How Passwords Are Cracked: Methods, Tools, and Protection
Learn how passwords are cracked through brute force, dictionary attacks, rainbow tables, and social engineering. Understand password hashing and how to protect accounts.
How Passwords Work Behind the Scenes
Understanding how passwords are cracked begins with understanding how they are stored. Responsible systems never store passwords in plain text. Instead, when a user creates an account, the password is processed through a hash function — a one-way mathematical algorithm that converts the password into a fixed-length string of characters called a hash. When the user logs in, the system hashes the entered password and compares it to the stored hash. If they match, access is granted. Password cracking is the process of discovering the original password from its hash, and it represents one of the most common vectors in cybersecurity breaches. Over 80% of data breaches involve compromised credentials, according to the Verizon Data Breach Investigations Report.
Password Hashing Algorithms
The security of stored passwords depends heavily on which hashing algorithm is used. Different algorithms offer vastly different levels of protection:
| Algorithm | Type | Speed | Security Level |
|---|---|---|---|
| MD5 | Cryptographic hash | Extremely fast (~10 billion hashes/sec on GPU) | Obsolete — collisions found, too fast for password storage |
| SHA-1 | Cryptographic hash | Very fast (~5 billion hashes/sec on GPU) | Deprecated — collision attacks demonstrated in 2017 |
| SHA-256 | Cryptographic hash | Fast (~1 billion hashes/sec on GPU) | Secure for data integrity but too fast for passwords |
| bcrypt | Key derivation function | Deliberately slow (configurable work factor) | Good — designed for password hashing |
| scrypt | Key derivation function | Slow and memory-intensive | Good — resistant to hardware-based attacks |
| Argon2 | Key derivation function | Configurable time and memory cost | Excellent — winner of Password Hashing Competition (2015) |
The critical difference is speed. General-purpose hash functions like MD5 and SHA-256 are designed to be fast, which makes them terrible for password storage — an attacker can test billions of password candidates per second. Purpose-built password hashing functions like bcrypt and Argon2 are deliberately slow and resource-intensive, making brute force attacks orders of magnitude harder.
Password Cracking Methods
Brute Force Attacks
A brute force attack systematically tries every possible combination of characters until the correct password is found. For a password using lowercase letters, uppercase letters, digits, and symbols (95 printable ASCII characters), the total combinations are:
- 6-character password: 95^6 = ~735 billion combinations
- 8-character password: 95^8 = ~6.6 quadrillion combinations
- 12-character password: 95^12 = ~5.4 x 10^23 combinations
Against a fast hash like MD5 on modern GPU hardware (capable of ~100 billion hashes per second), a 6-character password falls in seconds. An 8-character password may take hours to days. A 12-character password becomes computationally infeasible — requiring millions of years. This is why password length is the single most important factor in password strength.
Dictionary Attacks
Rather than trying every possible combination, dictionary attacks use lists of common passwords, words, names, and phrases. These attacks are effective because humans tend to choose predictable passwords. Analysis of leaked password databases consistently reveals that the most common passwords include "123456," "password," "qwerty," and similar easily guessed strings. Dictionary attacks also apply common transformations — capitalizing the first letter, appending numbers, replacing letters with similar characters (e.g., "p@ssw0rd") — because these patterns are also highly predictable.
Rainbow Table Attacks
A rainbow table is a precomputed lookup table that maps hash values back to their original passwords. Instead of computing hashes in real time, an attacker simply looks up the stolen hash in the table. Rainbow tables can crack any password within their scope (e.g., all passwords up to 8 characters using a specific character set and hash algorithm) almost instantly.
The defense against rainbow tables is salting — adding a unique random string (salt) to each password before hashing. Since each user's password has a different salt, an attacker would need a separate rainbow table for every possible salt value, making the approach infeasible.
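The effect of salting on a precomputed table, shown as an added example (not code from the original article): a toy hash-to-password table over a constructed candidate list reverses an unsalted SHA-256 hash in one lookup, misses once a per-user salt is mixed in, and the table would have to grow by 2^128 for a 16-byte salt to cover every salt value. Salting only defeats precomputation; SHA-256 is still fast, so a slow key derivation function is still needed on top.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed candidate list; it stands in for the multi-million-entry wordlists a real table covers.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "p@ssw0rd"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(candidates: List[str]) -> Dict[str, str]:
    """Precompute hash -> password once for every candidate. A rainbow table is this idea plus
    chain compression so it fits on disk; the lookup-instead-of-compute trade-off is the same."""
    return {sha256_hex(p.encode("utf-8")): p for p in candidates}

def store_unsalted(password: str) -> str:
    """Weak scheme: the hash depends on the password alone, so one table serves every user and site."""
    return sha256_hex(password.encode("utf-8"))

def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt mixed in before hashing; the salt is stored in the clear beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    return salt, sha256_hex(salt + password.encode("utf-8"))

def reverse_with_table(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """A single dictionary lookup: instant for an unsalted hash, a miss in practice for a salted one."""
    return table.get(stored_hash)

def salted_table_entries(num_candidates: int, salt_bytes: int) -> int:
    """Entries a precomputed table would need to cover every possible salt: candidates * 2^(8*salt_bytes)."""
    return num_candidates * 2 ** (8 * salt_bytes)
```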
Credential Stuffing
When login credentials are stolen from one service through a data breach, attackers automatically test those username-password combinations against thousands of other websites and services. This succeeds because an estimated 65% of people reuse passwords across multiple accounts. Credential stuffing is not technically password cracking — it exploits password reuse rather than cryptographic weakness.
Social Engineering and Phishing
- Phishing: Creating fake login pages that capture credentials when users enter them, believing they are on a legitimate site
- Pretexting: Impersonating IT support or other authority figures to trick users into revealing passwords
- Shoulder surfing: Physically observing someone entering their password
- SIM swapping: Convincing a mobile carrier to transfer a victim's phone number, then intercepting SMS-based two-factor authentication codes
Real-World Cracking Hardware
Modern password cracking leverages GPU (Graphics Processing Unit) clusters. A single high-end GPU can compute billions of MD5 hashes per second. Purpose-built cracking rigs with 8+ GPUs can achieve tens of billions of hashes per second. Hashcat and John the Ripper are widely used open-source password recovery tools that support hundreds of hash types and attack modes.
| Password Type | Hash Algorithm | Estimated Time to Crack |
|---|---|---|
| Simple password (8 chars, mixed case + digits) | MD5 (unsalted) | Minutes to hours |
| Simple password (8 chars, mixed case + digits) | SHA-256 (unsalted) | Hours to days |
| Simple password (8 chars, mixed case + digits) | bcrypt (cost 12) | Centuries |
| Random passphrase (4 words) | MD5 (unsalted) | Years to decades |
| Random passphrase (4 words) | bcrypt (cost 12) | Effectively impossible |
How to Protect Your Passwords
- Use long passwords or passphrases: A random 4-5 word passphrase (e.g., "correct horse battery staple") is both easier to remember and harder to crack than a short complex password
- Never reuse passwords: Each account should have a unique password to prevent credential stuffing attacks
- Use a password manager: Tools like Bitwarden, 1Password, or KeePass generate and store unique, random passwords for every account
- Enable multi-factor authentication (MFA): Even if a password is compromised, MFA requires an additional verification step — preferably a hardware key (FIDO2/WebAuthn) or authenticator app rather than SMS
- Check for breaches: Services like Have I Been Pwned allow users to check whether their email or passwords have appeared in known data breaches
For Developers: Secure Password Storage
- Always use a purpose-built password hashing function (Argon2id, bcrypt, or scrypt) — never MD5, SHA-1, or SHA-256 alone
- Always use unique, random salts per password (modern libraries handle this automatically)
- Set work factors high enough to make each hash computation take at least 100-250 ms on your server hardware
- Implement account lockout or rate limiting to prevent online brute force attacks
- Enforce minimum password length (12+ characters recommended by NIST SP 800-63B) but avoid arbitrary complexity rules that encourage predictable patterns
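The developer guidance above, as an added example (not code from the original article): salted scrypt via Python's standard library (assumes a build with OpenSSL 1.1+ so `hashlib.scrypt` exists), with the cost parameters stored beside the hash so they can be raised later, constant-time verification, a timing helper for tuning the work factor toward the 100-250 ms target, and a per-account lockout for the online brute-force case. The `LoginThrottle` class and the `scrypt$n$r$p$salt$hash` string layout are this example's own choices, not a standard format.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters. Assumption: raise SCRYPT_N until time_one_hash() reports 100-250 ms on the real server.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_BYTES, KEY_BYTES, MAXMEM = 16, 32, 2**26  # scrypt needs about 128 * r * n bytes of RAM

def hash_password(password: str) -> str:
    """Fresh random salt per password; parameters are stored in the string so they can be raised later."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=MAXMEM, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), maxmem=MAXMEM, dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)

def time_one_hash() -> float:
    """Milliseconds for one hash on this machine, the number to tune SCRYPT_N against."""
    start = time.perf_counter()
    hash_password("calibration-only")
    return (time.perf_counter() - start) * 1000

class LoginThrottle:
    """Per-account lockout: refuse attempts after `limit` failures within `window` seconds."""
    def __init__(self, limit: int = 5, window: float = 900.0):
        self.limit, self.window, self.failures = limit, window, {}

    def is_locked(self, user: str, now: float) -> bool:
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        self.failures[user] = recent  # drop failures older than the window
        return len(recent) >= self.limit

def attempt_login(stored: str, user: str, candidate: str, throttle: LoginThrottle, now: float) -> bool:
    # Lockout check first, then the slow hash, then count the failure against the account.
    if throttle.is_locked(user, now):
        return False
    if verify_password(stored, candidate):
        return True
    throttle.failures.setdefault(user, []).append(now)
    return False
```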