Updated on November 14, 2022.
Password cracking is using programs and tools to retrieve passwords stored in a computer system or sent via a network. Cracking a password may seem like a next-to-impossible task, but you’d be surprised how easy it can be. Read on to learn how password cracking works, the techniques used and how to keep yourself protected.
How Password Cracking Works
There are dozens of password-cracking programs on the market, each with its own special recipe, but they all basically do one of two things: create variations from a dictionary of commonly-known passwords, or attempt every possible combination using a method called a brute force attack.
It’s important to understand at the outset that professional password crackers aren’t looking to log in to your PayPal account. That process is slow to begin with, and most services will lock out repeated login attempts anyway. Rather, the pros work against password files that they download from breached servers. Password files are what store the essential information that you need during login such as your account information. These files are usually easy to access from the root level of most server operating systems or are maintained by individual applications. The files may be protected with weak encryption algorithms, which are not much of a roadblock to the determined cybercriminal.
Once criminals obtain a password list, they can take as many shots as they like to break it. Their goal generally isn’t to crack an individual password, but to run tests against the entire file, knocking down their targets one by one. Modern graphics hardware makes this incredibly fast. For example, some commercial products can test trillions of passwords per second on a standard desktop computer using a high-end graphics processor.
Password Cracking Techniques
Here are two of the most common password-cracking techniques.
A dictionary crack is a technique that uses lists of known passwords, word list substitution and pattern checking to find commonly used passwords. It isn’t difficult to find lists of compromised passwords. Certain websites publish them and lists are available on the dark web at little cost.
After decrypting the password file, a dictionary attack uses text strings and variations to test different combinations. For example, many people append numbers to their names or usernames, which may be stored in plain text. If a user named Robert has the password “Robert123,” a dictionary attack will figure it out in seconds. The software simply cycles through every possible combination to identify the ones that work.
If little information is known about people in the database, the job is even easier. For example, people frequently use the names of children, addresses, phone numbers, sports teams and birthdays as passwords, either alone or in combination with other characters. Since most people append characters to the end of the password, it’s easy for dictionary cracks to cycle through all of those likely possibilities.
Social media is an attacker’s dream. People freely post personal information on their profiles or tweet repeatedly about the sports teams or celebrities they follow. These are natural paths for a dictionary crack to pursue.
Brute Force Crack
A brute force crack is just what it sounds like – a technique to reveal those stubborn passwords that can’t be unlocked by a dictionary. Today’s multi-core processors and graphics processing units have made brute force tactics more practical than they used to be.
Machines that can be purchased for less than $1,000 are capable of testing billions of passwords per second. Short passwords are easiest to guess, so attackers typically use brute force tactics to unscramble the five- and six-character passwords that didn’t yield to the dictionary approach, a process that might only take a few hours.
For longer passwords, brute force and dictionary techniques may be combined to narrow the realm of possible combinations. Some brute force cracking software also uses rainbow tables, which are lists of known codes that can sometimes be helpful in reverse-engineering encrypted text.
Is Password Cracking Illegal?
Using password cracking for one’s own password is not illegal if you operate with local data that is in your possession, have permission from the rightful owner, are acting as an agent of the law and abide by local laws. On the other hand, cracking someone else’s password may be illegal, but it’s a gray area.
Password-cracking programs also aren’t illegal because there are perfectly valid and legal reasons to use them. Security professionals employ these tools to test the strength of their own passwords, and password crackers are widely used by law enforcement agencies to fight crime. As with any technology, these tools can be used for evil, as well as for good.
Stay Protected Against Password Cracking
The biggest problem with password protection is that many people don’t use strong passwords. When it comes to creating passwords, longer passwords are harder to break than short ones and passwords that contain random combinations of characters are more secure than those that conform to a known pattern. A 13-digit password that mixes alphanumeric characters and punctuation symbols is considered impractical to break with today’s technology.
Unfortunately, few people can remember a random 13-digit string of characters, much less multiple strings for different logins. Equally unfortunate – from a security perspective – computers are getting faster and cracking passwords even easier. Five years ago, an eight-digit password was considered strong enough. Five years from now, 18 digits may be too weak.
This is where a password management solution is valuable. Password managers such as Keeper allow you to store passwords, files and more. Keeper can also generate new strong, unique passwords and store them in your vault. Once stored in your vault, your passwords are secured and the only way you’ll be able to access them is with your master password. Password managers can also be protected by two-factor authentication (2FA), which is considered to be almost unbreakable in any context and it’s strongly recommended that you implement it.
Protect yourself against password cracking – start your free trial of Keeper today.