Password Cracking Methods & How to Avoid Them in 2024

Manual Thomas, Writer
Updated on: July 25, 2024
Fact Checked by Kate Davidson

Only 3 Steps (Quick + Easy) to Protect Your Passwords From Hackers:

  1. Create long, complex, unique passwords for each of your accounts. 16-character passwords (or longer) with a variety of character types are difficult to crack.
  2. Enable two-factor authentication (2FA) for your accounts. 2FA requires you to provide an extra form of verification in combination with your password, usually a one-time code.
  3. Use a password manager. A password manager like 1Password makes it much easier to securely store and organize hundreds of complex passwords.

If you understand how hackers crack passwords, you can protect yourself. Hackers use several password-cracking methods to breach online accounts. As online attacks increase, it’s important to know how hackers get a hold of your passwords, so you can prevent your login credentials and other personal information from being stolen.

Password cracking involves guessing or recovering passwords from stored or transmitted data. It’s important to know that most password cracks succeed because of poor security practices, like using simple, repeated passwords across multiple accounts. Fortunately, you can easily check if your password has been compromised using tools like password managers or websites like Have I Been Pwned.

In this guide, I’ll show you how to avoid falling victim to password cracking and offer advice on what to do if your password has been cracked. Of course, it’s extremely difficult to remember lots of long, complex passwords, so using a password manager is the easiest way to keep your passwords strong and unique. I recommend 1Password for managing your logins — it’s secure and easy to use across all your devices.

We DO NOT encourage or condone password cracking or hacking. This article is solely for educational purposes and is aimed at individuals looking to protect their passwords and better understand cybersecurity risks.

What Is Password Cracking?

Password cracking is when hackers guess or recover passwords from data stored or transmitted by a computer system. Hackers often misuse this practice to gain unauthorized access to systems, while security professionals use it responsibly to test the strength of passwords and identify vulnerabilities, contributing to the overall security of systems.

In password cracking, attackers use software tools to generate large numbers of password guesses, run each guess through the same hashing algorithm the system used, and compare the result against the stored hash. A match reveals the password. How quickly this succeeds depends on the password’s length and predictability, and on whether the stored hash is a fast general-purpose hash (MD5, SHA-1, NTLM) or a deliberately slow password hash (bcrypt, scrypt, Argon2, PBKDF2) that limits how many guesses per second are possible.

Password cracking can be divided into two categories:

  • Online password attacks — These attacks occur in real-time against a live system. The attacker tries to log in by guessing the password directly through the system’s login interface. Online attacks are limited by the speed of the network and the security measures in place, such as account lockouts (where the account is temporarily disabled after a certain number of failed login attempts) and CAPTCHA challenges (which require the user to prove they’re human by solving a visual puzzle). These defenses can significantly slow down the attack, making it less effective.
  • Offline password attacks — These occur after an attacker has already obtained password hashes or encrypted files from a compromised system. The attacker hashes guesses on their own hardware, where GPUs can test billions of candidates per second against fast hashes such as MD5 or NTLM (far fewer against slow hashes like bcrypt or Argon2). Offline attacks are typically faster and more effective because they face none of the rate limits, lockouts, or CAPTCHAs of a live login page, and the victim sees nothing until the attacker uses the recovered password.

Data breaches and leaks often give attackers the password hashes they need to perform offline password attacks. When hackers breach a company’s database, they can expose millions of passwords, significantly increasing the risk of password cracking and unauthorized access — that’s why understanding and preventing password cracking is vital for maintaining digital security and protecting all your sensitive information.

14 Most Common Password Cracking Techniques

There are many password-cracking and hacking methods — here are the most commonly used techniques.

1. Brute-Force Attacks

A brute-force attack tries every possible combination of characters (uppercase and lowercase letters, digits, and symbols) until one matches. Rather than guessing at random, the attacker works through the keyspace systematically, which is why length and character variety matter: each extra character multiplies the number of combinations that must be tried.

Hackers use brute-force programs to automate this process, either by bombarding a login form with guesses (an online attack) or, far more commonly, by testing guesses against a stolen password hash (an offline attack). Once hackers gain access, they can steal data, damage systems, conduct unauthorized transactions, commit identity theft, and spread malware.

This is the classic form of a brute-force attack. However, other types of brute-force attacks include:

  • Reverse brute-force attacks — Hackers start with a password linked to a website account and attempt to guess the matching username.
  • Credential stuffing attacks — Hackers use credentials obtained from previous data breaches, hoping users have reused the same username and password across multiple sites.
  • Hybrid brute-force attacks — Hackers take words from a dictionary or leaked-password list and append or prepend brute-forced characters (for example, every word followed by two digits and a symbol).

2. Dictionary Search Attacks

Hackers use dictionary search attacks to crack passwords by systematically entering every word in a predefined list (known as a dictionary). These lists often come from leaked databases of passwords, common words, and phrases people frequently use.

Hackers modify these words in various ways, such as replacing letters with similar-looking numbers or symbols (e.g., “O” with “0”), adding punctuation, or combining words to increase the number of possible passwords they can try. For example, they might change “password” to “p@ssw0rd!” or “password123.”
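As an added illustration (this is not code from the original article or from any cracking tool; it is a small Python model written for this page), the following runs a rule-based dictionary attack against a constructed dump of unsalted SHA-256 hashes. The wordlist, the leet-speak substitution table, the suffix list, and the four user records are all made up for the example; real attackers use leaked lists such as rockyou.txt and far richer rule sets.

```python
import hashlib

# Constructed wordlist: stands in for a leaked-password list such as rockyou.txt
WORDLIST = ["password", "letmein", "sunshine", "dragon", "monkey"]

# Substitutions and suffixes of the kind described above ("password" -> "p@ssw0rd!")
LEET = {"a": "@", "e": "3", "i": "1", "o": "0"}
SUFFIXES = ["", "1", "123", "!", "2024", "123!"]


def mangle(word):
    """Yield rule-based variants of one dictionary word."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(stolen, wordlist):
    """Crack a dump of unsalted SHA-256 hashes ({user: hex digest}).

    Each candidate is hashed once and looked up against every stolen hash,
    so the cost is per candidate, not per candidate per user.
    """
    by_hash = {}
    for user, digest in stolen.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            users = by_hash.get(sha256_hex(candidate))
            if users:
                for user in users:
                    cracked[user] = candidate
                if len(cracked) == len(stolen):
                    return cracked, tried
    return cracked, tried


# Constructed breach dump: four users, three with predictable passwords
STOLEN = {
    "alice": sha256_hex("p@ssw0rd!"),
    "bob": sha256_hex("letmein123"),
    "carol": sha256_hex("Sunshine2024"),
    "dave": sha256_hex("correct horse battery staple"),
}

if __name__ == "__main__":
    cracked, tried = dictionary_attack(STOLEN, WORDLIST)
    print(f"tried {tried} candidates, cracked {len(cracked)}/{len(STOLEN)}: {cracked}")
```

Three of the four fall to 150 guesses. dave’s passphrase survives because four words joined together is outside what a word-plus-suffix rule set generates, which is the argument for long passphrases (that particular famous phrase would be in any real wordlist by now, so choose your own words).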

3. Guessing the Password

If hackers cannot run brute-force tools against a system, they can always resort to guessing a user’s password by hand. They learn about the user (family names, home address, pet names, date of birth, and so on) and try passwords built from that personal information.

4. Phishing

The term “phishing” comes from “fishing,” as attackers “fish” for victims’ sensitive information. Hackers usually create copycat websites (fraudulent sites designed to look nearly identical to legitimate ones) aimed at deceiving users into giving away login credentials or other personal information.

The most common phishing techniques include:

  • Email phishing — Sending mass emails that include links to phishing sites to random recipients, casting a wide net and hoping some recipients fall for the scam.
  • Spear phishing — Emailing phishing links to specific individuals, commonly company employees. Unlike mass email phishing, spear phishing targets specific individuals or organizations, often using personalized information to appear more credible and increase the chances of success.
  • Smishing — Sending scam SMS messages with dodgy links or requests for your personal info.
  • Social media — Posting links to malicious sites on social networking sites, especially in comment sections, such as YouTube comments or X (formerly Twitter) replies.

If you have reputable internet security software installed on your devices, like Norton or Bitdefender, it should prevent you from accessing phishing sites or alert you to suspicious links.

5. Social Engineering

In social engineering attacks, hackers deceive targets into giving away private information by posing as legitimate actors, such as banking support representatives. They use the target’s background information to manipulate them into unknowingly giving away information, often making their targets feel rushed or scared to get them to act quickly without thinking.

Examples of social engineering attacks include:

  • Scam phone calls — Convincing targets to give away personal information to a scammer posing as a representative of a legitimate company, such as a bank.
  • Emails — Sending carefully crafted emails posing as legitimate actors to convince targets to give away private information or download malware. Scammers usually engage in a conversation with the target to build trust.
  • Social media messages — Hackers may pose as company accounts or even friends to deceive users.
  • In person — Scammers may perform social engineering attacks in person, sometimes dressing in a fake uniform to appear as though they are representing a company and asking a series of questions.

6. Spyware

Spyware is a type of hidden malware that can monitor and record your every move on a computer or smartphone. It can adjust your device’s settings and control webcams. Essentially, spyware can watch your every move online, view the sites you visit, and record the usernames and passwords you use to access sites. Hackers can then easily access your accounts. An effective antivirus scanner like Norton 360 can detect and remove spyware.

7. Keyloggers

Keyloggers (keylogging malware) record your keystrokes to steal your sensitive information. This malware is a form of spyware. Once a keylogger records your keystrokes, it transmits them to hackers, who then work out which accounts the captured credentials belong to. Some antiviruses can protect you against keyloggers, and a password manager that autofills credentials means there are no keystrokes for a keylogger to capture in the first place.

8. Man-in-the-Middle (MITM) Attacks

A Man-in-the-Middle attack involves hackers positioning themselves between your device and the service you’re talking to, intercepting data transferred across the network, including usernames, passwords, payment card details, and more. MITM attacks commonly occur on unsecured networks, such as public Wi-Fi hotspots, where bad actors can set up a rogue access point or spoof the network’s gateway so that your traffic passes through their machine. HTTPS protects credentials in transit from most of these attacks, so never enter a password on a page that isn’t served over HTTPS and never click through a certificate warning. If you have to access the internet on a public network, a good VPN adds a second encrypted layer.

9. Spidering

Spidering is a password-cracking technique where a hacker collects information about a company or individual to better guess their login credentials. After researching a victim’s social media, web presence, and other sources, the hacker generates password combinations based on the collected information, such as passwords including the victim’s date of birth, company name, etc.

10. Rainbow Table Attacks

A rainbow table is a large precomputed structure (chains of hashes built with a time-memory trade-off) that lets an attacker look up the plaintext for a hash instead of computing guesses from scratch. Hackers must first obtain a list of password hashes, usually from a data breach, before conducting a rainbow table attack. These attacks are stopped by “salting”: adding a unique random value to each password before hashing, so the same password produces a different hash for every user and no precomputed table can cover them all. Any competently built authentication system salts its password hashes, and modern ones also use a slow hash (bcrypt, scrypt, Argon2, or PBKDF2) to limit guessing speed.
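The difference salting makes, as an added Python example (not code from the article or from any real authentication system): a precomputed lookup table (the simpler cousin of a rainbow table, which compresses the same idea into hash chains) instantly cracks an unsalted SHA-256 store, fails against the same password once a per-user salt is added, and the third storage function shows the recommended form, a salted and deliberately slow PBKDF2-HMAC-SHA256 with constant-time verification. The password list is an assumption for the example; the 600,000-iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords: the "dictionary" the precomputed table covers
COMMON = ["123456", "password", "qwerty", "letmein", "iloveyou", "welcome1"]


def build_lookup_table(words):
    """Precompute SHA-256(word) -> word once; reusable against any unsalted SHA-256 dump."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def store_unsalted(password):
    """Weak storage: plain SHA-256, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Better: 16 random bytes per user, prepended before hashing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def store_pbkdf2(password, iterations=600_000):
    """Recommended: salted AND deliberately slow (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt/iterations; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup(table, stored):
    """Try the precomputed table against a stored value (ignores any salt prefix)."""
    digest = stored.split("$")[-1]
    return table.get(digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON)
    print("unsalted:", lookup(table, store_unsalted("qwerty")))  # instant hit
    print("salted:  ", lookup(table, store_salted("qwerty")))    # None: table is useless
    rec = store_pbkdf2("qwerty")
    print("pbkdf2 verify:", verify_pbkdf2("qwerty", rec), verify_pbkdf2("qwertz", rec))
```

Two users who both choose “qwerty” get two different salted records, so even a table built specifically for this breach would have to be recomputed per user. The slow hash then makes each of those recomputations cost hundreds of thousands of SHA-256 operations instead of one.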

11. Data Breaches

Data breaches involve hackers accessing a company’s servers where you have an account and stealing a variety of sensitive data, including usernames and passwords. If one or more of your passwords have been compromised in a data breach, you should immediately secure your account and change passwords.

12. Password Spraying

Password spraying is a technique where hackers attempt to gain access to many accounts using a few commonly used passwords. Unlike traditional brute-force attacks, which involve trying many passwords on a single account, password spraying spreads out the attempts over many accounts to avoid detection and account lockouts.

Hackers typically use a handful of common passwords, such as “password123”, “welcome1”, or the current season and year (“Summer2024”), trying one password against every account before moving on to the next. Because each account sees only one or two failed attempts, per-account lockout thresholds are never reached. That is why this method is effective against organizations with weak password policies, no multi-factor authentication, or lockout rules that count failures per account rather than per source.
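Because spraying is designed to stay under per-account lockout thresholds, it has to be detected per source rather than per account. The following Python is an added example (not part of the original article, and not the logic of any particular SIEM): it runs two detectors over a constructed authentication log in an assumed `timestamp src= user= result=` format. One flags the classic brute-force shape (many failures, one account), the other the spraying shape (one source, many accounts, one or two failures each inside a sliding window). The IP addresses, usernames, and thresholds are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real traffic); one line per login attempt
AUTH_LOG = """
2024-07-25T10:00:01 src=198.51.100.9 user=alice result=FAIL
2024-07-25T10:00:03 src=198.51.100.9 user=bob result=FAIL
2024-07-25T10:00:05 src=198.51.100.9 user=carol result=FAIL
2024-07-25T10:00:07 src=198.51.100.9 user=dave result=FAIL
2024-07-25T10:00:09 src=198.51.100.9 user=erin result=FAIL
2024-07-25T10:00:11 src=198.51.100.9 user=frank result=FAIL
2024-07-25T10:01:00 src=203.0.113.7 user=admin result=FAIL
2024-07-25T10:01:01 src=203.0.113.7 user=admin result=FAIL
2024-07-25T10:01:02 src=203.0.113.7 user=admin result=FAIL
2024-07-25T10:01:03 src=203.0.113.7 user=admin result=FAIL
2024-07-25T10:01:04 src=203.0.113.7 user=admin result=FAIL
2024-07-25T10:01:05 src=203.0.113.7 user=admin result=FAIL
2024-07-25T10:02:00 src=192.0.2.5 user=alice result=FAIL
2024-07-25T10:02:05 src=192.0.2.5 user=alice result=SUCCESS
""".strip().splitlines()

# Assumed log format for this example
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_failures(lines):
    """Yield (timestamp, source, user) for every failed attempt; skip malformed lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["result"] == "FAIL":
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def detect_brute_force(lines, min_attempts=5):
    """Classic pattern: many failures against ONE account from one source."""
    counts = defaultdict(int)
    for _, src, user in parse_failures(lines):
        counts[(src, user)] += 1
    return {k: n for k, n in counts.items() if n >= min_attempts}


def detect_spraying(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Spraying pattern: one source, MANY distinct accounts, few failures each,
    inside a sliding time window. A per-account lockout never fires on this."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(lines):
        by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = {"distinct_users": len(per_user), "attempts": sum(per_user.values())}
                break
    return alerts


if __name__ == "__main__":
    print("brute force:", detect_brute_force(AUTH_LOG))
    print("spraying:   ", detect_spraying(AUTH_LOG))
```

On the constructed log, 203.0.113.7 trips the brute-force rule (six failures against admin) while 198.51.100.9 trips only the spraying rule (six accounts, one failure each); a per-account lockout at five attempts would have caught the first and missed the second entirely. In a real environment the same logic runs over Windows 4625 events or your identity provider’s sign-in log, and attackers who rotate source addresses force you to key on other attributes (user agent, ASN, timing) instead of the IP alone.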

13. Mask Attack

A mask attack is a targeted form of brute-force attack. Unlike a plain brute-force attack that tries every possible combination of characters, a mask attack restricts each position to a chosen character set, based on the patterns people commonly follow when creating passwords. Many people start with an uppercase letter, follow it with lowercase letters, and end with digits or a special character. By taking advantage of these structures, attackers configure their cracking tools to test only the most likely combinations, shrinking the keyspace by orders of magnitude.

To execute a mask attack, hackers use placeholders representing different character types within a password. These placeholders typically include:

  • ?l for lowercase letters
  • ?u for uppercase letters
  • ?d for digits
  • ?s for special characters

For example, a mask like “?u?l?l?l?d?d?d?d” (hashcat syntax) generates passwords starting with one uppercase letter, followed by three lowercase letters and four digits (e.g., “Pass1234”). That is 26 × 26³ × 10⁴, roughly 4.6 billion candidates, compared with 95⁸ (about 6.6 quadrillion) for every eight-character string of printable ASCII.
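To make the keyspace reduction concrete, here is an added Python example (written for this page, not taken from hashcat or the original article) that parses a hashcat-style mask, counts the candidates it generates, expands it, and runs it against a stolen SHA-256 digest. The 10 billion guesses per second used for the time estimate is an assumed rate for a fast hash on a GPU rig, and the target hash is constructed.

```python
import hashlib
import string
from itertools import product

# Built-in character classes, following hashcat's ?l ?u ?d ?s convention
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def parse_mask(mask):
    """Turn '?u?l?l?l?d?d?d?d' (or 'Pass?d?d?d?d') into one character set per position."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSETS:
            sets.append(CHARSETS[mask[i + 1]])
            i += 2
        else:
            sets.append(mask[i])  # literal character: a position with exactly one option
            i += 1
    return sets


def keyspace(mask):
    """Number of candidates the mask generates: product of the per-position set sizes."""
    n = 1
    for s in parse_mask(mask):
        n *= len(s)
    return n


def candidates(mask):
    for combo in product(*parse_mask(mask)):
        yield "".join(combo)


def mask_attack(target_digest, mask):
    """Hash every candidate the mask produces until one matches the stolen SHA-256 digest."""
    for cand in candidates(mask):
        if hashlib.sha256(cand.encode()).hexdigest() == target_digest:
            return cand
    return None


def seconds_to_exhaust(mask, guesses_per_second=10_000_000_000):
    """Worst-case time at an ASSUMED 10 billion guesses/s (a fast hash on a GPU rig)."""
    return keyspace(mask) / guesses_per_second


if __name__ == "__main__":
    full = "?u?l?l?l?d?d?d?d"
    print(f"{full}: {keyspace(full):,} candidates, {seconds_to_exhaust(full):.2f} s worst case")
    print(f"any 8 printable chars: {95**8:,} candidates, {95**8 / 1e10 / 86400:.1f} days")
    stolen = hashlib.sha256(b"Pass1234").hexdigest()
    print("recovered:", mask_attack(stolen, "Pass?d?d?d?d"))
```

Running it shows the full ?u?l?l?l?d?d?d?d mask is about 4.6 billion candidates, under half a second at the assumed rate, where the unrestricted eight-character keyspace of 95⁸ would take roughly a week. Literal characters in a mask (Pass?d?d?d?d) narrow it further, which is how an attacker who knows a company’s password-naming habit turns a brute-force run into a ten-thousand-guess job.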

14. Shoulder Surfing

Shoulder surfing is a low-tech yet surprisingly effective password-cracking technique. It involves a hacker physically observing someone as they enter their password or PIN, typically by looking over their shoulder or from a nearby vantage point. Hackers use this method in many public places, such as coffee shops, libraries, airports, or even office environments, making it a ubiquitous threat.

Hackers using this technique often rely on:

  • Visual observation — Directly watching as someone types their password on a keyboard, smartphone, or ATM keypad.
  • Recording devices — Using hidden cameras or smartphone cameras to capture password entry for later analysis.
  • Social engineering — Pretending to help someone with a technical issue while covertly observing their login process.

Despite being less advanced than other hacking methods, shoulder surfing still poses a significant threat because of its simplicity and the widespread use of mobile devices in public areas. Protect yourself by staying aware of your surroundings, using privacy screens on your devices to limit the viewing angle and prevent others from seeing your screen, and shielding your hands when entering sensitive information in public.

What Makes a Password Easy to Crack?

Understanding what makes a password easy to crack means you can protect yourself against such attacks. Passwords that are easy to hack often share common characteristics that hackers exploit:

Short Length

Short passwords are inherently easier to crack. The fewer combinations a hacker needs to try, the faster they can guess it. For instance, a password like “12345” can be cracked almost instantly using basic brute-force techniques. A strong password is at least 12-16 characters long.

Common Words and Phrases

Using common words and phrases makes your password susceptible to dictionary attacks. Hackers use precompiled lists of common words, phrases, and passwords leaked from previous data breaches. They often start with “password”, “123456”, and “qwerty”.

Predictable Patterns

Hackers exploit predictable patterns in passwords. Many people use sequences like “abcd1234” or “password2023.” Hackers can narrow down their guesses to the most likely combinations based on these patterns.

Personal Information

Using personal information in your passwords makes them easier for hackers to guess. They can easily get information such as names, birthdates, and addresses through social engineering or data breaches. Anyone who knows basic information about you can quickly guess passwords like “John1985” or “Mary123”.

Lack of Complexity

Hackers find it much easier to crack passwords that lack complexity. A strong password should include a mix of uppercase and lowercase letters, numbers, and special characters. Passphrases, which consist of a sequence of random words that are easy to remember but hard to guess, are another good option. Using a password manager like 1Password makes it easy to create unique and strong passwords and passphrases for all of your accounts.

Reused Across Multiple Accounts

Using the same password for multiple accounts is a major security risk. If one account is compromised, all other accounts using the same password are at risk. Hackers frequently attempt credential-stuffing attacks, using credentials from one breach to access multiple accounts.

Absence of Two-Factor Authentication (2FA)

Not enabling two-factor authentication (2FA) makes your accounts more vulnerable. Even if a hacker cracks your password, 2FA adds an extra layer of security, requiring a second form of verification (like a code sent to your phone) before granting access.

To avoid using weak and easily hackable passwords, take advantage of the SafetyDetectives password generator tool. It creates strong, unique passwords that are difficult for hackers to crack.

Popular Password Cracking Tools

The most popular password-cracking tools include:

  • Cain and Abel — Cain and Abel is a Windows-only password recovery tool that is no longer maintained but still widely cited. It bundles a wide range of functions, including sniffing network traffic for credentials, analyzing routing protocols, scanning wireless networks for MAC addresses, and running brute-force or dictionary attacks against captured hashes.
  • Hashcat — Hashcat is a free, open-source password-cracking tool compatible with Windows, macOS, and Linux. Its developers describe it as the world’s fastest password cracker, and it is the de facto standard for GPU-based cracking. Hashcat supports several attack modes, including dictionary (with rule-based mangling), mask/brute-force, combinator, and hybrid attacks, and hundreds of hash types.
  • John the Ripper — John the Ripper is a command-line password-cracking application primarily used on Linux and macOS, though a Windows version is also available. It is free, open-source, and supports a wide range of cipher and hash types, including Unix, macOS, and Windows user passwords, web applications, database servers, and encrypted archives and documents.
  • Ophcrack — Ophcrack is a free, open-source tool that cracks Windows LM and NTLM password hashes using rainbow tables. It’s available for Windows, macOS, and Linux and includes a brute-force module for leftovers. It recovers weak hashes in minutes, though the free tables only cover limited character sets and lengths.
  • RainbowCrack — RainbowCrack is a free desktop tool for cracking password hashes using the time-memory trade-off technique. It generates its own rainbow tables and uses them to recover passwords from captured hashes, supporting common algorithms like NTLM, MD5, and SHA-2. It offers faster lookups than traditional brute-force methods, using multi-core processing and GPU acceleration for table generation.
  • CrackStation — CrackStation is a free online hash-lookup service that uses an extensive collection of precomputed lookup tables, containing over 15 billion entries sourced from wordlists and leaked passwords. It only works against unsalted hashes, since a salt makes every stored hash unique and defeats any precomputed table.
  • WFuzz — WFuzz is a web application fuzzer rather than a hash cracker. It can brute-force login forms and other request parameters, and is more often used to find unlinked resources like scripts, servlets, and directories during web application testing.

Using password-cracking tools to gain unauthorized access is illegal. We at SafetyDetectives strongly discourage any illegal use of these tools. You should only use them to recover your own passwords, or as an ethical hacker or security professional working to identify and fix vulnerabilities.

How to Find Out If Your Password Has Been Cracked

  • Use a breach scanner — A data breach scanner from top password managers like 1Password will notify you if any of your passwords or other personal data were leaked on the dark web following a data breach.
  • Look for suspicious activity — If you notice any unusual actions like unauthorized messages sent from your email address, your password was most likely hacked and you need to secure your account immediately.
  • Be aware of login notifications from unfamiliar devices or locations — If you receive an account login notification from an unrecognized device or location, it likely means a hacker has access to your account’s password.
  • Check a compromised password database — If you have a password that is commonly used (like password123), it will appear in a database of known compromised passwords like Have I Been Pwned, and you should change it as soon as possible.
  • Look for two-factor authentication (2FA) code requests — If you get a two-factor authentication code sent to your device without requesting it, it’s very likely that your password has been hacked and an attacker is trying to access your account. If you use push-approval 2FA, never approve a prompt you didn’t trigger; attackers send repeated prompts hoping you’ll tap “Approve” to make them stop.

What Should You Do If Your Passwords Are Compromised?

  • Change your passwords immediately — The first thing you should do after discovering your passwords are compromised is to change them immediately. This minimizes the damage hackers can do with unauthorized access to your account.
  • Turn on two-factor authentication (2FA) — If you haven’t already, enable 2FA for the account associated with your compromised password. This adds an extra layer of security.
  • Use a password manager with a data breach scanner — Download a top password manager like 1Password, which includes a data breach scanner to see if any more of your sensitive data has been leaked. The Watchtower feature, for example, notifies you if any of your passwords have been compromised in a data breach, plus it alerts you to weak and reused passwords, so you can up your password security going forward.
  • Run a dark web scan — Use a dark web monitoring tool to see if any other personal data has been leaked. Antiviruses like Norton come with good dark web monitoring.
  • Subscribe to an identity theft protection service — A reputable identity theft provider like Norton 360 with LifeLock can help you monitor and protect your personal information, and assist in recovery if your identity is stolen.
  • Update security questions — If your compromised account uses security questions for additional verification, update them to something unique that hackers can’t easily guess.
  • Review account activity — Check the recent activity on your compromised accounts for any unauthorized actions. Report any suspicious activity to the service provider immediately.
  • Notify relevant parties — Inform your bank, credit card companies, and other relevant institutions about the breach, especially if financial information was involved.
  • Secure other accounts — Change the passwords of any other accounts that might use the same or similar passwords as the compromised one. Ensure each account has a unique password.
  • Monitor financial statements — Keep a close eye on your bank and credit card statements for any unauthorized transactions. Report any discrepancies to your financial institution.
  • Use a security freeze — If the compromised data includes financial information, consider placing a security freeze on your credit reports to prevent new accounts from being opened in your name.
  • Enable account alerts — Set up alerts on your accounts to notify you of any unusual login attempts or changes to your account information.

By following these steps, you can better protect yourself from further exploitation and mitigate the risks associated with compromised passwords.

How to Protect Your Password From Being Cracked (or Hacked)

Create Strong Passwords

The best way to protect your password from being cracked is to use long, complex passwords — the longer and less predictable a password is, the harder it is to crack. A short password such as “cats123” falls in seconds to an offline attack (it is almost certainly in leaked-password lists already), while a long, unpredictable one like “CaTs-are_my-Favor1tE_aN1maL!” is beyond brute force with today’s tools, provided it isn’t reused on a site that has been breached and the site stores it with a salted, slow hash.

Use Two-Factor Authentication for Your Accounts

Two-factor authentication (2FA) requires you to enter a second form of verification along with your password before you sign in. This means that hackers would need both your password and your 2FA credentials to access your account. I recommend using 2FA for all of your compatible accounts. Authenticator apps, hardware security keys, and passkeys are stronger than SMS codes, which can be intercepted through SIM swapping; security keys and passkeys also resist phishing, because they only work on the genuine site.

Use a Password Manager

A password manager app like 1Password is a great way to store your login credentials securely — all details are stored in vaults using advanced encryption, making it virtually impossible for hackers to access them unless they have the master password.

Password managers can also easily generate long, complex passwords that are hard for hackers to crack — a great idea given how easily common passwords are compromised. Most top password managers have password generators with high character limits that allow you to use a mix of numbers, letters, and symbols.

Install Antivirus Software

Installing antivirus software protects your device against popular password hacking techniques like phishing and spyware. Norton has a 100% malware detection rate and strong defenses against threats like phishing and ransomware.

Be Aware of Online Scams

When online, be vigilant about dodgy websites. Phishing scams can trick you into revealing login information through misleading emails, texts, or social media messages. Protect yourself by checking messages from unknown senders and not downloading suspicious attachments. You should also use an antivirus with good web protection to weed out potential risks.

Never Use Personal Info

Avoid using personal information such as names, birthdates, or easily guessable details in your passwords. Cybercriminals often use personal information to guess passwords through social engineering tactics. Instead, use a combination of unrelated words, numbers, and symbols to create a strong password.

Always Use Different Passwords for Each of Your Accounts

Using the same password for multiple accounts is risky because if one account is compromised, all other accounts using the same password are also at risk. By using unique passwords for each account, you minimize the damage that can be done if one password is cracked.

Only Share Passwords With People You Fully Trust

Share passwords sparingly and only with individuals you fully trust. For secure sharing, use a password manager like 1Password, which allows you to share passwords securely without exposing them to potential interception.

Avoid Unsecured Networks

Using public Wi-Fi networks can expose your passwords to hackers. Avoid accessing sensitive accounts over unsecured networks. If you must use public Wi-Fi, use a Virtual Private Network (VPN) like ExpressVPN to encrypt your internet connection and protect your data from interception.

Use Biometric Logins Where Available

Biometric authentication, such as fingerprint or facial recognition, is convenient and hard to phish, but on most consumer devices it unlocks a locally stored credential (a device PIN, a passkey, or a saved password) rather than replacing your account password. Treat it as protection for the device and as a strong second factor, and still keep the underlying password strong and unique.

Use Email Masking

Email masking involves using unique, randomized email addresses for each account. This makes it harder for hackers to link your accounts together and target your primary email address with phishing attacks. Some password managers, like NordPass, offer email masking features to enhance your security.

Keep Your Devices Updated

For maximum protection, always keep your device’s software and firmware up to date. Old software and firmware can contain weaknesses that hackers can exploit. Use Norton’s software updater to keep your computer safe from the latest exploit attacks.

Editors' Note: ExpressVPN and this site are in the same ownership group.

Frequently Asked Questions

Is password cracking illegal?

It depends on authorization. Cracking passwords for your own accounts, or for systems you are explicitly authorized to test (for example, as a penetration tester with a written scope), is legal. Doing the same against someone else’s accounts or systems without permission can lead to criminal charges under computer misuse laws.

A top password manager like 1Password can help prevent your password from being cracked by generating new, stronger passwords and storing them securely in your password vault.

How do hackers crack passwords?

Some of the most common password cracking techniques include brute-force attacks, phishing, and spyware. A brute-force attack is when a hacker systematically tries every combination of characters, or every entry in a list of common passwords, until one matches. Phishing is a tactic where hackers create fraudulent websites or emails aimed at tricking users into giving away their personal data, while spyware is a kind of hidden malware that can record your screen on a computer or smartphone, change your device settings, and even control your webcam.

What kinds of passwords are difficult to crack?

Difficult-to-crack passwords are long, with many characters and a good mix of random numbers, letters, and symbols. With this in mind, the best way to quickly and easily create strong passwords is by using a password generator from a top password manager. My personal favorite is 1Password — it has an excellent password generator that allows you to create up to 100-character passwords using random combinations of numbers, letters, and symbols.

How do you protect your passwords from being cracked or stolen?

Some of the best ways to protect your password from being cracked or stolen include:

  1. Using a password manager.
  2. Installing antivirus software.
  3. Keeping your devices updated.

A top password manager (like 1Password) can generate and store highly secure passwords for you, while a highly-rated antivirus program (like Norton) can keep your device protected from password-cracking techniques like phishing and spyware. Additionally, it’s important to install all updates on your devices in order for their systems to be protected against any new cyber threats.

About the Author

Manual Thomas is a writer at SafetyDetectives. He is a cybersecurity enthusiast and software engineer who has been in the industry for over 5 years, specializing in analyzing the latest developments in online security, such as new threats and best practices for remaining secure online. Manual is also a passionate gamer, linguist, and traveler who always looks for new and intriguing places to visit.
