# Password Cracking Techniques and How to Defend Against Them
## Understanding Password Security
Passwords remain the primary authentication method for most systems, despite the rise of biometric and multi-factor authentication. Understanding how passwords are cracked enables security professionals to implement effective defenses and helps organizations protect sensitive data.
Password security depends on both the strength of individual passwords and how organizations store and protect them. Attackers continuously develop new techniques to crack passwords faster.
## Password Cracking Fundamentals
### How Passwords Are Stored
Modern systems rarely store passwords in clear text. Instead, they use cryptographic hash functions. A good hash function should be one-way (cannot be reversed), deterministic (same input always produces same output), collision-resistant (difficult to find two inputs with same output), and slow (intentionally designed to slow cracking attempts).
### Common Hash Types
For the input password, MD5 produces 5f4dcc3b5aa765d61d8327deb882cf99, SHA-1 produces 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, SHA-256 produces e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, and bcrypt produces $2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/X4.AFNPcE4vC8K.W (the $2b$12$ prefix encodes the variant and cost factor, followed by the salt and the digest).
## Password Cracking Techniques
### Dictionary Attacks
Dictionary attacks use pre-compiled lists of common passwords and words. Using Hashcat: hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt. Using John the Ripper: john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt. Common wordlist sources include rockyou.txt (14 million passwords), CrackStation wordlists, and SecLists.
### Brute Force Attacks
Brute force attacks systematically try every possible character combination. Hashcat example: hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l for 8 lowercase characters. Built-in character sets include ?l for lowercase, ?u for uppercase, ?d for digits, ?s for symbols, and ?a for all printable ASCII characters.
### Rainbow Table Attacks
Rainbow tables are pre-computed hash tables that trade storage space for speed. They work because an unsalted hash of a given password is always the same, so one table entry matches every occurrence of that hash; the time-memory trade-off reduces cracking time; and they are effective against fast hash functions like MD5 and SHA-1. A per-password salt defeats them, since each salted hash would need a table of its own.
### GPU Acceleration
Modern password cracking leverages graphics card processing power. Example speeds on an RTX 3080: MD5 achieves ~50 billion/second, SHA-1 achieves ~15 billion/second, and bcrypt achieves ~100 thousand/second (much slower due to its intentional design).
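As an added example (not code from the original page), the keyspace arithmetic behind the mask and GPU figures above: it sizes any mask built from the built-in charsets and estimates the worst-case time to exhaust it at the quoted rates, which are taken from the text as assumptions rather than measured.

```python
import math

# Hashcat built-in charsets described in the text (?a is the 95 printable ASCII characters).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Guess rates quoted in the text for an RTX 3080 (per second); rough figures, not benchmarks.
RATES = {"MD5": 50e9, "SHA-1": 15e9, "bcrypt": 100e3}


def keyspace(mask: str) -> int:
    """Number of candidates a mask such as '?l?l?l?l?l?l?l?l' enumerates (custom charsets unsupported)."""
    tokens = mask.split("?")[1:]                     # '?l?d' -> ['l', 'd']
    if not tokens or any(t not in CHARSET_SIZES for t in tokens):
        raise ValueError(f"unsupported mask: {mask!r}")
    return math.prod(CHARSET_SIZES[t] for t in tokens)


def seconds_to_exhaust(mask: str, algorithm: str) -> float:
    """Worst-case time to try every candidate of the mask at the quoted rate for that hash."""
    return keyspace(mask) / RATES[algorithm]


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years use 365 days)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for mask in ("?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a"):
        print(f"{mask}: {keyspace(mask):,} candidates")
        for algorithm in RATES:
            print(f"  {algorithm:>7}: {human(seconds_to_exhaust(mask, algorithm))}")
```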
## Password Cracking Tools
### Hashcat
The fastest password recovery tool, with GPU acceleration. Attack modes include -a 0 for straight dictionary, -a 1 for combination, -a 3 for brute force with a mask, -a 6 for hybrid wordlist plus mask, and -a 7 for hybrid mask plus wordlist.
Hash types include -m 0 for MD5, -m 100 for SHA1, -m 1400 for SHA256, -m 3200 for bcrypt, -m 5500 for NetNTLMv1, and -m 5600 for NetNTLMv2.
Useful options include --potfile-path for a custom pot file location, --session for naming a session so it can be resumed, --restore for continuing a session from its checkpoint, and --remove for removing cracked hashes from the hash file.
### John the Ripper
A versatile password cracking tool with support for many hash formats. Basic usage: john hashes.txt or john --wordlist=wordlist.txt hashes.txt. Show cracked passwords with john --show hashes.txt. Format-specific cracking with john --format=NT hashes.txt.
### Hydra
Hydra is a parallelized network login brute forcer. SSH brute force: hydra -l admin -P passwords.txt ssh://target.com. HTTP form attack: hydra -l admin -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid".
## Creating Effective Wordlists
### Organization-Specific Wordlists
Generate a wordlist from a company's public web content using CeWL with cewl https://company.com -m 4 -w company_words.txt (-m 4 keeps only words of at least four characters). Extract from LinkedIn with cewl https://linkedin.com/company/companyname -m 4.
### Password Mutation Rules
Common password patterns include keyboard walks like qwerty and asdfgh, common words like password and welcome, year patterns like 2024 and 1234, and organization-specific terms.
## Real-World Password Cracking Scenarios
### Cracking NTLM Hashes
NTLM hashes are common in Windows authentication. Extract from the SAM database with reg save HKLM\SAM sam.hive and reg save HKLM\SYSTEM system.hive. Crack with Hashcat: hashcat -m 1000 -a 0 hashes.txt wordlist.txt at a GPU speed of ~100 billion/sec.
### Cracking BCrypt
Bcrypt is intentionally slow and designed to resist brute force. Crack with Hashcat: hashcat -m 3200 -a 0 hashes.txt wordlist.txt at GPU speed of ~100 thousand/sec. An 8-character password could take ~3 years to brute force.
### Cracking WiFi Handshakes
Capture with the aircrack-ng tools and convert to hccapx format with cap2hccapx. Crack WPA/WPA2 with hashcat -m 2500 -a 0 handshake.hccapx wordlist.txt (recent Hashcat releases deprecate -m 2500 and hccapx in favour of -m 22000 with the hc22000 format).
## Password Cracking Prevention Strategies
### Strong Password Policies
Minimum requirements should include a length of 12+ characters, upper and lower case letters, digits, special characters, and a check against known-breached passwords using the HIBP (Have I Been Pwned) API.
### Secure Password Storage
Use bcrypt with a cost factor (salt rounds) of 12, or Argon2 with time_cost=3, memory_cost=65536 (64 MB), and parallelism=4.
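An added example, not code from the original page, that ties the hash-storage and rainbow-table sections to the storage advice above: the unsalted digests reproduce the MD5 and SHA-1 values quoted earlier (and show that the SHA-256 value quoted there is the digest of the empty string, not of password), while two users with the same password get different salted records that still verify. Python's standard-library PBKDF2 stands in for bcrypt/Argon2, which need third-party packages; the 600,000-iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for the PBKDF2 stand-in; it plays the role of bcrypt's cost or Argon2's time_cost.
ITERATIONS = 600_000


def fast_hash(password: str, algorithm: str) -> str:
    """Unsalted fast digest as in the text's MD5/SHA examples: same input, same output, so tables work."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)                    # fresh 128-bit salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 int(iterations), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for algorithm in ("md5", "sha1", "sha256"):
        print(algorithm, fast_hash("password", algorithm))
    # Two users who chose the same password get different records; each still verifies.
    alice, bob = hash_password("password"), hash_password("password")
    print(alice == bob, verify_password("password", alice), verify_password("Password", bob))
```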
### Multi-Factor Authentication (MFA)
Implement multiple authentication factors: something you know (password), something you have (phone or token), and something you are (biometric). Use TOTP (Time-based One-Time Password) for time-based codes and U2F/WebAuthn for hardware keys providing phishing-resistant authentication.
### Account Lockout Policies
Implement progressive lockout: 3 failures triggers warning, 5 failures triggers 15-minute lockout, 10 failures triggers 1-hour lockout, and 20 failures triggers account suspension.
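An added illustration, not the page's own code, of the progressive lockout policy above as a small state machine; the action names, the one-minute attempt spacing and the 2024-01-01 start time are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Failure thresholds and durations from the policy in the text.
WARN_AT, SHORT_LOCK_AT, LONG_LOCK_AT, SUSPEND_AT = 3, 5, 10, 20
SHORT_LOCK, LONG_LOCK = timedelta(minutes=15), timedelta(hours=1)

@dataclass
class AccountState:
    failures: int = 0                        # consecutive failed logins
    locked_until: Optional[datetime] = None  # None when not locked
    suspended: bool = False                  # cleared only by an administrator

def can_attempt(state: AccountState, now: datetime) -> bool:
    """A login is evaluated only if the account is neither suspended nor inside a lockout."""
    if state.suspended:
        return False
    return state.locked_until is None or now >= state.locked_until

def record_failure(state: AccountState, now: datetime) -> str:
    """Count one failed login and return the action the policy prescribes at that count."""
    state.failures += 1
    if state.failures >= SUSPEND_AT:
        state.suspended = True
        return "suspend"
    if state.failures == LONG_LOCK_AT:
        state.locked_until = now + LONG_LOCK
        return "lockout-1h"
    if state.failures == SHORT_LOCK_AT:
        state.locked_until = now + SHORT_LOCK
        return "lockout-15m"
    if state.failures == WARN_AT:
        return "warning"                     # e.g. notify the user and the SOC
    return "none"

def simulate(outcomes: List[bool], minutes_apart: int = 1) -> List[str]:
    """Replay login outcomes (True = correct password) spaced evenly; return one action per attempt."""
    state, now, actions = AccountState(), datetime(2024, 1, 1), []  # constructed start time
    for ok in outcomes:
        if not can_attempt(state, now):
            actions.append("rejected")       # not evaluated at all while locked or suspended
        elif ok:
            state.failures, state.locked_until = 0, None  # success resets the counter, never a suspension
            actions.append("success")
        else:
            actions.append(record_failure(state, now))
        now += timedelta(minutes=minutes_apart)
    return actions
```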
### Password Strength Analysis
Estimate entropy as entropy = len(password) * log2(charset_size), where charset_size is the combined size of the character sets the password draws from (26 for lowercase, 26 for uppercase, 10 for digits, and so on). Weak passwords have under 40 bits, fair passwords have 40-60 bits, strong passwords have 60-80 bits, and very strong passwords have over 80 bits.
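An added example, not from the original page, that combines the rules from Strong Password Policies with the entropy estimate above (length times log2 of the charset size); the breached-password set is constructed locally to stand in for the HIBP range API, which the check queries in the same prefix-only way.

```python
import hashlib
import math
import string

# Character classes and sizes used for the charset-based entropy estimate in the text.
CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digit": string.digits,                # 10
    "symbol": string.punctuation,          # 32 printable ASCII symbols
}

# Constructed stand-in for the HIBP range responses: SHA-1 prefix -> suffixes seen in breaches.
_BREACHED = ("password", "welcome", "qwerty", "asdfgh", "123456", "password1")
BREACH_RANGES = {}
for _p in _BREACHED:
    _h = hashlib.sha1(_p.encode()).hexdigest().upper()
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])

def is_breached(password: str) -> bool:
    """k-anonymity lookup as HIBP does it: only the 5-character prefix would leave the client."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in BREACH_RANGES.get(h[:5], set())

def charset_size(password: str) -> int:
    """Sum of the sizes of the classes the password actually draws from."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))

def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(charset size)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def rating(bits: float) -> str:
    """Bands from the text: <40 weak, 40-60 fair, 60-80 strong, 80+ very strong."""
    return "weak" if bits < 40 else "fair" if bits < 60 else "strong" if bits < 80 else "very strong"

def check_policy(password: str) -> list:
    """Return the rules from the policy section that the password fails (empty list = accepted)."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    failures += [f"no {name} character" for name, chars in CLASSES.items()
                 if not any(c in chars for c in password)]
    if is_breached(password):
        failures.append("found in breached-password list")
    if entropy_bits(password) < 40:
        failures.append("entropy below 40 bits")
    return failures
```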
## Frequently Asked Questions
### How long does it take to crack a password?
Cracking time depends on hash type, password complexity, and computational resources. An 8-character complex password might take minutes against MD5 but centuries against bcrypt with proper configuration.
### What is the most effective password cracking method?
For most targets, dictionary attacks with rules outperform pure brute force. Combining organization-specific wordlists with mutation rules provides the best results for targeted attacks.
### How can organizations test password security?
Use tools like Hashcat to test the strength of password hashes taken from your own systems, with permission. Run wordlists against the collected hashes to identify weak passwords. Use breach detection APIs to check for compromised credentials.
### Are password managers secure?
Yes, password managers are widely considered secure when using strong master passwords and enabling MFA. They enable unique, complex passwords for every account without memorization challenges.
### How does GPU acceleration affect password cracking?
GPU acceleration dramatically increases cracking speed. A modern GPU can crack MD5 hashes at 50+ billion attempts per second, making weak passwords virtually useless.
## Conclusion
Password cracking remains a critical skill for security professionals and a persistent threat for organizations. Understanding attack techniques enables better defense implementation.
Key takeaways include password strength directly impacting cracking difficulty, hash function choice significantly affecting security, password policies must balance usability and security, multi-factor authentication provides critical additional protection, and regular testing reveals password security gaps.
Cyber Defence offers comprehensive password security training as part of our ethical hacking courses. Learn both offensive and defensive password security techniques through hands-on exercises.
Protect your organization from password-based attacks. Implement strong hashing, enable MFA, and regularly test your password security posture.

