You've probably heard that you need a "strong" password, but what exactly is a hacker trying to do when they attempt to crack your password? And why do certain password characteristics make such a big difference in security?
Understanding how password cracking works helps explain why security advice has evolved. It's not about following arbitrary rules - it's about making attacks mathematically impractical. Let's look under the hood at how attackers actually crack passwords.
The Basic Premise: Hash Functions
First, you need to understand how passwords are stored. Legitimate websites don't store your actual password. Instead, they run it through a mathematical function called a hash that converts it into a fixed-length string of characters.
For example:
password123might hash to:482c811da5d5b4bc6d497ffa98491e38MyD0g$Namemight hash to:7c6a180b36896a0a8c02787eeafb0e4c
Hash functions are one-way. You can turn a password into a hash, but you can't reverse the hash back into the password. When you log in, the website hashes what you type and compares it to the stored hash. If they match, you're in.
This is why when a website gets hacked, attackers get a file full of hashes, not actual passwords. Their job is to figure out which password produces each hash. That's where password cracking comes in.
Method 1: Brute Force Attacks
The simplest approach is trying every possible combination of characters until one produces the matching hash. This is called a brute force attack.
How It Works
Imagine the password is just lowercase letters. A brute force attack would try:
- a, b, c, d... z
- aa, ab, ac, ad... az, ba, bb... zz
- aaa, aab, aac... zzz
- And so on...
For each attempt, the cracking software generates the hash and checks if it matches. Modern computers can try billions of passwords per second using specialized hardware.
Why Length Matters So Much
This is where mathematics becomes your friend. Each additional character exponentially increases the number of possible combinations:
Brute Force Math (lowercase letters only)
- 4 characters: 456,976 possible combinations (cracked instantly)
- 8 characters: 208 billion combinations (seconds to minutes)
- 12 characters: 95 quadrillion combinations (years)
- 16 characters: Over 43 sextillion combinations (millennia)
Adding just one character doesn't make the password a little bit stronger - it makes it 26 times stronger if you're using lowercase letters. This exponential growth is why security experts emphasize length above all else.
The GPU Advantage
Attackers don't use regular computers for password cracking. They use graphics cards (GPUs) designed for parallel processing. A high-end GPU setup can try tens of billions of password combinations per second.
But even at billions of attempts per second, the math of long passwords wins. A 16-character random password would take longer to crack than the current age of the universe.
Method 2: Dictionary Attacks
Brute force is thorough but slow. Dictionary attacks are smarter. Instead of trying every possible combination, they try common passwords and words first.
How Dictionary Attacks Work
Attackers maintain huge lists of:
- Common passwords: password, 123456, letmein, welcome
- Dictionary words: house, computer, mountain, coffee
- Previously breached passwords from other hacks
- Common patterns: password1, Password123!, P@ssw0rd
- Names, sports teams, movies, bands, places
They try these first because people are predictable. Why spend hours trying random combinations when many people use "Password123!"?
Rule-Based Modifications
Dictionary attacks get more sophisticated with rules. For example:
- Try the word, then with capital first letter: password → Password
- Add common numbers: password → password1, password123
- Common letter substitutions: password → p@ssw0rd, pa$$word
- Add special characters at the end: password → password!, password!!
This is why "P@ssw0rd123!" isn't actually a strong password. It's just a dictionary word with predictable modifications that cracking software specifically looks for.
Previously Breached Passwords
Attackers have databases of billions of real passwords from previous breaches. These are tried first because people often reuse passwords. If your password appeared in the LinkedIn breach of 2012, it's one of the first things an attacker will try on your bank account in 2024.
Method 3: Rainbow Tables
Rainbow tables are a clever time-saving technique. Instead of hashing passwords on-the-fly during an attack, attackers pre-compute hashes for millions of common passwords and store them in a massive table.
How They Work
The process:
- Before the attack, generate hashes for millions of common passwords
- Store both the password and its hash in a database
- When you have a stolen hash file, simply look up each hash in your rainbow table
- If there's a match, you instantly know the password
This trades disk space for time. Rainbow tables can be hundreds of gigabytes, but they let attackers crack simple passwords instantly instead of computing billions of hashes.
