What is password cracking?

Password cracking is when a hacker uncovers plaintext passwords or unscrambles hashed passwords stored in a computer system. Password cracking tools leverage computing power to help a hacker discover passwords through trial and error and specific password cracking algorithms.

This article contains:

If a hacker discovers your password, they can steal your identity, steal all your other passwords, and lock you out of all your accounts. They can also set up phishing attacks to trick you into giving up more sensitive data, install spyware on your devices, or sell your data to data brokers

The best way to protect yourself against cybercriminals and cybercrimes like password theft is with a healthy mixture of common sense and modern security solutions.

How can I prevent my password from being hacked?

The first step to prevent your password from being hacked is to create long and unique passwords for all your accounts. We know it’s super convenient to use your dog’s birthday for all your passwords, but this just makes it more convenient for password hackers.

It’s also easy to let your browser save all your passwords for you. But if someone takes control of your computer, either remotely or in person, they can take control of your passwords too. That’s one among many reasons to be mindful when saving passwords in your browser — and why a password manager is generally the safer way to go.

As technology has advanced, guessing passwords has become easier for hackers. While some of the best password managers can defend against password cracking tools, learning about common password cracking techniques is a great way to swing the odds in your favor.

What is a hashing algorithm?

A hashing algorithm is a one-way encryption that turns a plain-text password into a string of letters, numbers, and special characters. It’s practically impossible to reverse a hashing algorithm, but hackers can find the original password with the help of password cracking software.

As hackers learn to crack hashing algorithms, newer and stronger hashes are developed. Some popular — though now obsolete — password hashing algorithms include MD5 (Message Digest Algorithm 5) and SHA (Secure Hashing Algorithm). Today, one of the strongest password hashing algorithms is bcrypt.

Common password hacking techniques

The first step to cracking passwords is stealing the hashed versions, often by cracking a system or network that holds the passwords. Hackers can target a company’s software vulnerabilities through exploits and other hacking methods to get at the passwords inside. 

From there, it’s just a matter of choosing the right password cracking techniques and tools. Individuals typically aren’t hacking targets — the aim is to cast a wide net and catch as many passwords as possible.

New password attack methods are developed every day. Luckily for hackers, human password habits haven’t developed alongside. Many classic rule-based programs and algorithms are still effective in predicting people’s password choices.

Sometimes all a hacker has to do is wait for a data breach to leak millions of passwords and private details. Hackers often share and trade sensitive data they find, so it pays to have privacy software like Avast BreachGuard that helps prevent companies from selling your personal info, protects you from social media snoops, and scans the web in case your sensitive details are out there.

Here are a few of the most common password hacking techniques:

Brute force attack

brute force attack is when hackers use computer programs to crack a password through countless cycles of trial and error. A reverse brute force attack attempts to crack a username through the same method. Brute force attacks are simple yet effective.

Modern computers can crack an eight-character alphanumeric password or ID in just a few hours. There are many freely available brute force tools around the web that allow nearly infinite guesses of a target’s login credentials, such as the popular and notorious Brutus password cracker.

Using an obscure word won’t help — a hacker can scour all the dictionaries in the known universe in a matter of moments.

The worst passwords are sequential letters and numbers, common words and phrases, and publicly available or easily guessable information about you. These simple passwords are incredibly easy to crack via brute force, and they could end up in a data breach sooner or later.

Hackers compile cracked usernames and passwords into a hitlist for attacks on other networks and systems in a technique called credential recycling. The cycle of hacker violence goes round and round — and your private data is at the center.

Brute force attacks are especially effective against easy-to-guess passwordsBrute force attacks are especially effective against easy-to-guess passwords

Dictionary attack

A dictionary attack is a type of brute force attack that narrows the attack scope with the help of an electronic dictionary or word list. Dictionary attacks target passwords that use word combinations, variations on spellings, words in other languages, or obscure words that are too slippery for a regular brute force attack.

Because a dictionary attack uses a set list of actual words, passwords that have random special characters are a lot more unpredictable and thus safer against these attacks. Despite this, many people use regular words as their password because it’s easier to remember.

Using an obscure word won’t help — a hacker can scour all the dictionaries in the known universe in a matter of moments.

Mask attack

A mask attack reduces the workload of a brute force attack by including part of the password a hacker already knows in the attack. If a hacker knows your password has 10 characters, for example, they can filter the attack for passwords of only that length. 

Mask attacks can filter by specific words, numbers within a certain range, special characters the user prefers, or any other password characteristics the hacker is confident about. If any of your data is leaked, it makes you more vulnerable to a full-on breach.

