Published: 26/06/2020

Password Cracking

A password cracking attack is the process of obtaining the correct password to an account in an unauthorised way. Every password has vulnerabilities, and this makes it easy to hack.

Password attackers use various techniques to crack passwords, including the use of records obtained from data breaches. You can check if your email address appears on a list of compromised accounts using this tool.

Why people crack passwords

There are many reasons why attackers want to crack passwords. First, they try to obtain access to restricted data and systems, get a foothold in companies’ networks, or just seize control of an account and use it for their own purposes.

How long does it take to crack a password

With one minute of computation time, an eight-character alphanumeric lowercase word should take five minutes or less on average to guess correctly from among all possibilities in a brute force attack containing 26 English characters; with ten seconds of computations, that same length word would typically take 20 hours or longer on average using brute force guessing without any type of outside help – such as wordlists.

Two primary forms of password cracking

One of the most common types of password attacks are:

Brute force

Brute force attacks involve an attacker submitting many possible passwords to test them with the hope of eventually guessing correctly and cracking this password. Brute force attacks very often use a list of commonly-used passwords.

Dictionary attacks

A dictionary attack is when an attacker uses a list of words pulled from sources such as dictionaries, thesauruses, and newspapers to crack passwords.

Password guessing vs password cracking

Password guessing is the process of entering a password manually by the user to see if it is correct, whereas password cracking involves using programs or software to try several combinations of possible passwords at once.

How password cracking programs work

Password cracking programs work by using various methods to process and analyze large numbers of password hashes. A hash is a transformation of an input string into a smaller fixed-length output string; it is like fingerprints used for identification purposes.

If the original password can be determined then other passwords with similar characteristics can be cracked too. For example, if one knows how 7% of users create their password then that knowledge can be extrapolated to create cracking dictionaries for all the other 3,700 characters (upper- and lowercase letters, numbers, symbols) to make up 93% of possible passwords.

Post cracking activities

Once a password has been successfully cracked there are sometimes follow-up attacks to perform certain tasks: privilege escalation, installing backdoors, data exfiltration, etc.

Rainbow attack

A rainbow attack is a type of password cracking that uses different words from the original password to generate all other possible passwords.

Rainbow table attack

A rainbow table attack is an additional method that can be used to crack passwords. Rainbow tables exploit the fact that password hashes are not secure when it comes to protecting against cracking attacks by storing pre-calculated values of encrypted hashes for each possible word in a large database, which makes it easy to check whether the hash value has been cracked or not when a certain word is identified as the actual password. In essence, this mechanism performs many of its calculations before even accessing the storage where all those values are stored.

Today’s computers and multi-core processors allow much more efficient processing of lists of words and the possibility to exploit their weaknesses through additional methods such as rainbow tables. Rainbow table attack can crack hashes that are much longer and more complex than wordlists.

Frequently asked questions about password cracking

What password is most commonly used? Password1, 123456, and Qwerty. Those are the three most common passwords. It’s safe to bet that anyone with less than average computer knowledge is using one of those as their password.
How do I make my password harder to crack? First, don’t use any words found in an English dictionary or any variation of them. The typical word combinations (“pizza99”, “qwertyuiop”, “dragonf1sh”) can be cracked easily and fast since computers know these words well – even when misspelled. If you combine two random names, numbers and special characters (e.g., &#*@) that are not found together in any word or proper name, your password will be very hard to guess or crack even with a big dictionary of common passwords.
What is the best way to create strong passwords? You should come up with several seemingly unrelated words for each site: these words can be similar but cannot be identical – in other words, they need to have at least one letter different from another one. The purpose of a good password is stringing together several seemingly independent parts so there’s no logical relationship between them – so the password is difficult to guess or crack even with a big dictionary.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.

By registering, you confirm that you agree to Netacea's privacy policy.

Solutions by Products

Solutions for Threats

Solutions for Industry

Are bots costing you?

Find out how much bots cost your business

Why Netacea

How Netacea Works

Award winning

Netacea wins SINET16 Innovator Award

Resources

Education

The Bot Management Review

How busineses deal with bot attacks in 2022

Our Company

Analyst recognition

Learn more about what analysts think of Netacea