How Attackers Crack Passwords and How to Stop Them
Noah G.
The Password Cracking Process
When attackers steal a database of password hashes, the race begins: the attacker runs specialized cracking software on GPU hardware to recover the original passwords from the hashes, while the defender tries to detect the theft and force resets before the recovered credentials are used. How long that race takes is decided almost entirely by how the passwords were hashed, so understanding the cracking process helps you choose the right defenses for your organization's password storage.
Attack Techniques
Rainbow tables are precomputed hash-to-password mappings that turn cracking into a lookup: if the same password always produces the same hash, one precomputation serves every stolen database forever. Salting each password with a random, per-user value before hashing defeats this precomputation, because the table would have to be rebuilt for every salt. Salting does not stop the remaining techniques; it only forces the attacker to compute each guess against each hash, which is why the cost of a single hash computation matters so much. Dictionary attacks try millions of known passwords, typically taken from earlier breaches. Rule-based attacks apply transformations to those words, such as appending digits or years, changing case, and substituting characters ("p@ssw0rd"). Brute force tries every possible combination up to a given length. Against fast, general-purpose hashes like MD5, SHA1, or SHA256, a single modern GPU can test billions of candidates per second, so a short or predictable password falls within minutes regardless of salting.
Choosing the Right Hash Algorithm
Use bcrypt, scrypt, or Argon2id for password hashing, never MD5, SHA1, or plain SHA256 (even salted). These password-specific algorithms are deliberately slow and tunable, requiring significant computation per hash attempt. Configure the work factor so that one hash takes at least 100 milliseconds on your server, store the parameters alongside each hash so they can be raised later, and re-hash on login as hardware improves. A cost of 100 ms per guess turns a GPU rig that tried billions of MD5 hashes per second into one that tries a few thousand, which makes brute force orders of magnitude slower and puts long passphrases out of reach. scrypt and Argon2id additionally require a configurable amount of memory per hash attempt (tens of megabytes is typical), which GPUs have comparatively little of per core, so memory-hard hashing makes GPU-based attacks far less efficient; Argon2id is the current recommendation for new systems. One caveat if you choose bcrypt: it only uses the first 72 bytes of the password, so reject or pre-hash longer inputs rather than silently truncating them.
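The following Python example, added here and not part of the original article, contrasts the two sides of the story above: an unsalted fast hash that a precomputed lookup table cracks instantly, beside a salted, memory-hard scrypt store (Python's standard-library hashlib.scrypt, used in place of Argon2id because it needs no third-party package) where the attacker is reduced to one slow computation per guess. It also shows how to pick the work factor so that a single hash costs at least 100 ms on the machine it runs on. The wordlist, the victim password, and the scrypt parameters (N=2^14, r=8, p=1 as a starting point) are constructed for the demo.

```python
"""Added example: why salted, slow hashing beats fast unsalted hashing.

(1) An unsalted SHA-256 store cracked by a precomputed lookup table,
(2) a salted scrypt store that needs one full computation per guess, and
(3) tuning scrypt's N so one hash takes >= 100 ms on this machine.
All passwords and parameters below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

# Constructed "leaked wordlist" standing in for a real cracking dictionary.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2024!"]


# --- The weak scheme: fast, unsalted -----------------------------------------

def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256, no salt: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; this is the idea behind a rainbow table."""
    return {fast_unsalted_hash(w): w for w in words}


def crack_with_lookup(stored_hash: str, table: dict):
    """O(1) recovery: no hashing happens at crack time at all."""
    return table.get(stored_hash)


# --- The recommended scheme: salted, memory-hard, tunable --------------------

SCRYPT_R, SCRYPT_P = 8, 1
MAXMEM = 256 * 1024 * 1024  # cap on scrypt's memory use (bytes); assumed limit


def _scrypt(password: str, salt: bytes, n: int) -> bytes:
    # Memory cost is roughly 128 * r * N bytes, so N=2**14 uses ~16 MiB.
    return hashlib.scrypt(password.encode(), salt=salt, n=n,
                          r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32)


def hash_password(password: str, n: int = 2**14) -> str:
    """Return a self-describing record: scheme$N$r$p$salt$digest (hex)."""
    salt = os.urandom(16)  # unique per password, never reused
    digest = _scrypt(password, salt, n)
    return f"scrypt${n}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt" or int(r) != SCRYPT_R or int(p) != SCRYPT_P:
        return False
    candidate = _scrypt(password, bytes.fromhex(salt_hex), int(n))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_salted_dictionary(record: str, words):
    """What the attacker is reduced to: one full scrypt evaluation per guess."""
    for w in words:
        if verify_password(w, record):
            return w
    return None


def choose_scrypt_n(target_seconds: float = 0.1, max_n: int = 2**17) -> int:
    """Double N until a single hash takes at least target_seconds here."""
    n = 2**12
    while n < max_n:
        t0 = time.perf_counter()
        _scrypt("benchmark", b"\x00" * 16, n)
        if time.perf_counter() - t0 >= target_seconds:
            break
        n *= 2
    return n


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    victim = fast_unsalted_hash("letmein")
    print("unsalted SHA-256, cracked by lookup:", crack_with_lookup(victim, table))
    record = hash_password("letmein")
    print("salted scrypt, cracked only by hashing every guess:",
          crack_salted_dictionary(record, COMMON_PASSWORDS))
    print("scrypt N giving >= 100 ms per hash on this machine:", choose_scrypt_n())
```

Note that the salted record still falls to the dictionary attack because "letmein" is a weak password; salting and a slow hash buy time per guess, they do not rescue a password that is itself guessable. Run choose_scrypt_n on the production hardware, not a laptop, and raise N over time.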
Defense in Depth for Passwords
Layer multiple defenses, because each one covers a different failure: use a strong, slow hashing algorithm so a stolen database buys the attacker time rather than passwords; enforce a minimum password length of 14 characters so brute force has a large space to cover; check new passwords against breach databases so dictionary and rule-based attacks have nothing to find; implement account lockout or progressive delays to blunt online guessing against the login form; require MFA so a cracked password alone is not enough; and monitor for credential stuffing, where passwords leaked from other sites are tried across many of your accounts. True Protection monitors for signs of credential theft and brute force attacks, alerting you before accounts are compromised.
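As an added illustration (not code from the article or from True Protection), the Python below implements three of the layers listed above: the 14-character minimum, a breach-list check done the way the Have I Been Pwned range API works (only the first five hex characters of the password's SHA-1 leave the client, and the suffix is compared locally), and an online-guessing throttle that locks an account after repeated failures and flags a source that fails against many different accounts, the signature of credential stuffing. The breach corpus, thresholds, and clock injection are constructed for the demo; in production the range query goes to the real service and the counters live in shared storage.

```python
"""Added example: registration-time and login-time password defenses.

Breach data below is a constructed stand-in, not a real corpus.
"""
import hashlib
import time
from collections import defaultdict

MIN_LENGTH = 14

# Constructed stand-in for a breach corpus (real: HIBP Pwned Passwords).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "Summer2024!",
                      "correcthorsebatterystaple"}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Server-side index: 5-char SHA-1 prefix -> set of 35-char suffixes.
_BREACH_INDEX = defaultdict(set)
for _pw in BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    _BREACH_INDEX[_h[:5]].add(_h[5:])


def breach_range_query(prefix5: str) -> set:
    """Server side of the k-anonymity lookup: every suffix under this prefix."""
    return set(_BREACH_INDEX.get(prefix5, ()))


def is_breached(password: str) -> bool:
    """Client side: only the 5-char prefix is sent; the match happens locally."""
    h = _sha1_hex(password)
    return h[5:] in breach_range_query(h[:5])


def check_new_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known breach")
    return problems


class LoginThrottle:
    """Per-account lockout plus per-source credential-stuffing detection.

    clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_failures=5, window_s=900.0, lockout_s=900.0,
                 stuffing_accounts=20, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.stuffing_accounts = stuffing_accounts
        self.clock = clock
        self._failures = defaultdict(list)      # account -> failure timestamps
        self._locked_until = {}                 # account -> unlock time
        self._by_source = defaultdict(dict)     # source -> {account: last failure}

    def is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0.0) > self.clock()

    def record_failure(self, account: str, source: str) -> bool:
        """Register a failed login; return True if the account is now locked."""
        now = self.clock()
        recent = [t for t in self._failures[account] if now - t < self.window_s]
        recent.append(now)
        self._failures[account] = recent
        self._by_source[source][account] = now
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures[account] = []
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

    def stuffing_suspect(self, source: str) -> bool:
        """One source failing against many distinct accounts in the window."""
        now = self.clock()
        distinct = [a for a, t in self._by_source[source].items()
                    if now - t < self.window_s]
        return len(distinct) >= self.stuffing_accounts
```

The lockout alone does not catch credential stuffing, because the attacker tries one leaked password per account and never trips a per-account counter; that is why the throttle also counts distinct accounts per source. Treat the source-based signal as an alert and a step-up trigger (require MFA, add a CAPTCHA) rather than a hard block, since shared NAT addresses produce false positives.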