Social engineering

Social engineering is a technique where criminals manipulate people into giving up compromising information. In the context of hacking, social engineering a password is when hackers trick someone into divulging their password details, such as by pretending to be tech support.

It’s often easier to gain someone’s trust than it is to gain access to their computer, especially if that person is not tech-savvy.

Cybercriminals can get your passwords through tech support scams or other grifts.Cybercriminals can get your passwords through tech support scams or other grifts.

Social engineering takes many forms, especially in the age of social media. Ever come across a quirky social media quiz asking you to enter your first pet and street to create a superhero name? A hacker may be trying to social engineer the answers to your password security questions.


Spidering is when hackers crawl a company’s social media accounts, marketing campaigns, or other corporate material to gather a word list for a brute force or dictionary attack. Spidering can become social engineering when hackers infiltrate businesses for physical handbooks and training manuals full of keywords.

By studying a business’s product, a hacker can glean corporate lingo, jargon, slogans, and other language to compile into a word list for cracking. Default company passwords commonly relate to a brand’s identity, and often remain unchanged.

Employees may choose passwords relating to their job since it’s easier to remember. With larger companies, spidering is especially effective since there is so much material to sift through. The chances are high that a password or two falls through the cracks and straight into a hacker’s web.

Shoulder surfing

Shoulder surfing is a social engineering technique of spying over someone’s shoulder as they enter login details. Shoulder surfing is a common way to discover ATM PINs, which is why most people are wary of their surroundings while taking out money.

But hackers can also shoulder surf your email for password cracking intel, or watch your keystrokes as you tap away at an internet cafe.

Shoulder surfers try to steal your passwords by spying on you.Shoulder surfers try to steal your passwords by spying on you.

Offline cracking

Offline cracking is when hackers transfer hashed passwords offline to crack them more safely and efficiently. Online attacks are vulnerable to discovery, can trigger a lockout after too many attempts, and are hampered by a network’s speed. With offline cracking, a hacker is invisible, can attempt infinite logins, and is limited only by their own computer power.

Hashed passwords can be taken directly from a database by tried-and-true hacker techniques such as SQL injection. If a hacker gains administrator privileges, it’s game over for all the passwords on the admin’s system. Learning how to password-protect files and folders can save admins from a disastrous password breach.

Password guessing

When all else fails, cybercriminals can collaborate as an effective password-guessing collective. A hacker hivemind is far superior to a single human’s powers of memory. 

In today’s global network, it takes only a few clicks and a little know-how to get details on any internet user. And with modern password cracking tools and tech at their fingertips, it’s only a matter of time before a patient password guesser cracks an unsecure password.

Password cracking tools

Along with a slew of techniques and computer programs, hackers can use powerful password tools to seize raw user data for cracking purposes. Any identifying information is valuable to a hacker. 

A wily cybercriminal can put the pieces together like a jigsaw puzzle and then get cracking. Hacker communities share hashed passwords, user profiles, credit card numbers, and other lucrative material on the dark web. A dark web scan can show you if your information is up for grabs.

If your credentials leak in a data breach, they may end up on the dark web.If your credentials leak in a data breach, they may end up on the dark web.

Network analysers

A network analyzer can inspect and analyze a network’s traffic, including network packets with valuable user data inside. Malware can install an analyzer to spy on data travelling across a network, or someone with physical access to a network switch can plug a network analyzer into it. 

Network analysers are a dangerous modern password hacking tool, since they don’t rely on exploits or security flaws in a network. After a network analyzer sniffs out the packets, a packet capturing tool can steal the payload of passwords inside.

Packet capturing

A packet capturing tool can act as a sniffer for the packets of data moving across a network. One part of a packet is the origin and destination, while the other part is the actual data it is carrying, such as passwords. 

By “eavesdropping” on packets and logging the information inside, hackers can build profiles of potential victims — over time, amassing a trove of password cracking data. They’ll sell this information to the highest bidder, trade it with one another, or just release the information for free in massive data leaks.

With tech companies and other third parties collecting so much data, password crackers can pluck your private details out of the air. Your best bet is rival technology that can fight back and can keep your data away from hacker hands, such as a secure browser with anti-tracking tech.

Protect your most sensitive data with Avast BreachGuard

If a website you frequent is hacked, it doesn’t matter how careful you’ve been with your passwords and other private details. Big Tech, data brokers, and other third parties collect your personal info, while hackers wait around, looking for any chance to strike. 

Avast BreachGuard can stop companies from selling your data, monitor your passwords to keep them strong, and alert you in the event of a breach. Keep your data safe — get Avast BreachGuard today and put your personal info behind a private security shield.

By: Domenic Molinaro