How Are Passwords Cracked?

password1The answer to this question is complicated, but not impossible to understand.  The first thing to know is that most passwords are not cracked by guessing, or trying thousands of possibilities one at a time on a typical login screen.  Most systems will lock the account after a certain small number of failed attempts, like 5 or 6. This makes the kind of password cracking you see in the movies, one hacker versus one system login, pretty unrealistic.

Typically, the type of password breaches we hear about involves stealing a user and password database in bulk.  In this scenario, an attacker gets administrative or “root” access to the web server where the database is stored, and the entire database is exported or exfiltrated.  Once the database in in hand, the attackers have all time time they need to crack the passwords offline, using high powered computer systems and software programs.

A company providing web services, such as Yahoo, for example, does not store your password in plain text.  They create an encrypted password using a process called a one-way hash.  The beauty of the one-way hash is that even if you have the encryption key, it can not be used to decrypt the hashed password.  Which is why it is called a one-way hash.

So hashed passwords cannot truly be cracked.  But if you know what method was used to create the hashed password, you can try all the possibilities, and create hashes from those possibilities, and then compare the hashed passwords you have created with the hashed passwords you have stolen.  Those hashes that match have produced a solution for that particular set of passwords.  The bad news is that the state of the art in password cracking software today will pretty much grind through the 457 trillion possibilities of an eight character password in under an hour.

These solved-for passwords are then turned into a “rainbow table” that is sold to other cyber-criminals on the Dark Web marketplaces.  So an cyber-criminal with a new database of hashed passwords and just compare his hashes with those on a rainbow table, which makes the process even faster.  According to my research, at this time rainbow tables exist for passwords out to ten characters.   If your passwords are longer than ten characters, then you can expect your password to stand up to modern password cracker methodology, and generally will not be included on a rainbow table.

But solving for hashes is still not easy, and does not always provide a complete solution.  This is because clever web service operators are not simply hashing passwords.  To further complicate the process, and make it even harder to crack, most stored passwords are also “salted” and “stretched.”  Adding a salt is simply adding a string of random characters to the beginning or end of a password before it is hashed.  Stretching is the process of hashing a password multiple times to make it more difficult to solve for the password.  Password databases that are salted, hashed, and stretched are very nearly impervious to solution without knowing the salt value, the hash method, and how many times the password was hashed or stretched.

So back to Yahoo.  They have been pilloried recently in the press for failing to reveal a password breach that happened in 2014.  Part of the reason they did not report it is that they use bcrypt to hash user passwords, and this is a very effective system that provides salting, hashing and stretching as described above.  The good news is the likelihood that your stolen Yahoo password was ever successfully cracked is very low, even after two years.   Nevertheless, we would still advise you to change your Yahoo password to something new that is longer than 10 characters.

Hopefully this article gave you a better understanding of that is involved in both cracking passwords, and protecting passwords from being cracked.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at


  1. Kathy Weeks  November 23, 2016

    Wow, very well written article Bob – easy to understand, and very good info. about how intelligent, profitable, and world wide hacking has gotten – scary and sad. But, easy for me to understand why I need to make my passwords longer than 10 characters to protect myself. Thanks Bob!


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.