The top ten password-cracking techniques used by hackers

Think your passwords are secure? Think again

list of poor passwords on notepad

Understanding the password-cracking techniques hackers use to blow your online accounts wide open is a great way to ensure it never happens to you.

You will certainly always need to change your password, and sometimes more urgently than you think, but mitigating against theft is a great way to stay on top of your account security. You can always head to to check if you're at risk, but simply thinking your password is secure enough to not be hacked is a risky position to take.

Advertisement - Article continues below

So, to help you understand just how hackers get your passwords, secure or otherwise, we've put together a list of the top ten most popular password-cracking techniques used across the internet. Some of the below methods are certainly old-fashioned, but that hasn't diminished their popularity.

The top ten password-cracking techniques used by hackers:

1. Dictionary attack

The dictionary attack, as its name suggests, is a method that uses an index of words that feature most commonly as user passwords. This is a slightly less-sophisticated version of the brute force attack but it still relies on hackers bombarding a system with guesses until something sticks.

If you think that by mashing words together, such as "superadministratorguy", will defend you against such an attack, think again. The dictionary attack is able to accommodate for this, and as such will only delay a hack for a matter of seconds.

2. Brute force attack

Similar in function to the dictionary attack, the brute force attack is regarded as being a little more sophisticated. Rather than using a list of words, brute force attacks are able to detect non-dictionary terms, such as alpha-numeric combinations. This means passwords that include strings such as "aaa1" or "zzz10" could be at risk from a brute force attack.

Advertisement - Article continues below
Advertisement - Article continues below

The downside is this method is far slower as a result, especially when longer passwords are used. However, this style of attack is usually supported by additional computing power to cut down hacking time, whether that's through assigning more CPU resources to the task or by creating a distributed processing farm, similar to those used by cryptocurrency miners.

3. Rainbow table attack

Rainbow tables might sound innocuous, but they are in fact incredibly useful tools in a hacker's arsenal.

When passwords are stored on a computer system, they are hashed using encryption - the 1-way nature of this process means that it's impossible to see what the password is without the associated hash.

Simply put, rainbow tables function as a pre-computed database of passwords and their corresponding hash values. This will then be used as an index to cross-reference hashes found on a computer with those already pre-computed in the rainbow table. Compared to a brute force attack, which does a lot of the computation during the operation, rainbow tables boil the attack down to just a search through a table.

Advertisement - Article continues below

However, rainbow tables are huge, unwieldy things. They require a serious amount of storage to run and a table becomes useless if the hash it's trying to find has been "salted" by the addition of random characters to its password ahead of hashing the algorithm.

There is talk of salted rainbow tables existing, but these would be so large as to be difficult to use in practice. They would likely only work with a predefined "random character" set and password strings below 12 characters as the size of the table would be prohibitive to even state-level hackers otherwise.

4. Phishing

There's an easy way to hack: ask the user for his or her password. A phishing email leads the unsuspecting reader to a faked log in page associated with whatever service it is the hacker wants to access, requesting the user to put right some terrible problem with their security. That page then skims their password and the hacker can go use it for their own purpose.

Advertisement - Article continues below
Advertisement - Article continues below

Why bother going to the trouble of cracking the password when the user will happily give it to you anyway?

5. Social engineering

Social engineering takes the whole "ask the user" concept outside of the inbox that phishing tends to stick with and into the real world.

A favourite of the social engineer is to call an office posing as an IT security tech guy and simply ask for the network access password. You'd be amazed at how often this works. Some even have the gall to don a suit and name badge before walking into a business to ask the receptionist the same question face to face.

6. Malware

A keylogger, or screen scraper, can be installed by malware which records everything you type or takes screenshots during a login process, and then forwards a copy of this file to hacker central.

Some malware will look for the existence of a web browser client password file and copy this which, unless properly encrypted, will contain easily accessible saved passwords from the user's browsing history.

Related Resource

Seven strategies to securely enable remote workers

Sustain business operations during a crisis by following these strategies

Download now

7. Offline cracking

It’s now considered industry standard to limit the number of guesses a person has when entering their password, usually to allow a legitimate account owner to correct typos or try a number of regularly used passwords, in case they forget which is associated with that account. While this is an effective way of preventing an unauthorised user from brute-forcing their way into account, it does nothing to guard against offline hacking – which is where the majority of password hacking occurs these days.

Advertisement - Article continues below

The process usually stems from a recent data breach of a company’s systems, which allows hackers to gain access to user hash files. With these in hand, a hacker can take as long as they need to slowly decrypt passwords, allowing them to masquerade as legitimate account holders logging in successfully for the first time.

8. Shoulder surfing

The idea of a criminal disguised as a courier or employee sneaking into an office building to steal secrets is one that you might think is only found in TV and movies. However, this type of credential theft is still a very real threat in 2020.

Advertisement - Article continues below

In the case of attacks against companies, the service personnel "uniform" provides a kind of free pass to wander around unhindered, giving them the opportunity to snoop literally over the shoulders of genuine members of staff to glimpse passwords being entered or spot passwords that less security-conscious workers have written down on post-it notes or in notepads.

Advertisement - Article continues below

Of course, the more robust a security system is, the easier it is to prevent such attacks. Larger organisations are unlikely to fall victim to this type of hacking, but smaller businesses, particularly those without front desk security, could still be susceptible. There’s also the issue of consumer fraud, as shoulder surfing is often associated with credential theft, for example at cashpoints or while in long queues – essentially anywhere a criminal could maintain a close distance to their potential victim.

9. Spidering

Some hacking techniques rely on getting to know their victim intimately, which is particularly true of spidering. Many organisations use corporate passwords that relate to their business in some way, for example using a variation of their brand name as the password for their Wi-Fi network.

Some savvy hackers have realised that by studying a business’ corporate literature, whether that’s a company mission statement or their sales material, they can build a highly effective word list that can be used as part of a brute force attack. To really perfect this technique, some hackers have even deployed automated tools that trawl through huge volumes of keyword lists associated with a target, helping to improve the efficiency of the process.

10. Guess

The password crackers best friend, of course, is the predictability of the user. Unless a truly random password has been created using software dedicated to the task, a user-generated random' password is unlikely to be anything of the sort.

Advertisement - Article continues below

Instead, thanks to our brains' emotional attachment to things we like, the chances are those random passwords are based upon our interests, hobbies, pets, family and so on. In fact, passwords tend to be based on all the things we like to chat about on social networks and even include in our profiles. Password crackers are very likely to look at this information and make a few – often correct – educated guesses when attempting to crack a consumer-level password without resorting to dictionary or brute force attacks.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now


video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020

Most Popular


Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
cloud computing

Microsoft launches public cloud service for health care

21 May 2020
artificial intelligence (AI)

What is Tiny AI?

20 May 2020