Password Security 101: How Hackers Actually Crack Passwords

April 13, 2026 · 13 min read

The most common password in 2025 was "123456." It has held that position for nearly a decade. The second most common was "password." Third place: "123456789." These passwords are cracked in less than one second — not because hackers are brilliant, but because they try the obvious things first and millions of people make it that easy.

But even people who think they have strong passwords are often wrong. "P@ssw0rd!" looks complex — uppercase, lowercase, number, special character, nine characters. A password cracker running on a modern GPU tries it within the first few minutes, because substituting @ for a and 0 for o is one of the first patterns attackers test. Perceived complexity and actual security are very different things.

Understanding how passwords get cracked is the foundation for protecting yourself. Not with fear, but with specific knowledge about what works and what does not.

How Passwords Get Stored (and Stolen)

When you create an account, a properly built website does not store your actual password. It stores a hash — a one-way mathematical transformation. Your password "correct-horse-battery-staple" becomes something like a7f5f35426b927411fc9231b56382173. The hash cannot be reversed back to the original password mathematically. When you log in, the site hashes whatever you type and compares the hash, not the password itself.

The problem starts when a company's database gets breached. Attackers steal millions of hashed passwords and then try to reverse them — not mathematically, but by trying enormous numbers of guesses, hashing each one, and checking for matches.

A Hash Generator shows this process in action. Type a word, see the hash. Type it again — same hash every time. Change one character — completely different hash. This one-way, deterministic property is what makes hashing useful for password storage and what makes it vulnerable to guessing attacks.

Not all hashing algorithms are equal

Older sites stored passwords using MD5 or SHA-1, which are fast hashing algorithms — designed for speed. A modern GPU can compute 10 billion MD5 hashes per second. That means an attacker can test 10 billion password guesses per second against an MD5-hashed database.

Modern password hashing uses algorithms designed to be slow: bcrypt, scrypt, and Argon2. These deliberately take hundreds of milliseconds per hash, making brute-force attacks millions of times slower. A single bcrypt hash might take 200ms — barely noticeable when you log in, but devastating when an attacker needs to test billions of guesses.

The Hash Identifier can tell you what algorithm was used for a given hash string. If you ever see a leaked hash and want to understand its strength (or weakness), this is the first step.

Attack Method 1: Brute Force

The simplest attack: try every possible combination. Start with "a", then "b", then "c", all the way to "z", then "aa", "ab", "ac", and so on until something matches.

Why password length matters more than complexity

The math is exponential. For a password using lowercase letters only (26 characters):

  • 6 characters: 26^6 = 308 million combinations. At 10 billion hashes/second (MD5), cracked in 0.03 seconds.
  • 8 characters: 26^8 = 208 billion combinations. Cracked in 21 seconds.
  • 10 characters: 26^10 = 141 trillion combinations. Cracked in about 4 hours.
  • 12 characters: 26^12 = 95 quadrillion combinations. Cracked in about 110 days.

Adding uppercase, numbers, and symbols increases the character set from 26 to roughly 95. But adding two more characters to a lowercase-only password increases the keyspace more than switching from lowercase to full complexity at the same length.

This is why NIST's current guidelines (SP 800-63B) recommend minimum 8 characters and emphasize length over complexity. A 16-character lowercase passphrase like "orange-carpet-river-moon" is dramatically harder to brute-force than an 8-character complex password like "K7$mP2!x".
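The keyspace arithmetic behind the bullets above, as an added example (not code from this page's tools): it classifies a password's character set, computes the brute-force keyspace and entropy, and converts the worst-case time at the 10 billion guesses/second MD5 figure into readable units. The class sizes and rate are the page's own numbers; the sample passwords are the ones quoted above.

```python
import math
import string

# Character classes; using any member of a class forces the attacker to include the whole class.
# 26 + 26 + 10 + 33 = 95, the "roughly 95" printable set used above.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]

MD5_RATE = 10_000_000_000  # guesses per second on one modern GPU, the figure used above


def charset_size(password: str) -> int:
    """Size of the smallest class union covering every character the password uses."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def entropy_bits(charset: int, length: int) -> float:
    """log2 of the keyspace charset ** length (0 for an empty password)."""
    return length * math.log2(charset) if charset else 0.0


def crack_seconds(charset: int, length: int, rate: float = MD5_RATE) -> float:
    """Worst case: every combination is tried. On average the hit comes halfway through."""
    return charset ** length / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies, from seconds up to years."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def estimate(password: str, rate: float = MD5_RATE) -> dict:
    """Brute-force-only figures; a dictionary attack on a common base word is far faster."""
    cs, n = charset_size(password), len(password)
    return {"charset": cs, "length": n, "bits": round(entropy_bits(cs, n), 1),
            "seconds": crack_seconds(cs, n, rate)}


if __name__ == "__main__":
    for pw in ("monkey", "K7$mP2!x", "orange-carpet-river-moon"):
        e = estimate(pw)
        print(f"{pw:26} charset={e['charset']:3} bits={e['bits']:6} crack={humanize(e['seconds'])}")
```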

Attack Method 2: Dictionary Attacks

Attackers do not start with brute force. They start with dictionaries: lists of common passwords, English words, names, dates, and known leaked passwords. The rockyou.txt wordlist — from a 2009 breach — contains 14 million passwords and is still the starting point for most attacks.

Rules-based dictionary attacks

Modern crackers apply transformation rules to dictionary words:

  • Capitalize the first letter: password → Password
  • Append numbers: password → password123
  • Common substitutions: password → p@$$w0rd
  • Append year: password → password2026
  • Reverse: password → drowssap
  • Combine two words: password + monkey → passwordmonkey

A dictionary of 100,000 words with 100 transformation rules gives 10 million guesses — tested in about a second against fast hashes. This is why "P@ssw0rd2026!" is not nearly as strong as it looks. The base word is in every dictionary, and the transformations are predictable.
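A password-screening check that applies the inverse of the rules listed above before accepting a new password, as an added example (not code from this page's tools). COMMON_WORDS is a constructed stand-in for rockyou.txt; a real deployment would check against a full breached-password list.

```python
import re

# Constructed stand-in for rockyou.txt: a few of the base words every cracker tries first.
COMMON_WORDS = {"password", "monkey", "letmein", "dragon", "qwerty", "welcome", "123456"}

# Inverse of the "common substitutions" rule: p@$$w0rd -> password.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def base_candidates(password: str):
    """Yield the base words that the rules above could have turned into this password."""
    p = password.lower()                      # undo "capitalize the first letter"
    yield p
    stripped = re.sub(r"[\d\W_]+$", "", p)    # undo "append numbers" / "append year" / trailing "!"
    for form in (stripped, stripped.translate(UNLEET)):
        yield form
        yield form[::-1]                      # undo "reverse"


def is_derivable(password: str, words=COMMON_WORDS) -> bool:
    """True if a rules-based dictionary attack over `words` would generate this password."""
    for base in base_candidates(password):
        if base in words:
            return True
        # Undo "combine two words": passwordmonkey -> password + monkey
        if any(base[:i] in words and base[i:] in words for i in range(1, len(base))):
            return True
    return False


if __name__ == "__main__":
    for pw in ("P@ssw0rd2026!", "Password123", "drowssap", "passwordmonkey", "kX7$mP2!qR4n"):
        print(f"{pw:16} derivable={is_derivable(pw)}")
```

A site that rejects derivable passwords at registration removes exactly the guesses a 100-rule dictionary run reaches first.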

Attack Method 3: Credential Stuffing

When a database breach leaks email-password pairs, attackers take those credentials and try them on other sites. If you use the same email and password for your email, bank, and shopping accounts, one breach compromises all three.

This is not theoretical. The 2024 "Mother of All Breaches" compilation contained 26 billion records from previous leaks. Credential stuffing attacks run these massive lists against popular services automatically, 24/7.

The defense is straightforward: never reuse passwords. Every account gets a unique, random password stored in a password manager. The Password Generator creates random passwords of any length and complexity. Generate a unique one for each account — you do not need to memorize them if a password manager stores them.

Attack Method 4: Rainbow Tables

A rainbow table is a precomputed lookup: hash → password for millions or billions of common passwords. Instead of hashing each guess on the fly, the attacker looks up the stolen hash in the table and instantly finds the matching password.

Rainbow tables are enormous (terabytes for full coverage) but they trade storage space for computation time. A lookup that would take hours of brute-force computation takes milliseconds with a rainbow table.

The defense: salting

A salt is random data added to the password before hashing. Instead of hashing "password" directly, the system hashes "a8f3k2password" where "a8f3k2" is a unique salt stored alongside the hash. Even if two users have the same password, their hashes are different because their salts are different. This makes rainbow tables useless — the attacker would need a separate rainbow table for every possible salt value.

Every modern password hashing system uses salts. bcrypt, scrypt, and Argon2 all include automatic salt generation. If a site stores passwords with unsalted hashes, it is using dangerously outdated practices.
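The storage contrast described in the hashing section and here, as an added example (not the page's Hash Generator or any site's code): unsalted MD5 gives two users with the same password identical hashes, while a per-user random salt plus Python's built-in hashlib.scrypt (standing in for bcrypt/Argon2) gives different hashes, costs far more per guess, and still verifies a login. Parameters n=2**14, r=8, p=1 and the 16-byte salt are conventional choices assumed here.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple


def md5_unsalted(password: str) -> str:
    """Legacy scheme: fast, unsalted MD5. The same password gives every user the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Modern scheme: random per-user salt plus the memory-hard scrypt KDF. Returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare in constant time."""
    _, candidate = scrypt_salted(password, salt)
    return hmac.compare_digest(candidate, stored)


def slowdown(password: str, rounds: int = 5) -> float:
    """How many times slower one scrypt hash is than one MD5 hash on this machine."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(rounds):
        md5_unsalted(password)
    t1 = time.perf_counter()
    for _ in range(rounds):
        scrypt_salted(password, salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


def compare_schemes(password: str) -> dict:
    """Two users who chose the same password, stored under each scheme."""
    alice_salt, alice_hash = scrypt_salted(password)
    _, bob_hash = scrypt_salted(password)
    return {
        "md5_collides": md5_unsalted(password) == md5_unsalted(password),  # one table lookup cracks both
        "scrypt_collides": alice_hash == bob_hash,  # different salts, so different hashes
        "login_ok": verify(password, alice_salt, alice_hash),
        "login_wrong": verify(password.swapcase(), alice_salt, alice_hash),
    }
```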

Attack Method 5: Social Engineering and Phishing

The most effective attack bypasses password cracking entirely. A well-crafted phishing email that looks like it is from your bank, employer, or a service you use can trick you into entering your credentials on a fake login page. No amount of password complexity helps if you type your password into the attacker's website.

Phishing attacks are increasingly sophisticated. They use real company logos, legitimate-looking domains (g00gle.com, paypa1.com), and urgent language ("Your account will be suspended in 24 hours"). The defense is two-factor authentication — even if the attacker captures your password, they cannot log in without the second factor.

Defense 1: Length Over Complexity

Based on the attack methods above, the password strategy that works:

  • For accounts you type manually (phone, laptop login): Use a passphrase — four or more random words separated by dashes. "correct-horse-battery-staple" is 28 characters. At brute-force speeds against bcrypt, it would take longer than the age of the universe to crack.
  • For everything else: Use a password manager and generate random 20+ character passwords. You never type these — the manager fills them in automatically.

Defense 2: Unique Passwords for Every Account

This defeats credential stuffing completely. If every account has a different password, breaching one service does not compromise others. A Password Generator makes this practical — generate, save to manager, forget about it.

Defense 3: Two-Factor Authentication (2FA)

2FA adds a second verification step: something you know (password) plus something you have (phone, hardware key). Even if your password is stolen, the attacker needs physical access to your second factor.

Types of 2FA, ranked by security

  1. Hardware security keys (FIDO2/WebAuthn): YubiKey, Google Titan. Phishing-resistant because the key cryptographically verifies the website's identity. This is the strongest option.
  2. Authenticator apps (TOTP): Google Authenticator, Authy, 1Password. Generate a time-based six-digit code that changes every 30 seconds. Resistant to most attacks but vulnerable to sophisticated real-time phishing.
  3. SMS codes: A code sent to your phone number. Better than nothing, but vulnerable to SIM swapping attacks where the attacker convinces your carrier to transfer your number to their SIM card.

The TOTP Generator demonstrates how time-based one-time passwords work. Enter a secret key and see the six-digit code that changes every 30 seconds. Understanding the mechanism helps you troubleshoot when 2FA codes do not work (usually a clock sync issue between your device and the server).
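The mechanism the TOTP Generator demonstrates, as an added example (not the tool's own code): RFC 4226 HOTP with the RFC 6238 time counter, plus the server-side check that tolerates one 30-second step of clock skew, which is the "clock sync issue" mentioned above. RFC_SECRET is the reference secret from RFC 6238, so the codes can be checked against the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as in the text
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238: the counter is the number of 30-second steps elapsed since the Unix epoch."""
    return hotp(secret, int(at) // step)


def verify(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Server-side check. `window` extra steps on each side absorb small clock skew;
    a device whose clock is off by more than that produces codes that never match."""
    base = int(at) // STEP
    return any(hmac.compare_digest(hotp(secret, base + d), code) for d in range(-window, window + 1))


def decode_base32(key: str) -> bytes:
    """Authenticator apps show the shared secret as base32, usually without '=' padding."""
    key = key.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


# RFC 6238 reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    import time
    print(totp(RFC_SECRET, 59), totp(RFC_SECRET, 1111111109))   # 287082 081804 per RFC 6238
    print(totp(RFC_SECRET, time.time()))                          # the code an app would show now
```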

Historical Perspective: The Caesar Cipher

Before modern cryptography, encryption was simple substitution. The Caesar cipher — used by Julius Caesar around 50 BC — shifts each letter by a fixed number. With a shift of 3, "A" becomes "D," "B" becomes "E," and so on. The word "ATTACK" becomes "DWWDFN."

With only 25 possible shifts, a Caesar cipher is crackable by hand in minutes. But the principle — transforming readable data into unreadable data using a key — is the same principle behind modern encryption. The difference is scale: 25 possible keys vs. 2^256 possible keys in modern AES encryption.

The Caesar Cipher tool lets you experiment with this historic encryption method. It is a teaching tool — shift text, see the result, try to crack messages — that builds intuition about why modern encryption needs astronomically large key spaces.
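The shift and the exhaustive 25-key search described above, as an added example (not the Caesar Cipher tool's own code). KNOWN_WORDS is a constructed mini dictionary used to recognise a readable decryption; the point it makes is that with 25 keys, trying every key is cheaper than any cleverness, which is impossible at 2^256.

```python
import string
from typing import Tuple

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift each letter by `shift` positions (negative to decrypt); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


# Constructed mini dictionary standing in for an English word list.
KNOWN_WORDS = {"ATTACK", "AT", "DAWN", "THE", "MEET", "RIVER", "WE", "CAESAR"}


def crack(ciphertext: str) -> Tuple[int, str]:
    """Try all 25 non-trivial keys and keep the one whose output contains the most known words."""
    best = (0, -1, "")
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        hits = sum(word in KNOWN_WORDS for word in candidate.split())
        if hits > best[0]:
            best = (hits, shift, candidate)
    return best[1], best[2]


if __name__ == "__main__":
    print(caesar("ATTACK", 3))                                   # DWWDFN
    print(crack(caesar("ATTACK AT DAWN WE MEET AT THE RIVER", 7)))
```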

Password Cracking Speed: The Numbers

Password type                  | Example                | Time to crack (MD5)         | Time to crack (bcrypt)
-------------------------------|------------------------|-----------------------------|----------------------------
6 chars, lowercase             | monkey                 | < 1 second                  | ~1 hour
8 chars, mixed case + number   | Tr0uble1               | ~2 minutes                  | ~6 years
8 chars, common substitutions  | P@ssw0rd               | < 1 second (in dictionary)  | < 1 second (in dictionary)
12 chars, random               | kX7$mP2!qR4n           | ~34,000 years               | Centuries
4-word passphrase              | correct-horse-battery  | ~550 years (dictionary)     | Millennia
20 chars, random               | aK7$mP2!qR4nXw9@Lp3j   | Longer than age of universe | Longer than age of universe

Note: "P@ssw0rd" falls to a dictionary attack in under a second regardless of hashing algorithm, because it is one of the most common password patterns. The cracking time assumes brute-force only. In practice, attackers use dictionaries first, which is why common passwords are the weakest regardless of their apparent complexity.

Frequently Asked Questions

Do I really need a different password for every account?

Yes. Credential stuffing attacks automate testing leaked passwords across thousands of sites. If you reuse a password and any one of those services gets breached, all your accounts using that password are compromised. A password manager makes unique passwords practical.

Is a passphrase really stronger than a complex short password?

Mathematically, yes — if the words are randomly selected. "correct-horse-battery-staple" has more entropy than "K7$mP2!x" despite being all lowercase letters. The key is that the words must be randomly chosen, not a meaningful phrase like "i-love-my-dog" which is predictable.

Are password managers safe? What if they get hacked?

Reputable password managers (1Password, Bitwarden, KeePass) encrypt your vault with your master password using algorithms that would take millions of years to brute-force. The LastPass breach in 2022 exposed encrypted vaults, but users with strong master passwords remained protected. The risk of a password manager breach is real but dramatically smaller than the risk of reusing passwords across sites.

Should I change my passwords regularly?

NIST no longer recommends periodic password changes. Forced rotation leads to weaker passwords (people just increment a number) and provides minimal security benefit if the original password was strong. Change a password only when you have reason to believe it has been compromised — after a service announces a breach, for example.

Security Tools

  • Password Generator — create strong, random passwords of any length and complexity
  • Hash Generator — see how password hashing works with MD5, SHA-256, and more
  • Hash Identifier — identify which hashing algorithm produced a given hash string
  • Caesar Cipher — explore historical encryption with shift-based substitution
  • TOTP Generator — understand time-based one-time passwords for two-factor authentication

For deeper coverage of cryptographic concepts, see the Classical Ciphers and Cryptography History guide. For more on password strength specifically, the Science of Password Strength covers NIST guidelines, entropy calculations, and the math behind cracking times.