How Password Hackers Really Work (Attack Methods Explained)

Technical deep-dive into password cracking methods: brute force, dictionary attacks, rainbow tables, credential stuffing, and hybrid attacks. Learn how to defend against each.

Understanding how attackers crack passwords is essential for defending against them. This technical guide explains real attack methods, the tools hackers use, and specific defenses against each.

The Two Attack Scenarios

Before diving into methods, understand where attacks happen:

Online Attacks (Active Account)

Target: Live login forms (Gmail, Facebook, banking sites)

Constraints:

  • Rate limiting (3-5 attempts before lockout)
  • Account lockouts after failures
  • CAPTCHA challenges
  • Network latency (~100ms per attempt)

Speed: 100-1,000 attempts per second (distributed across IPs)

Defense: Strong passwords + 2FA

Offline Attacks (Stolen Database)

Target: Hashed passwords from breached databases

Advantages (for attacker):

  • No rate limiting
  • No lockouts
  • Local processing (no network latency)
  • Can use GPUs or custom hardware

Speed:

  • Slow hash (bcrypt, Argon2): 10,000-100,000 hashes/sec
  • Fast hash (MD5, SHA1): 10-100 billion hashes/sec

Defense: Long, random passwords + strong hashing by service provider

Attack Method 1: Brute Force

How It Works

Definition: Trying every possible character combination systematically

Process:

a, b, c, ..., z, aa, ab, ac, ..., zz, aaa, aab, ...

Example sequence (lowercase only):

  1. a
  2. b
  3. c ...
  4. aa
  5. ab ...
  6. zz
  7. aaa ...

Mathematical Reality

6-character password (lowercase only):

  • Possibilities: 26^6 = 308,915,776
  • Time at 100B/sec: 0.003 seconds

8-character password (lowercase only):

  • Possibilities: 26^8 = 208,827,064,576
  • Time at 100B/sec: 2.1 seconds

8-character password (all types):

  • Possibilities: 95^8 = 6,634,204,312,890,625
  • Time at 100B/sec: 768 days

12-character password (all types):

  • Possibilities: 95^12 ≈ 5.4 × 10^23
  • Time at 100B/sec: 171,000 years

Tools Used

Hashcat: GPU-based password cracking

  • Can test 100+ billion MD5 hashes/second
  • Supports 300+ hash algorithms
  • Distributed across multiple GPUs

John the Ripper: CPU-based password cracking

  • Flexible rule engine
  • Incremental mode for brute force
  • Custom character sets

Defense

  ✅ Use 12+ character passwords
  ✅ Include all character types (upper, lower, numbers, symbols)
  ✅ Make it truly random (not patterns)

Attack Method 2: Dictionary Attacks

How It Works

Definition: Trying passwords from a pre-compiled list of common/likely passwords

Sources:

  • Previous breach databases
  • Common password lists
  • Word dictionaries (English, other languages)
  • Names, places, pop culture references

Example wordlist (RockYou.txt from 2009 breach):

  • 32 million real passwords
  • Sorted by frequency
  • Used in nearly every attack

Attack Process

  1. Load wordlist (e.g., 100 million entries)
  2. Try each entry against target hash
  3. Move to variations if base fails

Speed advantage: Only testing likely passwords, not all combinations

Success rate:

  • Top 1,000 passwords: ~1% of accounts
  • Top 10,000 passwords: ~5% of accounts
  • Top 1 million passwords: ~20-30% of accounts

Advanced Dictionary Attacks

Wordlist + Rules:

  • Base: "password"
  • Rules generate: "Password", "password1", "Password1!", "p@ssword", "PASSWORD"

Common rule sets:

  • Capitalize first letter
  • Add numbers 1-99 at end
  • Add common symbols (!, @, #) at end
  • Common substitutions (a→@, o→0, e→3)
  • Append current year

Result: 1 dictionary word generates 100+ variations

Tools Used

Hashcat with wordlists:

hashcat -m 0 -a 0 hashes.txt rockyou.txt

CeWL (Custom Word List generator):

  • Crawls target's website
  • Extracts words/terms
  • Creates targeted wordlist

Defense

  ✅ Avoid dictionary words entirely
  ✅ Don't use common substitutions (P@ssw0rd is still weak)
  ✅ Check against breach databases (use our tool)

Attack Method 3: Rainbow Tables

How It Works

Definition: Pre-computed hash tables for instant password lookup

Concept:

  1. Pre-compute hashes for millions of passwords
  2. Store hash → password mappings
  3. Look up stolen hash in table
  4. Instantly recover password

Example:

Hash: 5f4dcc3b5aa765d61d8327deb882cf99
Lookup: password

Space-Time Tradeoff

Without rainbow tables:

  • Must compute each hash during attack
  • Takes time but no storage

With rainbow tables:

  • Pre-computed (one-time cost)
  • Instant lookups
  • Requires massive storage (TBs)

Chain technique reduces storage:

  • Hash → reduce → hash → reduce → ...
  • Store only endpoints
  • Recreate chain when match found

Why They Work

Unsalted hashes: Same password = same hash

  • "password" always = 5f4dcc3b5aa765d61d8327deb882cf99 (MD5)
  • Rainbow table works for all databases

Fast hashes (MD5, SHA1): Quick to pre-compute

Why They Don't Always Work

Salted hashes: Unique salt per password

  • "password" + salt "x7f9" = different hash
  • "password" + salt "k2m5" = different hash
  • Rainbow table useless (must recompute for each salt)

Slow hashes (bcrypt, Argon2): Too expensive to pre-compute
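As an added illustration (example code written for this article, not a cracking tool's own implementation), the toy below builds the hash → reduce chains described above over a 3-letter password space, stores only chain endpoints, and recovers an unsalted MD5 by regenerating the matching chain; the same lookup fails for a salted digest of the same password. The reduction function, chain length, chain count and salt value are arbitrary choices for the demonstration.

```python
import hashlib
import itertools

# Toy password space for the demonstration: 3 lowercase letters (26^3 = 17,576).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 100     # hash -> reduce steps per chain
NUM_CHAINS = 400    # endpoints stored instead of 17,576 hash -> password rows


def h(pw: str) -> bytes:
    return hashlib.md5(pw.encode()).digest()


def salted_md5(salt: str, pw: str) -> bytes:
    return hashlib.md5((salt + pw).encode()).digest()


def reduce_to_password(digest: bytes, pos: int) -> str:
    """Map a digest back into the password space; mixing in the column
    position gives each column its own reduction (the 'rainbow' part)."""
    n = (int.from_bytes(digest[:8], "big") + pos) % SPACE
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def build_table() -> dict:
    """Precompute the chains once, keep only endpoint -> [start] pairs."""
    all_pws = ["".join(t) for t in itertools.product(ALPHABET, repeat=LENGTH)]
    table = {}
    for start in all_pws[::SPACE // NUM_CHAINS]:
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_to_password(h(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind an unsalted digest, or None. Try each
    column; on an endpoint match, regenerate that chain to find the preimage."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_password(target, col)
        for pos in range(col + 1, CHAIN_LEN):
            pw = reduce_to_password(h(pw), pos)
        for start in table.get(pw, []):
            cand = start
            for pos in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_to_password(h(cand), pos)
    return None
```

The table holds 400 endpoints rather than 17,576 rows, yet `lookup(build_table(), h("aaa"))` returns `"aaa"`; `lookup(build_table(), salted_md5("x7f9", "aaa"))` returns `None`, because the salted digest is not on any precomputed chain.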

Defense

  ✅ Not in your control (service must use salted hashes)
  ✅ Choose services that hash properly
  ✅ Use long passwords (rainbow tables only cover shorter passwords)

Attack Method 4: Credential Stuffing

How It Works

Definition: Using breached username/password pairs from one site to access other sites

Process:

  1. Obtain breach database (e.g., LinkedIn 2012: 164M credentials)
  2. Use automated bots to try credentials on other sites
  3. Test Gmail, Facebook, banking, etc.
  4. Successfully access accounts where users reused passwords

Success rate: 0.1% - 2% (but testing millions = thousands of successes)

Real-World Examples

Disney+ Launch (2019):

  • Thousands of accounts compromised on day 1
  • Attackers used old Netflix/Hulu breach credentials
  • Users had reused passwords

Spotify (Ongoing):

  • Constant credential stuffing attacks
  • "Spotify combo lists" traded online
  • Compromised accounts sold or used for fraud

Tools Used

Sentry MBA: Automated credential testing

  • Tests lists of username:password pairs
  • Handles CAPTCHAs
  • Rotates IPs to avoid rate limiting

OpenBullet: Modern credential testing framework

  • Custom configs for any site
  • Proxy support
  • Result filtering

Defense

  ✅ Never reuse passwords across sites
  ✅ Use password manager to generate unique passwords
  ✅ Enable 2FA (blocks access even with correct password)
  ✅ Check breach status regularly
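On the service side, credential stuffing has a recognisable shape in authentication logs: one source trying many different usernames with a low success rate. The detector below is an added example (not code from any tool or vendor named in this article) run over a constructed log sample; the log format and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed authentication log sample (not real traffic). 203.0.113.7 tries
# six different users and lands one hit; 198.51.100.5 is one user retyping
# their own password; 192.0.2.44 is a normal login.
LOG_LINES = """\
2025-01-10T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-01-10T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2025-01-10T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2025-01-10T10:00:02Z src=203.0.113.7 user=dave result=SUCCESS
2025-01-10T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2025-01-10T10:00:03Z src=203.0.113.7 user=frank result=FAIL
2025-01-10T10:00:04Z src=198.51.100.5 user=alice result=FAIL
2025-01-10T10:00:09Z src=198.51.100.5 user=alice result=FAIL
2025-01-10T10:00:15Z src=198.51.100.5 user=alice result=SUCCESS
2025-01-10T10:00:20Z src=192.0.2.44 user=grace result=SUCCESS
""".splitlines()

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(SUCCESS|FAIL)")


def detect_stuffing(lines, min_users=5, max_success_ratio=0.25):
    """Flag sources that try many distinct usernames with mostly failures:
    the stuffing shape, unlike one user failing repeatedly or a brute force
    against a single account. Returns {src: details} for flagged sources."""
    stats = defaultdict(lambda: {"users": set(), "hits": set(), "fail": 0, "success": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result = m.groups()
        s = stats[src]
        s["users"].add(user)
        if result == "SUCCESS":
            s["success"] += 1
            s["hits"].add(user)      # accounts that need a forced reset
        else:
            s["fail"] += 1
    alerts = {}
    for src, s in stats.items():
        attempts = s["fail"] + s["success"]
        ratio = s["success"] / attempts
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            alerts[src] = {"distinct_users": len(s["users"]), "attempts": attempts,
                           "success_ratio": round(ratio, 3),
                           "accounts_to_reset": sorted(s["hits"])}
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(LOG_LINES).items():
        print(f"ALERT {src}: {info}")
```

Because the tools listed above rotate source IPs, a per-IP view alone is easy to evade; production detection also watches the whole login stream (distinct usernames and failure rate per time window) and per-account signals such as a first-ever login from a new device.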

Attack Method 5: Hybrid Attacks

How It Works

Definition: Combines dictionary words with brute force variations

Examples:

  • Base word: "summer"
  • Generate: "summer1", "summer2", ..., "summer999"
  • Generate: "Summer!", "Summer@", "Summer#"
  • Generate: "summer2025", "summer2024", "summer2023"

Why it works: Users create "complex" passwords by:

  1. Starting with dictionary word
  2. Adding numbers/symbols to meet requirements
  3. Capitalizing first letter

Result: Predictable patterns that seem "random"

Attack Pattern Examples

Pattern 1: Word + Year

summer2025, winter2025, password2025

Pattern 2: Word + Number + Symbol

password1!, football7!, dragon99!

Pattern 3: Capitalized + Substitution + Number

P@ssw0rd1, Summer123, F00tball!
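The defensive counterpart of the rule sets from Method 2 and the patterns above is to run the rules backwards: strip the appended digits and symbols, undo the substitutions, and see whether a dictionary word is left. The checker below is an added example written for this article (not the site's password tool) and uses a small constructed dictionary; the substitution map and suffix character set are assumptions chosen to cover the examples on this page.

```python
import re

# Constructed mini-dictionary for the example; a real checker loads a large
# wordlist such as one derived from the breach corpora described above.
DICTIONARY = {"password", "summer", "winter", "football", "dragon", "lakers",
              "portland", "jennifer", "fluffy"}

# Inverse of the usual substitution rules (a->@, o->0, e->3, i->1, s->$ ...).
UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                        "!": "i", "$": "s", "5": "s", "7": "t"})

# Split off the trailing digits/symbols that rule sets append to a base word.
SUFFIX_RE = re.compile(r"(.*?)([0-9!@#$%^&*?._-]*)")


def analyse(password: str) -> dict:
    """Undo the common mangling rules and report whether a dictionary word is
    left behind, together with the transforms that were detected."""
    core, suffix = SUFFIX_RE.fullmatch(password).groups()
    base = core.lower().translate(UNLEET)
    transforms = []
    if core[:1].isupper() and core[1:] == core[1:].lower():
        transforms.append("capitalised first letter")
    if core.lower() != base:
        transforms.append("leetspeak substitution")
    digits = re.sub(r"\D", "", suffix)
    if re.fullmatch(r"(19|20)\d\d", digits):
        transforms.append("year suffix")
    elif digits:
        transforms.append("trailing digits")
    if any(not ch.isdigit() for ch in suffix):
        transforms.append("trailing symbol")
    return {"password": password, "base": base,
            "weak": base in DICTIONARY, "transforms": transforms}


if __name__ == "__main__":
    # The article's own examples, plus one truly random password for contrast.
    for pw in ["P@ssw0rd1", "Summer2025", "F00tball!", "dragon99!", "xK9#vL2$qP"]:
        r = analyse(pw)
        verdict = "WEAK" if r["weak"] else "ok"
        print(f"{pw:12} -> base={r['base']!r:12} {verdict:4} {', '.join(r['transforms'])}")
```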

Advanced Hybrid Techniques

Markov chains: Learn patterns from breach data

  • If 'p' often followed by 'a', 's', or '@'
  • Generate passwords with realistic patterns
  • More efficient than pure brute force

Mask attacks: Define pattern

?u?l?l?l?l?l?d?d?s
= Uppercase + 5 lowercase + 2 digits + symbol (9 characters; a mask fixes the length exactly)
Generates candidates such as: Passwo12!

Tools Used

Hashcat mask attack:

hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?l?l?d?d?s

Mentalist: GUI for creating wordlist variations

  • Combines base words with rules
  • Generates targeted wordlists

Defense

  ✅ Avoid base dictionary words entirely
  ✅ Don't use predictable number additions (year, simple counting)
  ✅ Use truly random passwords or long passphrases

Attack Method 6: Social Engineering

How It Works

Definition: Gathering personal information to guess passwords

Common password patterns:

  • Name + birthdate: "Jennifer1990"
  • Pet name + number: "Fluffy123"
  • Favorite team + year: "Lakers2024"
  • City + street number: "Portland123"

Information sources:

  • Facebook (birthday, interests, family)
  • LinkedIn (company, education, job history)
  • Instagram (pets, hobbies, locations)
  • Twitter (opinions, favorites)

Targeted Attack Example

Scenario: Attacking "John Smith"

Step 1: Reconnaissance (from social media)

  • Birthday: August 15, 1990
  • Dog named Max
  • Loves Lakers
  • Lives in Portland

Step 2: Generate wordlist

John1990, JSmith1990, johnsmith1990
Max123, MaxSmith, IloveMax
Lakers1, Lakers2024, GoLakers
Portland123, Portland1990

Step 3: Add common patterns

John1990!, JSmith15, johnsmith8151990
Max123!, Max@1990, IloveMax1990
Lakers1!, Lakers2024!, GoLakers!

Success rate: Much higher than random attacks

Defense

  ✅ Never use personal information in passwords
  ✅ Don't post birthdates/pet names if you use them in passwords
  ✅ Use random passwords unrelated to your life

GPU vs CPU: Speed Comparison

Hash Type: MD5 (Fast, Unsalted)

CPU (Intel i7):

  • ~50 million hashes/sec

Single GPU (RTX 4090):

  • ~100 billion hashes/sec
  • 2,000× faster than CPU

8× GPU Rig:

  • ~800 billion hashes/sec
  • 16,000× faster than CPU

Hash Type: bcrypt (Slow, Salted)

CPU (Intel i7):

  • ~1,000 hashes/sec

Single GPU (RTX 4090):

  • ~100,000 hashes/sec
  • 100× faster than CPU

Note: Even with GPU, bcrypt is much slower than MD5

8-character random password:

  • MD5: Cracked in hours
  • bcrypt: Cracked in years

Cloud-Based Cracking

AWS/Google Cloud Instances

Cost: $3-5 per GPU hour (spot instances)
Power: 8× V100 GPUs per instance
Speed: ~200 billion hashes/sec (MD5)

Economics:

  • Weak password (8 chars): $10-50 to crack
  • Medium password (10 chars): $1,000-5,000 to crack
  • Strong password (12+ chars): Not economically viable

Defense Summary by Attack Type

Attack Type          | Primary Defense        | Secondary Defense
---------------------|------------------------|---------------------
Brute Force          | 12+ characters         | All character types
Dictionary           | Avoid dictionary words | Check breach status
Rainbow Tables       | Service must salt      | Long passwords
Credential Stuffing  | Unique passwords       | Enable 2FA
Hybrid               | Avoid patterns         | True randomness
Social Engineering   | No personal info       | Random generation

Test Your Password Against All Attack Types

Want to see how your password would fare against these attacks?

Use our password strength checker →

Our tool simulates:

  • Brute force crack time (multiple scenarios)
  • Dictionary detection (pattern analysis)
  • Breach database check (15+ billion credentials)
  • Pattern recognition (sequences, repetitions, substitutions)

Privacy guaranteed: All analysis happens locally in your browser.

Conclusion

Modern password cracking uses:

  • Massive computational power (GPU farms, cloud instances)
  • Sophisticated techniques (hybrid attacks, Markov chains)
  • Vast breach databases (15+ billion credentials available)
  • Social engineering (personal information gathering)

Your defense:

  1. 12+ character passwords (16+ for critical accounts)
  2. True randomness (password manager generated)
  3. Unique per site (never reuse)
  4. 2FA enabled (second layer of defense)
  5. Regular breach checking (use our tool)

Understanding attacker methods helps you defend effectively. Don't give them easy targets.

Check your password security now →
