How Hackers Crack Passwords — Methods, Tools & Defenses | PassGen

Every year, billions of credentials are exposed in data breaches. But a leaked hash isn't the same as a leaked password: attackers still need to crack the hash to recover the plaintext. Understanding how they do it is the first step to choosing passwords, and services, that resist them.

1. Brute Force Attacks

The simplest approach: try every possible combination until one matches. How fast that goes depends on the hash as much as on the password. Against a fast, unsalted hash such as MD5 or NTLM, a single modern GPU exhausts the keyspace of a 6-character lowercase password (26^6 = 308,915,776 combinations) in well under a second. Against a deliberately slow hash such as bcrypt the same search takes hours, because each guess costs thousands of times more work.

The math is straightforward: keyspace = pool_size ^ length. Double the length and you square the keyspace. This is why a 16-character password with all character types (95^16 ≈ 4.4 × 10^31) would take billions of years even on a GPU cluster.

Defense

  • Use passwords with 16+ characters and all character types
  • Use our Crack Time Calculator to see exactly how long your password would resist brute force

2. Dictionary Attacks

Attackers maintain massive dictionaries — not just English words, but leaked passwords, common names, keyboard patterns, and l33tspeak substitutions. Tools like Hashcat and John the Ripper can test millions of dictionary entries per second, applying rules like:

  • Capitalize first letter: password → Password
  • Append numbers: password → password123
  • Common substitutions: password → p@$$w0rd
  • Reverse: password → drowssap

A password based on any real word — even with substitutions — falls to a dictionary attack in seconds to minutes.
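A rule-based dictionary attack in miniature, added here as an example (it is not code from the page, from Hashcat or from John the Ripper). It implements a small subset of hashcat's rule syntax (`c`, `$X`, `^X`, `sXY`, `r`, `d`, `l`, `u`, `:`), expands a constructed wordlist through a constructed rule set, and hashes each candidate against a set of "leaked" MD5 hashes built inline; everything beyond those rule letters is this example's own assumption.

```python
import hashlib
from typing import Iterable, Iterator

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule written in a small subset of hashcat's rule language.

    Supported functions (assumption: only what this example needs):
      ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalize first letter,
      'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X,
      'sXY' replace every X with Y. Spaces between functions are ignored.
    """
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn in " :":
            i += 1
        elif fn == "l":
            out, i = out.lower(), i + 1
        elif fn == "u":
            out, i = out.upper(), i + 1
        elif fn == "c":
            out, i = out[:1].upper() + out[1:].lower(), i + 1
        elif fn == "r":
            out, i = out[::-1], i + 1
        elif fn == "d":
            out, i = out * 2, i + 1
        elif fn == "$":
            out, i = out + rule[i + 1], i + 2
        elif fn == "^":
            out, i = rule[i + 1] + out, i + 2
        elif fn == "s":
            out, i = out.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
    return out

# Constructed wordlist and rule set: tiny stand-ins for the multi-gigabyte
# lists and thousands of rules used in practice.
WORDLIST = ["password", "summer", "dragon", "letmein"]
RULES = [
    ":",              # the word itself
    "c",              # Password
    "$1 $2 $3",       # password123
    "c $1 $2 $3",     # Password123
    "sa@ ss$ so0",    # p@$$w0rd
    "r",              # drowssap
    "c $2 $0 $2 $4",  # Summer2024
    "c $!",           # Dragon!
]

def candidates(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """Yield every word/rule combination, the way a rule-based attack does."""
    for word in words:
        for rule in rules:
            yield apply_rule(word, rule)

def crack_md5(targets: set[str], words: Iterable[str], rules: Iterable[str]) -> dict[str, str]:
    """Hash each candidate and return {hash: plaintext} for every target hit."""
    found: dict[str, str] = {}
    for cand in candidates(words, rules):
        h = md5_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found

if __name__ == "__main__":
    # Constructed "leaked" hashes: three dictionary-derived passwords and one
    # random 16-character password that no word/rule pair can reach.
    leaked = {md5_hex(p) for p in ("Password123", "p@$$w0rd", "Summer2024", "k9#Vq2!mZp7&Lw3x")}
    for h, plain in crack_md5(leaked, WORDLIST, RULES).items():
        print(h, plain)
```

Four words and eight rules already recover three of the four hashes; the random one survives only because no dictionary word and no rule produce it, which is the whole argument for generated passwords.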

Defense

  • Never use dictionary words, names, or predictable patterns
  • Use a randomly generated password instead of trying to be clever with substitutions
  • Test your password with our Strength Checker — it detects common patterns

3. Rainbow Table Attacks

A rainbow table is a precomputed table that lets an attacker map a hash value back to its plaintext. (Strictly, it stores compressed hash chains rather than every individual hash, but the lookup it enables is the same.) Instead of computing hashes at attack time, the attacker looks up your hash in the table and recovers the password almost instantly.

For example, the MD5 hash of "password123" is always 482c811da5d5b4bc6d497ffa98491e38. A rainbow table containing this entry returns the plaintext immediately.

Why salting defeats rainbow tables

Salting mixes a random value, the salt, into the hash input alongside the password. The salt is generated separately for every user and stored next to the hash; it does not need to be secret. Because every user has a different salt, the same password produces different hashes, and precomputed tables become useless: the attacker would need a separate table for every possible salt value, which is infeasible for a salt of 16 random bytes.

Modern password hashing algorithms (bcrypt, scrypt, Argon2) generate and store the salt automatically and are deliberately slow, so every guess costs the attacker real time. If a service is still using unsalted MD5 or SHA-1, every common or guessable password in its database can be cracked in bulk; only long, random passwords survive, because their keyspace is too large even for a fast hash.
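The precomputed lookup and the salting argument, as an added example rather than code from the page. It builds a hash-to-plaintext table from a constructed wordlist (a plain dictionary stands in for a true rainbow table's chains), shows that a per-user salt makes the table miss, and contrasts this with how a service should store the password. Assumption: standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt/Argon2, with the iteration count OWASP recommends for that KDF.

```python
import hashlib
import hmac
import secrets

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed wordlist standing in for the billions of entries a real table covers.
WORDLIST = ["password", "password123", "letmein", "qwerty", "dragon"]

def build_lookup_table(words):
    """Precompute hash -> plaintext once. A real rainbow table stores hash
    chains to save space, but the lookup it provides is the same."""
    return {md5_hex(w.encode()): w for w in words}

def lookup(table, digest):
    """Instant recovery: no hashing at attack time at all."""
    return table.get(digest)

def salted_md5_hex(salt: bytes, password: str) -> str:
    """Same fast hash, but with a per-user salt mixed into the input."""
    return md5_hex(salt + password.encode())

# How a service should store passwords instead. Assumption: PBKDF2-HMAC-SHA256
# from the standard library stands in for bcrypt/scrypt/Argon2; 600,000 is the
# OWASP-recommended iteration count for this KDF.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)   # fresh per user, stored next to the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = md5_hex(b"password123")
    print(leaked, "->", lookup(table, leaked))
    for salt in (b"\x01" * 16, secrets.token_bytes(16)):
        h = salted_md5_hex(salt, "password123")
        print(salt.hex(), h, "->", lookup(table, h))
    stored = hash_password("password123")
    print(stored)
    print(verify_password("password123", stored), verify_password("Password123", stored))
```

Two things to notice: the salted lookups return nothing even though the password is in the wordlist, and hashing the same password twice with `hash_password` yields two different strings, so a leaked database of such hashes gives an attacker no shortcut across users.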

Defense

  • You can't control how a service hashes your password, but you can use unique passwords everywhere
  • If a breach reveals unsalted hashes, change your password immediately
  • Learn more about secure hashing with our Bcrypt Hash Generator

4. Credential Stuffing

This is the most practical attack — and the one most people are vulnerable to. Credential stuffing takes leaked username/password pairs from one breach and automatically tries them on other services.

It works because 65% of people reuse passwords across multiple accounts. If your email/password combination leaked from a small forum, attackers will try it on Gmail, Amazon, Netflix, your bank, and hundreds of other services — often within hours of the breach.
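What credential stuffing looks like from the receiving service's side, as an added example (not code from the page or from any named tool). It runs a small detector over a constructed authentication log: a stuffing source tries many different accounts once each and mostly fails, which is the opposite shape from a user mistyping their own password, and the few successes are the accounts whose reused password just worked.

```python
from collections import defaultdict

# Constructed authentication log (not real data). One event per line:
# timestamp source_ip username result
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.org FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob@example.org OK
2024-05-01T10:00:02Z 203.0.113.7 carol@example.org FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave@example.org FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin@example.org FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank@example.org FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace@example.org FAIL
2024-05-01T10:00:05Z 203.0.113.7 heidi@example.org FAIL
2024-05-01T10:02:10Z 198.51.100.2 alice@example.org FAIL
2024-05-01T10:02:25Z 198.51.100.2 alice@example.org FAIL
2024-05-01T10:02:40Z 198.51.100.2 alice@example.org OK
2024-05-01T10:05:00Z 192.0.2.9 carol@example.org OK
"""

def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def detect_stuffing(events, min_distinct_users=5, min_fail_rate=0.75):
    """Flag source IPs that try many different accounts and mostly fail.

    A brute-force attack hammers one account; a legitimate user retries one
    account a few times (198.51.100.2 above). Credential stuffing is one
    attempt per account across many accounts with a low hit rate.
    Thresholds are this example's assumptions, not published guidance.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, attempts in by_ip.items():
        users = {e["user"] for e in attempts}
        failures = sum(1 for e in attempts if not e["ok"])
        fail_rate = failures / len(attempts)
        if len(users) >= min_distinct_users and fail_rate >= min_fail_rate:
            findings[ip] = {
                "attempts": len(attempts),
                "distinct_users": len(users),
                "fail_rate": round(fail_rate, 2),
                # Successful logins from a stuffing source are the accounts
                # whose reused password worked: these need a forced reset.
                "compromised": sorted(e["user"] for e in attempts if e["ok"]),
            }
    return findings

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, only 203.0.113.7 is flagged, and bob@example.org is listed as compromised: his password was reused from some other breach and worked here on the first try, which is exactly the outcome unique passwords prevent.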

Defense

  • Never reuse passwords — this is the single most important security practice
  • Use a password manager to maintain unique passwords for every account
  • Check if your passwords have been leaked using our Password Leak Checker
  • Enable two-factor authentication (2FA) on all important accounts

5. Social Engineering & Phishing

The most effective attacks don't crack passwords at all — they trick you into handing them over. Phishing emails impersonating banks, tech companies, or IT departments direct you to fake login pages that capture your credentials.

Modern phishing is increasingly sophisticated: real-time proxy (adversary-in-the-middle) kits relay your password and one-time 2FA code to the real site as you type them, AI-generated emails are grammatically perfect, and lookalike domains (typosquats, homoglyphs, or the real brand name used as a subdomain of the attacker's domain) make fake sites look identical to real ones.

Defense

  • Always verify the domain before entering credentials. HTTPS and the padlock only mean the connection is encrypted; most phishing sites use HTTPS too. What matters is that the hostname is exactly the one you expect, not a lookalike or a subdomain of someone else's domain
  • Use hardware security keys (FIDO2/WebAuthn) for phishing-resistant 2FA
  • Never enter passwords from email links — navigate to the site directly
  • Use unique passwords so even a successful phish only compromises one account
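The URL check from the list above, written out as an added example (not code from the page). It extracts the host a browser would actually connect to, which discards the `user@` part and the port that phishing URLs use for disguise, and accepts a URL only if that host is the expected domain or a subdomain of it, over HTTPS, with no non-ASCII or punycode labels. The domain names are constructed (`mybank.example`, `attacker.test` are reserved for documentation), and the rule set is this example's own assumption about what "the correct domain" means.

```python
from urllib.parse import urlsplit

def effective_host(url: str):
    """Hostname the browser actually connects to. Anything before '@' is
    userinfo, not the host; the port and path are discarded; result is lowercase."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None

def looks_like_idn(host: str) -> bool:
    """True if any label is non-ASCII (a homoglyph such as a Cyrillic 'а' in
    'mybаnk.example' becomes an xn-- label) or is already punycode."""
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return True
    return host.encode("idna").decode("ascii") != host

def is_expected_site(url: str, expected_domain: str) -> bool:
    """Accept only https URLs whose host is expected_domain or a subdomain of it.
    Assumption: expected_domain is the registered domain the user means to visit."""
    parts = urlsplit(url)
    host = effective_host(url)
    if parts.scheme != "https" or not host:
        return False
    if looks_like_idn(host):
        return False
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

if __name__ == "__main__":
    for url in ("https://login.mybank.example/signin",
                "https://mybank.example.attacker.test/signin",
                "https://mybank.example@attacker.test/signin",
                "http://login.mybank.example/signin",
                "https://notmybank.example/signin",
                "https://mybаnk.example/signin"):   # Cyrillic а
        print(is_expected_site(url, "mybank.example"), url)
```

The cases that fail are the common disguises: the real name placed in front of `@`, the real name used as a subdomain of the attacker's domain, a plain-HTTP downgrade, and a homoglyph that is visually identical in most fonts.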

The Attack Timeline: What Happens After a Breach

Time         What happens
0–1 hours    Breach data appears on dark web markets and hacking forums
1–6 hours    Automated credential stuffing bots begin testing pairs on major services
6–24 hours   MD5/unsalted hashes are cracked for common passwords
1–7 days     More complex passwords are cracked; targeted attacks begin on high-value accounts
1–4 weeks    Breach appears in public databases like Have I Been Pwned

Your Action Plan

  1. Generate strong, unique passwords for every account using our Strong Password Generator
  2. Store them in a password manager — Bitwarden, 1Password, or KeePass
  3. Check for leaks regularly with our Leak Checker
  4. Enable 2FA everywhere — preferably with an authenticator app or hardware key
  5. Test your passwords with our Strength Checker and Crack Time Calculator

Security is not about one perfect password — it's about layered defenses. Strong, unique passwords are the foundation. Everything else builds on top.