What Is Password Cracking? Security Definition
Also known as: password cracking, brute force attack, dictionary attack, hashcat, john the ripper
Quick Definition
Password cracking is when someone tries to guess or figure out a password that they do not know. This is done using special tools that try many possible passwords very quickly until the correct one is found. It is a common technique used by hackers to break into accounts, and also by security professionals to test how strong a password is.
Must Know for Exams
Password cracking appears prominently in the EC-Council Certified Ethical Hacker (CEH) exam, as well as in other security exams like CompTIA Security+ and CISSP. In the CEH exam, password cracking is part of the System Hacking phase, which is one of the core modules. The exam expects candidates to know the different types of password cracking attacks, the tools used, and the countermeasures. Specifically, CEH exam objectives include understanding brute force attacks, dictionary attacks, rainbow table attacks, and hybrid attacks. Candidates must be able to identify which attack method is most efficient in a given scenario. For example, if a question describes an organization using short, simple passwords, the correct answer is likely a dictionary attack. If the organization uses long, random passwords but stores them unsalted with MD5, then a brute force attack with a fast hash might be appropriate.
In the CompTIA Security+ exam, password cracking is covered under attacks and vulnerabilities. Candidates need to understand how password cracking fits into the larger picture of authentication attacks. They must know the difference between online and offline attacks, and how salting defends against rainbow tables. Security+ questions often present a scenario where a company has a password policy requiring at least 8 characters but no complexity, and then asks which attack is most likely to succeed. The CISSP exam includes password cracking in the domain of Identity and Access Management. It covers topics like password entropy, the strength of different hash algorithms, and the use of password managers. CISSP questions are more conceptual, focusing on policy and risk management implications of password cracking.
Across all these exams, there are common question patterns. One type gives a hash file and asks which tool should be used to crack it. The answer is often Hashcat or John the Ripper. Another type describes an attacker who obtains a database of salted hashes and then asks which attack is now ineffective. The answer is rainbow tables. A third type asks what countermeasure best prevents offline password cracking. The correct answer is using a strong, adaptive hashing algorithm like bcrypt. Exams also test the concept of key stretching, where a hash is computed many times to slow down cracking. Candidates must be able to explain why longer passwords and salts are effective. Knowing these exam-specific details is crucial because many students have the technical knowledge but get tripped up by the specific wording of exam questions. For instance, an exam might ask about an online brute force attack, which is mitigated by account lockout, versus an offline attack, which requires salted hashes. Understanding the context of the question is as important as knowing the definition.
Simple Meaning
Think of a password like a lock on a door. The correct password is the key that opens that lock. Password cracking is like finding a key that opens the lock without being given it. Imagine you have a lock with a three-digit combination code. You could try every number from 000 to 999 until the lock opens. That is the simplest form of password cracking, called a brute force attack, because you force your way through every possibility. A real password, however, is usually eight or more characters long and mixes letters, numbers, and symbols.
Trying every combination would take too long even for a computer, so hackers use smarter methods. One is a dictionary attack, which is like having a big list of commonly used keys and trying only those. Many people use weak passwords like password123 or their pet's name, and a dictionary attack tries those first. Another technique applies rules that change words, such as adding a number at the end or capitalizing the first letter. This is like having a master key set that can open many locks because the locks are all built alike. Hackers also use rainbow tables, which are precomputed lists that map possible passwords to their hashed (scrambled) versions. If a hacker steals a list of hashed passwords, they can compare them against the rainbow table to find matches quickly.
Password cracking is not always malicious. Security professionals, called penetration testers, use password cracking to test an organization's security. They try to crack passwords to prove that the passwords are too weak, which helps the organization enforce stronger password policies. The core idea is that every password can eventually be cracked given enough time and computing power. The goal of good security is to make it take so long that it is not worth the attacker's effort. The time required depends on the length, complexity, and randomness of the password, as well as the tools used to crack it. For a random string of 20 characters, even a powerful computer could take billions of years.
Full Technical Definition
Password cracking refers to the process of recovering plaintext passwords from their hashed or encrypted representations, or by directly guessing passwords against a login system. In IT environments, passwords are rarely stored as plaintext. Instead, systems store a cryptographic hash of the password. For example, when you create a password, the system runs it through a hash function like SHA-256 or bcrypt to produce a fixed-size string. When you log in, the system hashes your input and compares it to the stored hash. If they match, access is granted. Password cracking tools attempt to find a password that, when hashed, produces the same stored hash.
There are several primary methods. Brute force attacks iterate through every possible combination of characters until the correct hash is found. Given a keyspace of 95 printable ASCII characters for an 8-character password, there are 95^8 possible combinations, roughly 6.6 quadrillion possibilities. Modern GPUs can attempt billions of hashes per second, but this method quickly becomes impractical for passwords longer than 10 characters. Dictionary attacks use a precompiled wordlist of common passwords, phrases, and patterns. The tool hashes each word and compares it to the target hash. This is much faster than brute force and effective against weak passwords. Hybrid attacks extend dictionary attacks by appending or prepending characters to each word, such as password1, Password!, or p@ssw0rd.
Rainbow tables are a time-memory trade-off technique. They are precomputed tables that store the output of hash chains for a given keyspace. Instead of computing the hash for each guess in real time, the cracker looks up the hash in the table, which maps to a possible plaintext. This method is extremely fast but requires significant storage space, and it is ineffective against salted hashes. Salting is the practice of adding a random value, called a salt, to each password before hashing. This ensures that even if two users have the same password, their hashes are different. Rainbow tables become useless against salted hashes because each unique salt would require a separate table.
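The following Python script is an added example, not code from the glossary page. It shows the two properties the paragraphs above describe: with an unsalted fast hash, every user who chose the same password shares one digest, and a precomputed table recovers all of them with a single lookup per digest; with a per-user random salt, identical passwords produce different digests and the table finds nothing. The usernames, passwords and the four-entry PRECOMPUTED table are constructed stand-ins (a real rainbow table compresses a keyspace with hash chains, but the lookup-only property is the same). SHA-256(salt || password) is used only to keep the example dependency-free; production storage should use an adaptive function such as bcrypt or Argon2, as the page says below.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample accounts; alice and bob chose the same password.
USERS = {
    "alice": "Sunshine2020",
    "bob": "Sunshine2020",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for a rainbow table: a precomputed map from MD5 digest
# to plaintext for a few candidates. The attacker does no hashing at attack
# time, only table lookups.
PRECOMPUTED = {
    hashlib.md5(word.encode()).hexdigest(): word
    for word in ("password", "123456", "sunshine", "Sunshine2020")
}


def store_unsalted(password: str) -> str:
    """Weak storage: bare MD5, so identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex); a fresh 16-byte random salt is drawn per call."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Login check: re-hash the supplied password with the stored salt and compare."""
    recomputed = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return secrets.compare_digest(recomputed, digest_hex)


def crack_with_table(digests: Dict[str, str]) -> Dict[str, str]:
    """Recover plaintexts by table lookup alone: one lookup per stored digest."""
    return {user: PRECOMPUTED[d] for user, d in digests.items() if d in PRECOMPUTED}


def demo() -> None:
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}

    print("unsalted: alice and bob share a digest:", unsalted["alice"] == unsalted["bob"])
    print("unsalted accounts recovered by lookup:", crack_with_table(unsalted))

    salted_digests = {u: digest for u, (_salt, digest) in salted.items()}
    print("salted: alice and bob share a digest:", salted_digests["alice"] == salted_digests["bob"])
    print("salted accounts recovered by lookup:", crack_with_table(salted_digests))
    print("salted login check for alice:", verify_salted("Sunshine2020", *salted["alice"]))


if __name__ == "__main__":
    demo()
```

Running the script recovers alice and bob together from the unsalted store and nothing from the salted store, while the salted login check still succeeds for the right password. The salt is not secret; it is stored next to the digest, and its whole job is to make precomputation useless.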
In enterprise environments, password cracking is often performed using tools like Hashcat or John the Ripper running on powerful GPU clusters. Security assessments may involve cracking password hashes extracted from a compromised domain controller or database. Administrators use these results to enforce password complexity rules and to identify accounts that use weak or reused passwords. The effectiveness of a cracking attempt depends on the hash algorithm used. Fast hashes like MD5 and NTLM are vulnerable to high-speed cracking. Slower, adaptive algorithms like bcrypt, scrypt, and Argon2 are designed to be computationally expensive, deliberately slowing down each guess and making cracking impractical even for moderately strong passwords.
Real-world implementations also involve online password cracking against live services. This method is slower because each guess requires a network request and the system may lock accounts after a few failed attempts. Attackers may combine password cracking with other techniques like credential stuffing, where they use previously cracked credentials from one breach to log into other services where users have reused the same password.
Real-Life Example
Imagine you work in a large office building. Every employee has a badge that opens the main entrance door. However, the badges are simple and all use the same four-digit PIN printed on the back. If someone loses their badge, anyone who finds it can enter the building. Now suppose a security guard wants to test whether the system is safe. The guard decides to try every possible four-digit number on a badge reader to see if it unlocks the door. There are only 10,000 possible combinations from 0000 to 9999. The guard could stand there and try each one manually. This would take hours, but it could be done. This is like a brute force attack on a system with a short password.
Now imagine a smarter approach. The guard notices that many employees set their PIN to their birthday month and day, like 0421 for April 21st. The guard collects a list of common dates and tries only those. This is like a dictionary attack. The guard can open many doors quickly without trying all 10,000 numbers. If the building upgrades its system to require a six-digit PIN, the number of possibilities jumps to one million. A brute force attack now takes much longer. But if the guard uses a list of the most common six-digit numbers like 123456 or 000000, they can still break in quickly. This is why password policies require longer and less predictable passwords.
Finally, let us say the building installs a new reader that uses two steps. First, the badge must be presented, and then a random six-digit code is sent to the employee's phone as a one-time code. Even if the guard cracks the original PIN, they still cannot enter because they need the code from the phone. This is like two-factor authentication, which makes password cracking much harder even if the password is known. The analogy shows that password cracking methods are all about exploiting patterns, short lengths, and missing layers of security. The lesson is that adding length, randomness, and extra authentication factors forces the cracker to work much harder, often beyond what is practical.
Why This Term Matters
Password cracking matters deeply because passwords remain the most common authentication method across all IT systems, from email accounts to corporate networks and cloud infrastructure. Even with advances in biometrics and multi-factor authentication, passwords are still the first line of defense. If an attacker cracks a single password, they can gain access to sensitive data, email, financial systems, or even the entire network. For a security professional, understanding how password cracking works is essential to protecting an organization. If you do not know how easily a weak password can be cracked, you cannot enforce effective password policies.
In real IT work, system administrators and security teams regularly perform password cracking assessments. They use the same tools that attackers use to test the strength of their own users' passwords. This is a standard part of compliance requirements like PCI-DSS, HIPAA, and ISO 27001. These audits require that passwords are resistant to brute force attacks. Without cracking assessments, organizations may falsely believe their passwords are strong. Many breaches happen because of weak or reused passwords. In 2023, the Verizon Data Breach Investigations Report found that the human element, including weak passwords, was involved in over 80% of breaches. Password cracking is also central to incident response. When a breach is discovered, investigators often need to crack passwords to determine the extent of compromised accounts. They may recover plaintext passwords from hashed databases to understand what other systems an attacker might have accessed.
From a defensive perspective, password cracking informs technical controls. Knowledge of cracking speeds and techniques determines lockout policies, password expiration intervals, and minimum length requirements. For example, knowing that a modern GPU can try 100 billion NTLM hashes per second means an 8-character password can be cracked in under an hour. Therefore, a responsible policy might require passwords of at least 12 characters. Additionally, password cracking techniques like rainbow tables led to the widespread adoption of salted hashes, which are now standard in every modern system. Understanding password cracking also helps professionals explain the importance of password managers to users. Instead of relying on memory for complex unique passwords, a password manager creates and stores random passwords that are immune to dictionary attacks. In summary, password cracking is not just a hacker's tool; it is a critical skill for any IT professional who wants to build secure systems.
How It Appears in Exam Questions
Exam questions about password cracking come in several standard formats. One common type is the scenario question. The exam presents a short story: a company has recently discovered that an attacker accessed their database and stole a file of hashed passwords. The passwords were hashed with MD5 and no salt. The question then asks what type of attack the attacker is most likely to use to recover the passwords. The correct answer is a rainbow table attack because MD5 is fast and unsalted. Distractors might include phishing or keylogging since those are also password-related attacks, but they do not fit the offline hash cracking context.
Another frequent question type is the tool identification question. The exam shows a command line snippet using a tool like hashcat or John the Ripper and asks what the command does. For example, a command like hashcat -m 1000 -a 0 hash.txt wordlist.txt tells you the attack mode is dictionary (mode 0) against NTLM hashes (mode 1000). The question might ask what attack is being performed. Answer: dictionary attack. Or the question might ask what the -a 0 flag means. Answer: attack mode for dictionary. These questions test practical tool knowledge.
Troubleshooting questions appear as well. A system administrator notices that after implementing a new password policy requiring 15-character passwords, the account lockout policy is still being triggered frequently. The question asks for the most likely cause. The answer is that users are writing down their passwords or using password managers incorrectly, while the lockout policy is still doing its job of preventing online brute force attacks. This tests the understanding that online attacks are mitigated by lockout, not by password length alone. Architecture questions may ask about designing a secure authentication system. The question describes a web application and asks which hashing algorithm should be used for storing passwords. The answer is bcrypt because it is slow and includes a salt. The distractors might be MD5 or SHA-1 because they are more familiar but insecure for passwords.
Another pattern is the mixed question where the exam gives a list of password types and asks which one is most resistant to cracking. The options might be Password123, 12345678, a random 10-character mixed string, or MyD0g!sFluffy. The correct answer is the random string because it has high entropy and is not in any dictionary. The common mistake is to choose a phrase that looks complex but is actually a known phrase with substitutions that rules-based attacks can crack. For example, MyD0g!sFluffy is a variation of my dog is fluffy, which a smart dictionary attack can guess. The question teaches that password cracking tools can apply common substitution rules.
Finally, some questions test the concept of hash collision or preimage resistance. They might ask why a password cannot be reversed from a hash. The answer is that a hash is a one-way function, meaning it is computationally infeasible to invert, so attackers must guess inputs and compare hashes. Knowing how these question patterns work helps learners study more efficiently. Instead of memorizing facts in isolation, they learn to apply the concepts to realistic exam scenarios.
Example Scenario
A small company, GreenLeaf Services, uses a cloud-based email system for all employees. The IT department stores user passwords as simple MD5 hashes without any salt. An employee named Sarah uses the password Sunshine2020. One day, a hacker breaches the cloud provider's database and steals the file containing all the hashed passwords. The hacker now has a list of hash values but not the original passwords. The hacker uses a tool called Hashcat with a dictionary of common passwords found on the internet. In the dictionary, the word sunshine appears. The tool tries sunshine, Sunshine, Sunshine1, and finally Sunshine2020. When the tool hashes Sunshine2020 with MD5, the resulting hash matches Sarah's stored hash. The hacker now knows Sarah's password. Using that password, the hacker logs into Sarah's email account, finds confidential client contracts, and demands a ransom.
How does password cracking apply here? The hacker performed an offline dictionary attack on the stolen hash file. Because the passwords were unsalted, the same password used by any other employee would produce the same hash, allowing the hacker to crack multiple accounts at once. If GreenLeaf had used a strong hashing algorithm like bcrypt with a unique salt for each user, the same attack would take billions of years per password. This scenario shows why modern systems must use salted, slow hashes. It also shows that even an 11-character password like Sunshine2020 can be cracked quickly if it is based on a common word and a predictable pattern. The scenario highlights that protecting the hash file is critical, but even if it is stolen, good password storage practices can make cracking useless. Sarah should have used a password manager to generate a random 16-character string.
Common Mistakes
Thinking that a strong hash algorithm alone makes password cracking impossible.
A strong hash algorithm like SHA-256 makes cracking slower, but if the password is weak, a dictionary attack will still find it quickly. The hash only protects against reversing; it does not make guessing any harder. Salting and hash strength are defenses, but the password itself is still the weakest link.
Always consider both the password complexity and the hashing method. A strong password with a weak hash is still vulnerable, and a weak password with a strong hash is also vulnerable. The best combination is a long, random password stored with a slow, salted hash like bcrypt.
Believing that using a mix of uppercase, lowercase, numbers, and special characters automatically makes a password uncrackable.
Many people replace letters with similar-looking characters, like p@ssw0rd. Password cracking tools have built-in rules that try these common substitutions. A password like P@ssw0rd! is still a dictionary word with predictable modifications. It can be cracked in minutes with a hybrid attack.
Instead of substituting characters in a common word, use a truly random string of characters, or use a passphrase of four or five random words. For example, correct horse battery staple is much stronger than Tr0ub4dor&3 because it is longer and not based on a single word.
Assuming that a longer password always prevents online brute force attacks.
Online attacks are limited by network speed and account lockout policies. A short, complex password is usually enough to prevent online cracking because the system will lock the account after a few failed attempts. However, the real danger is offline cracking if the hash file is stolen. In that case, length matters greatly, but online attacks are a different problem.
Distinguish between online and offline cracking. For online attacks, implement account lockout and multi-factor authentication. For offline protection, use long passwords and strong hashing. Do not confuse the two contexts.
Thinking that password cracking only succeeds if the attacker has a huge computing cluster.
While powerful GPUs help, many password cracking successes come from simple dictionary attacks using common passwords. A laptop running Hashcat can test millions of candidate passwords per second against fast hashes, which is enough to crack weak passwords in bulk. The most common passwords like 123456 or password are found almost instantly. You do not need supercomputers to break weak passwords, just a small investment in free tools.
Assume that any password that is a common word, a simple pattern, or a known breach password can be cracked in seconds on ordinary hardware. Use a password manager to generate and store high-entropy passwords. Do not rely on the attacker's equipment being the limiting factor.
Exam Trap — Don't Get Fooled
An exam question states that an attacker stole a file of password hashes that were salted with a unique random value for each user. The question asks what attack method is most effective for cracking these hashes. Many learners choose rainbow tables because they think of tables as a fast cracking method.
Remember that rainbow tables are only effective against unsalted hashes. If the question mentions a salt, cross off rainbow tables immediately. The most effective method for salted hashes is a brute force or dictionary attack, where the attacker has to compute the hash for each guess with the salt included.
This forces the attacker to do the work in real time, which is slower but still feasible if the password is weak. For salted hashes, the attacker must use a wordlist and compute each hash on the fly. The takeaway: salting defeats precomputation attacks like rainbow tables.
Commonly Confused With
Password cracking tries many passwords for one account, while password spraying tries one common password against many accounts. Password spraying is slower but avoids account lockout because it does not trigger multiple failed attempts on a single account quickly.
A hacker tries the password Winter2024 on every employee account in a company. If one account uses that password, they get in. This is password spraying. Password cracking would take Sarah's account and try thousands of passwords until finding Sunshine2020.
Credential stuffing uses a list of known usernames and passwords from previous data breaches to try logging into other websites. It relies on password reuse, not on guessing or cracking. The attacker already has the password, just not for the target site.
A hacker obtains Alice's email and password from a breach of an old shopping site. The hacker then tries that same email and password on Gmail. If Alice reused the password, the hacker gets in. This is credential stuffing, not cracking.
Keylogging is a method of capturing keystrokes as the user types, including their password. It does not involve guessing or hashing. The attacker simply records what the user enters. Password cracking is about finding the password from a stored hash or through systematic guessing, not by spying during entry.
If a hacker installs a keylogger on Bob's computer, the hacker sees everything Bob types, including his password MyP@ss1. This is keylogging. Password cracking would mean the hacker already has the hash of Bob's password and tries to guess what it is.
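The distinction between online password cracking and password spraying drawn above is also the basis for telling them apart in authentication logs, which is how a defender sees them. The Python script below is an added example, not part of the glossary page: it parses constructed login records in a simple "src= user= result=" format (the format and all addresses and usernames are invented for the example), counts failures per source and per account, and labels a source as online cracking when one account absorbs many failures, or as spraying when many different accounts each fail a few times. It also reports any success from a flagged source, which in the spraying case is the account that used the sprayed password.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed authentication log. Three sources:
#   198.51.100.7 hammers one account (online cracking of a single password),
#   203.0.113.9 tries each of several accounts once (password spraying),
#   192.0.2.3 is a normal user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=198.51.100.7 user=sarah result=FAIL
2024-03-01T09:00:02 src=198.51.100.7 user=sarah result=FAIL
2024-03-01T09:00:03 src=198.51.100.7 user=sarah result=FAIL
2024-03-01T09:00:04 src=198.51.100.7 user=sarah result=FAIL
2024-03-01T09:00:05 src=198.51.100.7 user=sarah result=FAIL
2024-03-01T09:00:06 src=198.51.100.7 user=sarah result=FAIL
2024-03-01T09:01:10 src=203.0.113.9 user=alice result=FAIL
2024-03-01T09:01:11 src=203.0.113.9 user=bob result=FAIL
2024-03-01T09:01:12 src=203.0.113.9 user=carol result=FAIL
2024-03-01T09:01:13 src=203.0.113.9 user=dave result=FAIL
2024-03-01T09:01:14 src=203.0.113.9 user=erin result=FAIL
2024-03-01T09:01:15 src=203.0.113.9 user=frank result=OK
2024-03-01T09:02:00 src=192.0.2.3 user=alice result=FAIL
2024-03-01T09:02:05 src=192.0.2.3 user=alice result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def classify_sources(events: List[Dict[str, str]],
                     per_account_threshold: int = 5,
                     spray_account_threshold: int = 5) -> Dict[str, Dict]:
    """Label each source IP by the shape of its failures.

    online_cracking: one account receives >= per_account_threshold failures
                     (what account lockout is meant to stop).
    password_spraying: failures spread over >= spray_account_threshold distinct
                       accounts, none of them reaching the lockout threshold.
    """
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    successes = defaultdict(list)                      # src -> [users]
    for event in events:
        if event["result"] == "FAIL":
            failures[event["src"]][event["user"]] += 1
        else:
            successes[event["src"]].append(event["user"])

    findings: Dict[str, Dict] = {}
    for src, per_user in failures.items():
        worst = max(per_user.values())
        distinct = len(per_user)
        if worst >= per_account_threshold:
            pattern = "online_cracking"
        elif distinct >= spray_account_threshold:
            pattern = "password_spraying"
        else:
            continue  # ordinary user error, below both thresholds
        findings[src] = {
            "pattern": pattern,
            "failed_accounts": distinct,
            "max_failures_one_account": worst,
            "successes_from_source": successes.get(src, []),
        }
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Note that the spraying source never trips a per-account lockout: each account fails only once. That is exactly why a lockout policy alone misses spraying, and why the per-source, cross-account view in classify_sources is the check worth running on real logs.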
Step-by-Step Breakdown
Obtain the hash file
The attacker must first gain access to the file where password hashes are stored. This often happens through a data breach, SQL injection, or exploiting a vulnerability in the system. Without the hashes, the attacker cannot perform an offline cracking attack. In a security test, the penetration tester extracts the hashes from a domain controller or database with proper authorization.
Identify the hash type
The attacker must determine which algorithm was used to create the hashes. Common types include MD5, SHA-1, SHA-256, NTLM, and bcrypt. Each algorithm has a different format and speed. Tools like Hashcat can auto-detect the hash type based on the hash string's length and prefix. Knowing the algorithm is essential for selecting the correct attack mode and optimizing performance.
Prepare a wordlist or rule set
The attacker selects a wordlist containing common passwords, phrases, and leaked passwords from previous breaches. RockYou.txt is a famous wordlist with over 14 million passwords. For hybrid attacks, the attacker also prepares rules that modify each word, such as appending numbers, capitalizing the first letter, or replacing letters with special characters. The quality of the wordlist directly affects the success rate.
Run the cracking tool
The attacker uses a tool like Hashcat or John the Ripper. The tool loads the hash file and the wordlist, then begins processing. For each word in the list, the tool applies any selected rules, hashes the result using the identified algorithm, and compares it to the target hash. If a match is found, the tool outputs the plaintext password. Speeds vary from millions to billions of hashes per second depending on the algorithm and hardware.
Analyze results and escalate
Once a password is cracked, the attacker records it. If the goal is to compromise a network, the attacker uses the cracked password to log into the corresponding account. They may then use that access to move laterally, escalate privileges, or extract more data. In a security assessment, the testers generate a report showing which passwords were cracked and recommend policy changes.
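The steps above, from identifying the hash format through running a wordlist with rules, can be reproduced in a few dozen lines of plain Python so that the mechanics are visible without a GPU. The script below is an added example, not the glossary page's own code and not Hashcat; its rule set is a constructed subset of the kinds of transformations the page describes (capitalize, leetspeak substitution, appended suffixes), and the wordlist, usernames and passwords are invented. The plaintexts appear in the script only so that it can generate its own target digests; in a real assessment only the digests are known.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List


def identify_hash_type(digest: str) -> str:
    """Rough identification from format, as hash-identification tools begin.

    A 32-hex-digit value could be MD5 or NTLM; only the source system settles
    that, so both are reported.
    """
    if digest.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if all(c in "0123456789abcdef" for c in digest.lower()):
        return {32: "md5 or ntlm", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")
    return "unknown"


# Constructed leetspeak map, the substitutions behind p@ssw0rd-style passwords.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})


def apply_rules(word: str) -> Iterator[str]:
    """Yield candidates derived from one wordlist entry (constructed rule set)."""
    leet = word.translate(LEET)
    bases = [word, word.capitalize(), leet, leet.capitalize()]
    for base in bases:
        yield base
    for suffix in ("1", "!", "123", "2020", "2024"):
        for base in bases:
            yield base + suffix


def crack(targets: Dict[str, str], wordlist: Iterable[str],
          algorithm: str = "md5") -> Dict[str, str]:
    """Offline attack on unsalted digests.

    Each candidate is hashed once and checked against every pending digest, so
    one hash computation serves all accounts that share a password.
    """
    pending: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        pending.setdefault(digest.lower(), []).append(user)

    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in apply_rules(word):
            digest = hashlib.new(algorithm, candidate.encode()).hexdigest()
            if digest in pending:
                for user in pending.pop(digest):
                    found[user] = candidate
                if not pending:
                    return found
    return found


# Constructed wordlist and accounts. bob and sam reused the same password;
# carol's is random and will not be found by this wordlist.
WORDLIST = ["123456", "password", "letmein", "sunshine", "dragon"]
_PLAINTEXTS = {
    "sarah": "Sunshine2020",
    "bob": "P@ssw0rd!",
    "sam": "P@ssw0rd!",
    "carol": "vT7#qLm9Xz!2",
}
TARGETS = {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in _PLAINTEXTS.items()}


if __name__ == "__main__":
    sample = next(iter(TARGETS.values()))
    print("hash type:", identify_hash_type(sample))
    cracked = crack(TARGETS, WORDLIST)
    for user in TARGETS:
        print(user, "->", cracked.get(user, "<not cracked>"))
```

Sunshine2020 falls out of the word sunshine plus capitalize and the 2020 suffix, and P@ssw0rd! out of password plus leetspeak, capitalize and the ! suffix, which is the page's point that character substitution does not move a password out of dictionary reach. The assessment report would list sarah, bob and sam as weak-password accounts and note that bob and sam share a password.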
Practical Mini-Lesson
To understand password cracking in practice, you need to get your hands dirty with the tools and see how the process works on real data. Let us walk through a typical scenario using Hashcat, which is the industry standard for password cracking. First, you need a hash file. In a lab environment, you can create a simple text file with a few hashes generated from weak passwords. For example, using the MD5 algorithm, the password hello becomes an MD5 hash like 5d41402abc4b2a76b9719d911017c592. You put that hash in a file named hashes.txt. Now you need a wordlist. The rockyou.txt wordlist is freely available and contains millions of common passwords. You can download it from a trusted source.
When you run Hashcat, you must specify the hash type with the -m flag. For MD5, that is -m 0. You also set the attack mode with -a. For a straight dictionary attack, that is -a 0. Your command looks like: hashcat -m 0 -a 0 hashes.txt rockyou.txt. Hashcat will then read each word from rockyou.txt, compute its MD5 hash, and compare it to the hashes in your file. If hello is in rockyou.txt, Hashcat will find it almost instantly. You will see the output showing hello as the cracked password. This simple exercise demonstrates that any password in the dictionary is vulnerable. Now, let us say the password is Hello2. If Hello2 is not in rockyou.txt, a straight dictionary attack fails. But you can use a rules-based attack. Hashcat comes with built-in rules like best64.rule. These rules apply common transformations; for example, one rule might append the digit 2 to every word and another might capitalize the first letter. Running hashcat -m 0 -a 0 hashes.txt rockyou.txt -r best64.rule generates candidates such as hello2 and Hello2 from the word hello, and succeeds as soon as a candidate's MD5 hash matches the stored hash. This is a hybrid attack.
What can go wrong? If the hash algorithm is slow like bcrypt, the same attack runs very slowly. A single GPU may only compute a few thousand bcrypt hashes per second, compared to billions for NTLM. This means a long wordlist could take days. In that case, you need more selective wordlists or specialized hardware. Another issue is that some systems use key stretching with thousands of iterations, making cracking even slower. Professionals need to know how to estimate the time required based on hash rate and wordlist size. They also must understand that password cracking is only part of a comprehensive security assessment. You should always combine it with social engineering tests and vulnerability scanning for a full picture. Configuring password policies is about making the cost of cracking exceed the attacker's budget. As a professional, you use cracking tools to prove to management that weak passwords are a real risk. You demonstrate that a password like Season2024 can be cracked in seconds, leading to better policy enforcement. The practical lesson is that password cracking is not magic. It is a systematic process of testing hypotheses against hash outputs. With the right tools and knowledge, you can identify the weakest accounts in your organization and protect them before an attacker does.
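Estimating the time an attack needs from the hash rate, the keyspace and the wordlist size, as the paragraph above asks of a professional, is simple arithmetic but worth writing down once with realistic inputs. The Python script below is an added example, not from the glossary page. The two hash rates are assumed illustrative figures taken from the page's own statements (about 100 billion NTLM guesses per second on a modern GPU, a few thousand bcrypt guesses per second); the 14 million word count follows the page's description of rockyou.txt and the 64 rules per word stands in for a rule file of best64's size. The table it prints reconciles the page's two brute force figures: 8 characters drawn from a small character set fall in seconds, while the full printable set takes hours, and 12 characters or a slow hash push the time to years.

```python
from typing import Dict, List, Tuple

# Assumed illustrative guess rates, taken from the page's figures.
RATES_PER_SECOND: Dict[str, float] = {"NTLM": 100e9, "bcrypt": 5e3}

# Character set sizes for brute force keyspace = size ** length.
CHARSETS: Dict[str, int] = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "all printable ASCII": 95,
}


def brute_force_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst case time to exhaust every string of the given length."""
    return charset_size ** length / rate


def dictionary_seconds(wordlist_size: int, rules_per_word: int, rate: float) -> float:
    """Time to try every word with every rule applied (a hybrid attack)."""
    return wordlist_size * rules_per_word / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, one decimal place."""
    minute, hour, day, year = 60.0, 3600.0, 86400.0, 365.25 * 86400.0
    if seconds < minute:
        return f"{seconds:.1f} seconds"
    if seconds < hour:
        return f"{seconds / minute:.1f} minutes"
    if seconds < day:
        return f"{seconds / hour:.1f} hours"
    if seconds < year:
        return f"{seconds / day:.1f} days"
    return f"{seconds / year:,.0f} years"


def estimate_table(wordlist_size: int = 14_000_000, rules: int = 64) -> List[Tuple[str, str]]:
    """Build (scenario, duration) rows for each hash rate, charset and length."""
    rows: List[Tuple[str, str]] = []
    for algo, rate in RATES_PER_SECOND.items():
        for name, size in CHARSETS.items():
            for length in (8, 12):
                label = f"{algo} brute force, {length} chars, {name}"
                rows.append((label, human_duration(brute_force_seconds(size, length, rate))))
        label = f"{algo} dictionary, {wordlist_size:,} words x {rules} rules"
        rows.append((label, human_duration(dictionary_seconds(wordlist_size, rules, rate))))
    return rows


if __name__ == "__main__":
    for scenario, duration in estimate_table():
        print(f"{scenario:<55} {duration}")
```

The dictionary row for bcrypt lands at about two days, which matches the page's remark that a long wordlist against a slow hash "could take days", while the same wordlist against NTLM finishes in a fraction of a second. That gap, not the password policy alone, is what an adaptive hash buys the defender.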
Memory Tip
Remember that every password is a key: short keys open fast, long keys take forever. Salt is like a unique lock for each user, and rainbow tables are like a master key ring that only works on identical locks.
Frequently Asked Questions
What is the difference between a dictionary attack and a brute force attack?
A dictionary attack uses a list of likely passwords, like common words or known leaked passwords. A brute force attack tries every possible combination of characters. Dictionary attacks are much faster, but they only work if the password is in the wordlist. Brute force attacks take longer but can eventually find any password.
Can password cracking be prevented entirely?
No, password cracking cannot be prevented entirely because any password can theoretically be guessed. However, you can make it impractical by using long, random passwords, strong hashing algorithms like bcrypt, and adding a unique salt per user. Also, using multi-factor authentication adds a second layer that protects even if the password is cracked.
Why is salting important for password storage?
Salting adds a unique random string to each password before hashing. This means that even if two users have the same password, their hashes will be different. It defeats rainbow tables and makes cracking much slower because each hash must be attacked individually with its own salt.
What tools are commonly used for password cracking in exams?
The most commonly tested tools are Hashcat and John the Ripper. Both are open-source and run on GPUs to accelerate cracking. In the CEH and Security+ exams, you may also see references to tools like Cain and Abel or Ophcrack, though they are less common now.
What is the strongest password hashing algorithm?
The strongest commonly used algorithms are bcrypt, scrypt, and Argon2. These are adaptive hash functions that are intentionally slow and include salts. They are designed to resist brute force attacks even on powerful hardware. Argon2 is the winner of the Password Hashing Competition and is considered the current best practice.
How long does it take to crack an 8-character password?
It depends on the algorithm and hardware. For a fast hash like NTLM, a modern GPU can crack an 8-character password in under an hour if it uses a simple character set. For a slow hash like bcrypt with high cost, the same password might take years. The key factor is the algorithm's speed and the password's complexity.
Summary
Password cracking is a core concept in cybersecurity that every IT certification learner must understand. It is the process of recovering unknown passwords by systematically guessing or comparing against stored hashes. The methods range from simple dictionary attacks that try common words to brute force attacks that exhaust every possible combination.
The effectiveness of these attacks depends heavily on the strength of the password itself, the hashing algorithm used, and whether a salt is present. Strong passwords that are long, random, and not based on dictionary words, combined with slow, salted hashing algorithms like bcrypt, make cracking computationally impractical. For certification exams, especially the EC-Council CEH and CompTIA Security+, you need to know the different attack types, the tools such as Hashcat and John the Ripper, and the countermeasures including account lockout policies and salting.
A common exam trap is to choose rainbow tables when a salt is present, so always check for salting. In real IT work, password cracking is used both by attackers and defenders. Security professionals use these same tools to test the resilience of their own systems and enforce stronger password policies.
Ultimately, password cracking highlights the importance of good password hygiene and layered security controls. As you prepare for your exams, focus on understanding the relationship between password entropy, hash speed, and cracking time. This knowledge will serve you both in passing the exam and in your career as a security professional.