• Home
  • /Learn
  • /Password Cracking – How Do Hackers Do It?
background image


Password Cracking – How Do Hackers Do It?


Passwords constitute the most popular form of user authentication in the world. Almost every program is protected by a secret string of characters. These strings are typically a collection of letters, numbers and special symbols, and help authenticate and restrict unauthorized usage. Passwords are popularly used because they are easy to remember and give easy access to users. But their ease of use makes them a porous vulnerability that can be exploited by hackers with malicious intent. Notably, over 90% of Internet users worldwide are scared of having their passwords hacked. 

Before we get into password cracking, let us first understand how a password functions. 

How do passwords protect us online? 

A password-based authentication system never actually stores a user’s password in its database, network or system. Instead, it works via something called a hash function. What happens is that instead of storing the actual password, the system stores the password hash. A password hash is a result of sending the password and a randomly assigned value known as salt through a hash function. 

The hash function is designed to be like a one-way street – it is very hard to figure out the input from the output. The hash function gives a layer of protection to the password and makes it harder to crack. 

But it is at this point that most hackers employ password cracking techniques. Their goal is to crack the password by studying the password hash. 

What are the three major password cracking attacks? 

  • Brute Force Attack

This type of attack tries to guess every possible password combination until it hits the right one. This process is slow, tedious and requires tons of computing power to execute. But it has a higher chance of succeeding than any other form of attack. 

  • Dictionary Attack

The dictionary attack combines knowledge of probability with basic human psychological assumptions. Since most people tend to use weak passwords based on preconceived patterns, hackers leverage this reality to create a list of possible passwords and combinations. 

  • Hybrid Attack

It does what its name suggests. It combines brute force with the dictionary attack to crack a password. Beginning with the dictionary attack and then moving on to brute force can enable hackers to crack most passwords. 

There are several tools on the market that allow hackers with malicious intent to crack passwords. These tools range from simple brute force ones to sophisticated tools that can crack passwords on multiple devices at one go. 

  • Hashcat

As one of the most popular tools on the market, it can crack multiple passwords on different devices simultaneously. It also supports a distributed hash cracking system via overlays. 

  • John the Ripper

Named after the notorious serial killer, this tool is wildly popular for cracking Linux, Unix, Windows and Mac OS X passwords. It helps compromise not only OS passwords but also WordPress applications and locked documents.

  • Brutus

It is a remote password cracking tool that only supports Windows OS. It is freely available and can support multi-authentication protocols. What makes it unique is its ability to add custom modules to the pack.

  • Wfuzz

Much like Brutus, Wfuzz also uses a brute force guessing attack to crack passwords. It can also find hidden directories, servlets and scripts, apart from identifying injection vulnerabilities. 

  • Medusa

Medusa is a speedy password-cracking tool. It can run simultaneous attacks and try up to 2000 passwords a minute on a local system. Its speed goes up with the availability of better computing power. But this tool does require some level of command-line knowledge. 

How to create a password that can beat most password cracking tools? 

It is not enough to have a strong password. Weak passwords not only expose you to identity theft but also leave you exposed to ransomware attacks. There are some rules that you should keep in mind while creating a password. 

  • Longer passwords can help stave off brute force attacks because they take much more time to crack. 

  • Always avoid using patterns and personal information in the password. These patterns can make a dictionary attack easier to implement. 

  • A combination of uppercase and lowercase letters along with numbers and special symbols works best. 

  • Never use the same password for multiple applications. You do not want to risk all the applications you use with just one compromised password. 

  • Using a password manager is highly recommended. Many password managers on the market generate random passwords and also remember them for you. 

To learn more about how to create strong passwords, read here.

Password cracking is a real threat that people often underestimate. Studies suggest that 57% of the people that have been scammed online haven’t yet changed their passwords. Their laxity points to a serious vulnerability in most systems. Hackers can leverage this laxity with even the most basic password cracking tools. The best way to stay safe is to create a secure password and recycle it regularly.