can choose another attack (wordlist or bruteforce) to go further and try more candidates. |
| In progress | Processing is under way. No one can predict the outcome at this stage — please wait. You will receive an email notification if the password is recovered. |
- You can test the Service for free before paying anything
- We have published customer testimonials
- We work with law enforcement agencies, forensic professionals, and enterprise security teams
- We verify each recovered password independently before you pay to unlock it — you only pay if the result is correct
- If the recovered password we delivered and you paid to unlock turns out to be incorrect, we will issue a full refund — no questions asked
From a few seconds to 3 days, depending on hash type and complexity.
If you are in a hurry, use the Priority option from your dashboard to push your task to the front of the queue. See how it works.
As soon as a password is recovered, we send you an email with a link to unlock the result from your dashboard. Check your spam folder if you do not receive it.
Your password contains non-ASCII or non-printable characters, so we encode it in hexadecimal surrounded by "HEX[]".
Paste the hex string into any hex-to-ASCII converter to recover the original characters, or consult asciitable.com. On Windows, such characters can be typed using Alt+numpad codes.
We verify each recovered password before notifying you. The following rules apply:
- Unlock fees (paying to reveal a recovered password): a refund may be issued at our discretion if the submitted hash was demonstrably invalid.
- Priority queue fees: non-refundable once your task has entered the priority queue, regardless of outcome.
- Custom wordlist and brute-force fees: non-refundable once GPU resources have been consumed, regardless of whether a password was recovered. These fees compensate infrastructure time, not guaranteed results.
Before requesting a refund, read how to check results. To raise a refund request, use the contact page with full task details. Full policy in Terms §9.
You can delete your tasks at any time from your dashboard. Automatic deletion applies as follows:
- Active account data and submitted hashes: up to 12 months from last activity
- Recovered passwords (Outputs): up to 12 months from the recovery date
- Uploaded source files (encrypted documents, WPA captures): deleted immediately after hash extraction — never retained beyond that operation
- Inactive accounts (no login for 12 consecutive months): permanently deleted, including all data
- Non-activated accounts: deleted 15 days after registration
Full details in the Privacy Policy.
Access is controlled through a three-tier verification system:
- Tier 1 — Email verification (mandatory): required at registration. Grants access to core hash submission and recovery features. The address must be valid, accessible, and non-disposable. Accounts not verified within 15 days are permanently deleted.
- Tier 2 — Phone or payment verification: verifying a phone number or completing a Stripe payment unlocks additional algorithms and enhanced features.
- Tier 3 — Organizational / domain validation: available to verified organizations, penetration testing firms, forensic professionals, and law enforcement agencies. Requires active vetting. Grants full platform access including the most resource-intensive algorithms. Law enforcement agencies are encouraged to contact us directly for dedicated access and preferential arrangements.
The Terms and Conditions apply to all users regardless of tier.
- WPA captures: submit via our public API, integrated with the wlancap2wpasec tool.
- Hashes and files: available through the authenticated API, accessible from your account once logged in.
We recognize and reward responsible disclosure of exploitable vulnerabilities that put our platform, users, or data at risk (e.g. SQLi, RCE, LFI).
Out of scope: DDoS, email-based attacks, automated scanner output without a working proof of concept.
See our Coordinated Vulnerability Disclosure Policy (CVDP). To report a finding, use the contact page.