What is password cracking and what techniques do hackers use

What is password cracking?

Password cracking is the process of reversing an encrypted or hashed password – a form in which passwords are typically stored within systems – to its original plaintext form that the user has created. This kind of password decryption is called cracking only when done outside the authentication process.

The intent of cracking passwords can be both benevolent and malicious. If the user has forgotten their password, cracking it may help to regain access to their locked accounts. System administrators also employ password cracking to check the strength of passwords to eliminate the weak ones. Meanwhile, with the help of password-cracking tools, hackers can gain unauthorized access to various accounts and systems and breach sensitive data.

Password cracking is often mistaken for password guessing, the latter referring to trying out various combinations of letters and symbols to find the right match for the user’s password. The main difference between password guessing and cracking is that guessing is only viable if the password remains unhashed or unencrypted, whereas cracking deals with scrambled passwords.

Most common password cracking techniques

Hackers use various tools and methods, often a mix of them, to find ways to crack password hashes and encryption and gain access to secured systems. Depending on the information the hacker has gathered about you and the technique they use, it may take anything from minutes to days to crack your password. Read further to discover how hackers try to crack passwords.

Brute-force attack

A brute-force attack is a process of running automated scripts and trying out every possible password combination until the right match is found. The software used for building attack scripts creates successions of a large number of characters, the string of these characters matching the length of a targeted password. Typically, the longer the password, the more character combinations there are to try, and the more time it takes for a hacker to crack it.

A brute-force attack employs a trial-and-error method, and its success depends on the original password’s complexity and how much computational power and time the hacker invests to crack that password. Brute-force attacks are the most effective when users create short passwords or use common words to remember their passwords better. A password with meaning can be guessed in seconds because it uses easily recognizable character sequences.

Credential stuffing

Credential stuffing is a password-cracking technique in which the threat actor uses the same piece of credentials to unlock different accounts of the same person. Hackers typically use a botnet to perform credential stuffing because it allows them to try the leaked credentials against multiple accounts simultaneously.

This password-cracking method is the most successful when directed toward users who use the same password and username for multiple accounts. However, credential stuffing has quite a low success rate because only a small subset of stolen credentials will likely be used on other accounts.

Dictionary attack

A dictionary attack is a subset of a brute-force attack that runs on a presumption that users stick to certain password-creating patterns and use one password’s variations for their accounts. As a result, hackers have created attack dictionaries that consist of words or phrases most likely to be used in passwords. Threat actors typically use automated scripts to match the original password with the suggestions from the gathered attack dictionary.

Hackers have gone so far as to create special password dictionaries for different topics, for instance, cinema, music, or politics, and use them based on the information gathered on the targeted person.

Hybrid attack

A hybrid attack can be a different mixture of password-cracking attacks, but the most popular combination is that of brute-force and dictionary-based attacks. It’s performed whenever the hacker assumes you use a variation of your leaked password. In this case, threat actors use a predefined list of phrases people often use to create passwords (typical to dictionary attacks) and extend them by adding variables – random symbols and numbers (specific to brute-force attacks). Afterward, they brute force the phrase and symbol combination to match the correct password.

Hybrid attacks exploit users’ tendency to use passwords they can easily remember and extend them with simple symbol variations to match password complexity and length requirements. This password-cracking method is slower than a dictionary attack due to the added variables but faster than a brute-force attack as it takes a more systematic approach to match passwords.

Rainbow table attack

Rainbow table attack is a cryptographic attack that targets password hashes. The hashing algorithm is used to turn plaintext passwords into a sequence of random symbols, which is then saved in the system’s backend. Meanwhile, the rainbow table is a list of known hashes derived from leaked or common passwords. Whenever the hacker puts their mind to cracking a password, they check the hashes in the rainbow table against the targeted password hash till they find the right match.

Rainbow tables exploit the mechanism behind hashing: The same password always results in the same hash. This means the hashes of widely used passwords are always the same, no matter how many people on how many different occasions use them.

The most effective way to secure your password from rainbow table attacks is to add salt to your password hash. Salt is a string of random symbols added to the plaintext password before it’s hashed. It helps to make sure that even if the same password is used a couple of times, it doesn’t end up having the same hash.

Phishing and malware

Phishing attacks and social engineering techniques are probably the easiest and most effective ways for hackers to steal your credentials. Threat actors can fake legitimately looking websites and trick you into filling in your credentials there. Others may insert a malicious link or add an attachment to the phishy email, hoping you will unknowingly install credential-stealing malware into your computer.

The malware used for password stealing is usually keyloggers, which track your keystrokes to reveal character combinations you use when entering passwords, and screen scrapers, which take screenshots of your screen without your knowledge.

How to prevent password cracking

The success of password-cracking techniques depends highly on your endeavors to properly secure your password. Below, find the most effective ways to prevent hackers from stealing or leaking your passwords:

• Create a strong password. A strong password is your key defense against hackers’ offenses. It should be at least eight characters long and consist of a mixture of upper and lower-case letters, numbers, and special symbols.
• Use multi-factor authentication (MFA). Whenever you use MFA, you are prompted to pass two or more verification rounds before you can access your account. Though in most cases a password is the first thing you need to provide before opening locked resources, MFA will also prompt you to enter a one-time code sent to your device or will check your biometric data before it lets you into your account. MFA makes sure that even if hackers crack your password, they cannot access your account.
• Use biometric data instead of passwords. Using your unique physical features – a fingerprint or a face scan – to unlock your accounts is often safer than using passwords. For one, biometric data doesn’t yield to various types of brute force attacks. However, you should still keep in mind that every piece of information you store online, including biometric data, is hackable.
• Encrypt and hash your passwords. Password encryption and hashes increase the computational effort and time hackers need to crack passwords. While encryption turns your plaintext password into a ciphertext, a hash produces a string of random characters unique to each specific password. However, don’t forget to add salt to your hashed password. Salting and hashing passwords are your best defense against a rainbow table attack.
• Regularly update your software. System updates help to mend known vulnerabilities within the software you use. It lowers the chances of hackers finding weak spots in your software or operating system and using them to steal your credentials and sensitive data.

FAQ

How long does it take to crack a password?

The time needed to crack a password depends on the complexity of the password and the password-cracking tool in use. For instance, it may take a couple of minutes to crack a weak password and take days to break a strongly secured one.

Is it illegal to crack passwords?

Technically, it’s not illegal to crack passwords. Cybersecurity experts often use all of the tools mentioned in this article to search for system vulnerabilities. Password-cracking tools are also irreplaceable when recovering a user’s forgotten password or fighting online crime. Even though threat actors have found ways to use password-cracking tools for malicious purposes, the tools themselves are considered legal.