How Password Crackers Work

Cracking a password may seem like a next to impossible task, but you’d be surprised how easy it can be. There are dozens of password cracking programs on the market, each with their own special recipe, but they all basically do one of two things: create variations from a dictionary of known common passwords or attempt every possible combination using a method called a brute force attack. Let’s look at how each technique works and how to protect against them.

It’s important to understand at the outset that professional password crackers aren’t looking to log in to your PayPal account. That process is slow to begin with, and most services will lock out repeated login attempts anyway. Rather, the pros work against password files that they download from breached servers. These files are usually easy to access from the root level of most server operating systems or are maintained by individual applications. These files may be protected with weak encryption algorithms, which are not much of an impediment to the determined hacker.

Once criminals obtain a password list, they can take as many shots as they like to break it. Their goal generally isn’t to crack an individual password, but to run tests against the entire file, knocking down their targets one by one. Modern graphics hardware makes this incredibly fast. For example, some commercial products can test trillions of passwords per second on a standard desktop computer using a high-end graphics processor.

This table of password recovery speeds is truly scary. It shows that a seven-character password composed of upper and lower case letters and digits has 3.5 trillion permutations. While that may sound like a lot, today’s speedy desktop computers can test all of them in an hour or two. An engineering workstation, or several PCs strung together, can finish the task in 10 seconds.

Let’s look at the two most common password-cracking techniques.  

Dictionary Crack

This technique uses lists of known passwords, word list substitution and pattern checking to find commonly used passwords, or those that are discoverable with a bit of personal information. It isn’t difficult to find lists of compromised passwords. Sites like PasswordRandom.com publish them, and much larger lists are available on the dark web at little cost. A criminal can probably unlock 10% to 20% of a password file using just the 10,000 most common passwords. In fact, it has been estimated that about 75% of online adults have used one or more of the 500 most popular passwords.

After decrypting the password file, a dictionary attack uses text strings and variations thereof to test different combinations. For example, many people append numbers to their names or user names, which may be stored in plain text. If a user named Robert has the password “Robert123,” a dictionary attack will figure that out in seconds. The software simply cycles through every possible combination to identify the ones that work.

If a little information is known about people in the database, the job is even easier. For example, people frequently use the names of children, addresses, phone numbers, sports teams and birthdays as passwords, either alone or in combination with other characters. Since most people append characters to the end of the password, it’s easy for dictionary cracks to cycle through all of those likely possibilities. Social media is an attacker’s dream. People freely post personal information in their profiles or tweet repeatedly about the sports teams or celebrities they follow. These are natural paths for a dictionary crack to pursue.
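The same patterns can be screened for when a user chooses a password. The Python sketch below is an added example, not code from the original article: it flags a proposed password that reduces to a common password or to a personal detail once appended digits, punctuation and look-alike substitutions are removed. The function names, the tiny word list and the substitution table are constructed for illustration.

```python
import re

# Constructed sample; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}

# Look-alike substitutions that are undone before comparison (illustrative subset).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def strip_affixes(password):
    """Drop digits and punctuation tacked onto the start or end of a word."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)


def candidates(password):
    """Normalised forms of the password to compare against the word lists."""
    lowered = password.lower()
    core = strip_affixes(lowered)
    forms = {lowered, core, lowered.translate(LEET), core.translate(LEET)}
    return {form for form in forms if form}


def weaknesses(password, personal_tokens):
    """Return the reasons a password would fall to a dictionary-style guess.

    personal_tokens: user name, family names, teams and similar details
    known about the account holder (hypothetical input for this example).
    """
    reasons = []
    forms = candidates(password)
    if forms & COMMON_PASSWORDS:
        reasons.append("common password")
    tokens = {t.lower() for t in personal_tokens if len(t) >= 3}
    for token in sorted(tokens):
        if any(token in form for form in forms):
            reasons.append(f"contains personal detail: {token}")
    return reasons


if __name__ == "__main__":
    profile = ["Robert", "Yankees"]  # constructed sample profile
    for pw in ("Robert123", "P@ssw0rd!", "2019Yankees!", "vT9#qLm2&xR4z"):
        print(pw, "->", weaknesses(pw, profile) or "no dictionary pattern found")
```

An empty result only means none of these particular patterns matched; it does not by itself make a password strong.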

 

Brute Force Crack

This is just what it sounds like: a technique to reveal those stubborn passwords that can’t be unlocked by a dictionary. Today’s multi-core processors and graphics processing units have made brute force tactics more practical than they used to be. Machines that can be purchased for less than $1,000 are capable of testing billions of passwords per second. Short passwords are easiest to guess, so attackers typically use brute force tactics to unscramble the five- and six-character passwords that didn’t yield to the dictionary approach, a process that might only take a few hours. For longer passwords, brute force and dictionary techniques may be combined to narrow the realm of possible combinations. Some brute force cracking software also uses rainbow tables, which are lists of known codes that can sometimes be helpful in reverse-engineering encrypted text.

How vulnerable are password files to brute force attacks? In 2013 the tech news site Ars Technica gave an editor who had no experience with password cracking a list of 16,000 encrypted passcodes and challenged him to break as many as possible. Within a few hours, he had deciphered nearly half of them. The same list was then given to some skilled hackers, one of whom cracked 90% of the codes in about 20 hours.

 

Some Good News and Some Bad News

If some of the statistics cited above are intimidating, rest easy. The biggest problem with password protection is that many people don’t use strong passwords. The laws of mathematics dictate that longer passwords are harder to break than short ones, and passwords that contain random combinations of characters are more secure than those that conform to a known pattern. A 13-digit password that mixes alphanumeric characters and punctuation symbols is considered impractical to break with today’s technology.

Unfortunately, few people can remember a random 13-digit string of characters, much less multiple strings for different logins. Equally unfortunate – from a security perspective – is that computers are getting faster and cracking algorithms are getting better. Five years ago, an eight-digit password was considered strong enough. Five years from now, 18 digits may be too weak.
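The arithmetic behind these length recommendations can be checked directly. The Python sketch below is an added example, not part of the original article: it computes the number of combinations for a given character pool and length, the worst-case time to try them all, and the shortest length that holds out for a chosen number of years. The guess rates are assumed round figures, and the function names are hypothetical.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password):
    """Size of the smallest standard character pool that covers the password."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    return sum(len(pool) for pool in pools if any(ch in pool for ch in password))


def keyspace(alphabet, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet ** length


def seconds_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time for an offline search to try every combination."""
    return keyspace(alphabet, length) / guesses_per_second


def min_length(alphabet, guesses_per_second, years):
    """Shortest length whose full search takes at least `years` at this rate."""
    target = guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while keyspace(alphabet, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    # Seven characters of upper case, lower case and digits: about 3.5 trillion.
    print("62^7 =", keyspace(62, 7))
    for rate in (10**9, 10**12):  # assumed guess rates, not measured figures
        minutes = seconds_to_exhaust(62, 7, rate) / 60
        print(f"at {rate:.0e} guesses/s: {minutes:.2f} minutes to exhaust 62^7")
        for pool in (62, 94):
            print(f"  pool of {pool}: at least {min_length(pool, rate, 100)} "
                  "characters to last 100 years")
```

These figures apply only to randomly chosen passwords; a password built from a name or a common word falls to a dictionary guess long before an exhaustive search is needed.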

This is where password management software is valuable. Password managers store passwords of any length and can regularly generate new passwords without the user having to bother to remember them. They can also be protected by two-factor authentication, which is considered to be almost unbreakable in any context.

By the way, in case you’re wondering why password-cracking programs aren’t illegal, it’s because there are perfectly valid and legal reasons to use them. Security professionals employ these tools to test the strength of their own software, and password crackers are widely used by law enforcement agencies to fight crime. As with any technology, these tools can be used for evil, as well as for good.