Salting: The Defense Against Rainbow Tables
This is why modern websites add "salt" to passwords before hashing. A salt is random data added to your password before it gets hashed. For example:
- Your password:
password123 - Random salt:
x7K$mN9q - What gets hashed:
password123x7K$mN9q
Each user gets a different random salt, so even if two people use the same password, their hashes are different. This makes pre-computed rainbow tables useless because the attacker would need different tables for every possible salt value.
However, salting doesn't protect against brute force or dictionary attacks on individual passwords - it just makes mass cracking harder.
Method 4: Credential Stuffing
This isn't technically password cracking, but it's how most account breaches happen. Credential stuffing uses passwords that have already been cracked from other sites.
How It Works
- Attackers get username/password pairs from a breach (say, an old forum)
- They try those exact credentials on other popular sites
- Because people reuse passwords, many work
- No actual cracking needed - the password is already known
This is why password reuse is so dangerous. Your banking password's strength doesn't matter if it's the same password you used on that random shopping site that got hacked.
What Makes a Password Resistant to Cracking?
Now that you understand the attacks, the defense strategies make more sense:
Length Is King
Every additional character exponentially increases cracking time. A 16-character password is not twice as strong as an 8-character password - it's trillions of times stronger.
Randomness Matters
Random passwords aren't in dictionaries. X9$mK2pL#vN8qR5t can't be found in any wordlist, so dictionary attacks fail. The only option is brute force, which takes forever for long passwords.
Uniqueness Prevents Credential Stuffing
Using a different password for every site means that when one site gets breached, only that one password is compromised. Your other accounts remain safe.
Avoiding Patterns Helps
Patterns like "Password1," "Password2," "Password3" for different sites are predictable. If an attacker cracks one, they'll try variations on your other accounts.
Practical Password Strength
Weak: password123 (in every dictionary, predictable pattern)
Weak: P@ssw0rd! (dictionary word with common substitutions)
Medium: MyD0g$Name (personal info, but has some complexity)
Strong: correct-horse-battery-staple (long, random words)
Strongest: X9$mK2pL#vN8qR5t (long, random, all character types)
The Speed Factor: Online vs Offline Attacks
There's an important distinction between online and offline password attacks:
Online Attacks
When an attacker tries passwords directly against a website's login page, the website can slow them down. After a few failed attempts, the account locks or requires a captcha. This makes brute force attacks impractical - they can only try a handful of passwords before getting blocked.
Offline Attacks
When a website gets breached and the password database is stolen, attackers crack passwords offline on their own computers. There's no rate limiting. They can try billions of passwords per second with no one stopping them.
This is why you should change your password immediately when a site notifies you of a breach - they're racing against time before the attackers crack your password from the stolen database.
Real-World Time Estimates
How long does it actually take to crack passwords? These are approximate times using a powerful GPU setup:
Cracking Time Estimates
6 lowercase characters: Instant
8 lowercase characters: Minutes
8 all character types: Hours to days
10 all character types: Weeks
12 all character types: Years
16 all character types: Millions of years
Note: These assume offline attacks with no rate limiting. Online attacks are much slower due to account lockouts and rate limits.
Why Password Managers Make Sense
Understanding password cracking makes the case for password managers obvious:
- They generate truly random passwords that aren't in any dictionary
- They make length practical - you can use 20+ character passwords without memorizing them
- They enable uniqueness - different random password for every site
- They're not vulnerable to dictionary attacks because the passwords aren't based on words
A 16-character random password generated by a password manager is effectively uncrackable with current technology. The math simply doesn't work in the attacker's favor.
The Bottom Line
Password cracking is a mathematical game. Attackers have powerful computers that can try billions of combinations per second. Your defense is making the math so unfavorable that cracking your password would take longer than is worth their time.
Short passwords, dictionary words, and common patterns make attackers' jobs easy. Long, random passwords make the math impossible. It's not magic or complicated security - it's just numbers.
Choose passwords that would take millennia to crack, not hours. Use a password manager to make this practical. That's how you win the mathematical race against password cracking.