Cracking PwdHash: A Bruteforce Attack on Client-side Password Hashing

Accepted version
Peer-reviewed

Authors

Llewellyn-Jones, D 
Rymer, G 

Abstract

PwdHash is a widely-used tool for client-side password hashing. Originally released as a browser extension, it replaces the user’s password with a hash that combines both the password and the website’s domain. As a result, while the user only remembers a single secret, the passwords received are all unique for each site. We demonstrate how the hashcat password recovery tool can be extended to allow passwords generated using PwdHash to be identified and recovered, revealing the user’s master password. A leak from a single website can therefore compromise a user’s account on other sites where PwdHash was used. We describe the changes made to hashcat to support our approach, and explore the impact this has on speed of recovery.

Keywords

passwords, password cracking, brute-force attacks, user authentication

Journal Title

Lecture Notes in Computer Science

Publisher

Springer

Sponsorship
David Llewellyn-Jones thanks the European Research Council for funding this research through grant StG 307224 (Pico). Graham Rymer thanks the Cabinet Office/OCSIA for their financial support.