The word "hacked" conjures images of skilled programmers attacking systems with sophisticated code. But when it comes to passwords, the reality is far more mundane and far more preventable. Most compromised accounts are not the result of brilliant technical exploits — they result from weak passwords, reused passwords, and poorly secured password databases. Understanding the mechanics of how passwords fail makes it possible to make choices that genuinely matter.

Every year, new breach disclosures reveal the actual passwords people choose. The results are consistently disheartening. According to NordPass's annual analysis of most common passwords, "123456" and "password" regularly top the list, with millions of users each. This is not a failure of intelligence — it is a failure of systems that have, for decades, asked users to manage dozens of unique secrets without providing adequate tools to do so. The problem is structural as much as it is behavioral.

"The average person manages somewhere between 70 and 100 passwords. Expecting them all to be unique, long, and memorable is not a security policy — it is security theater." — Paraphrasing a common argument from security researchers including Troy Hunt

This article examines the technical methods attackers use to crack passwords, explains how proper password storage works (and how it goes wrong), addresses the "length versus complexity" question with actual math behind it, and makes the case for password managers as the most practical available defense for ordinary users.


Key Definitions

Brute force attack: A password cracking method that systematically tries every possible combination of characters until the correct password is found. Computationally intensive but guaranteed to eventually succeed.

Dictionary attack: A cracking method that tests passwords from a precompiled list of words, common passwords, and known breach data, rather than all possible combinations. Much faster than pure brute force for typical human-chosen passwords.

Credential stuffing: The automated testing of username/password pairs from one breach against many other services, exploiting password reuse across accounts.

Hashing: A one-way mathematical transformation that converts a password into a fixed-length string (the hash). Properly implemented, you cannot reverse a hash to obtain the original password — you can only test whether a given input produces the same hash.

Salting: Adding a unique random string to each password before hashing, preventing the use of precomputed rainbow tables and ensuring that identical passwords produce different hashes in the database.

Rainbow table: A precomputed lookup table that maps known password hashes back to their original plaintext passwords. Defeated by salting.

Password entropy: A measure of how unpredictable a password is, expressed in bits. Each additional bit doubles the number of possible passwords. A password with 60 bits of entropy requires up to 2^60 guesses to crack by exhaustive search.


Cracking Methods Compared

Method                         | How It Works                                   | Effective Against                      | Defeated By
-------------------------------|------------------------------------------------|----------------------------------------|------------------------------
Brute force                    | Tests all combinations systematically          | Short passwords                        | Long passwords (12+ chars)
Dictionary attack              | Tests wordlists + transformation rules         | Common words and predictable patterns  | Truly random passwords
Credential stuffing            | Tests breach credentials at other services     | Reused passwords                       | Unique passwords per service
Rainbow table                  | Looks up precomputed hash-to-password mappings | Unsalted hashes                        | Salting
Phishing / social engineering  | Tricks user into revealing password            | Any password strength                  | MFA, user awareness

How Password Cracking Works

The Starting Point: Breach Databases

Most large-scale password cracking does not start with an individual trying to guess your password — it starts with a stolen database. When a site or service is breached, attackers often obtain a copy of the user database, which contains usernames (or email addresses) and stored password representations. How much damage they can do with that database depends almost entirely on how the passwords were stored.

Poorly secured databases store passwords in plaintext — the actual password characters, readable directly. This is catastrophically bad, and organizations that do it are negligent. Less bad but still dangerous is hashing without salting. Properly secured databases use modern, slow hashing algorithms (bcrypt, scrypt, Argon2) with unique salts per password. The difference between these tiers is the difference between attackers having all your users' passwords instantly versus spending years to crack only some of them.

Troy Hunt's Have I Been Pwned project has catalogued over 12 billion compromised account records from known public breaches. Many of these records include cracked passwords that have been subsequently compiled into breach password lists — making them available for use in future dictionary attacks.

Brute Force Attacks

The simplest conceptual approach to cracking a password is to try every possible combination: "a", then "b", then "c", through "z", then "aa", "ab", and so on through every combination at every length. Given unlimited time, this guarantees finding any password. The practical constraint is time.

A modern GPU-based cracking rig can test billions of MD5 hashes per second (MD5 being a fast but entirely inappropriate algorithm for password storage, still used by legacy systems). At that speed, an 8-character password using only lowercase letters (26 possibilities per character, approximately 208 billion combinations) can be exhausted in under a minute. Including uppercase, digits, and common symbols (about 95 characters) raises that to 6.6 quadrillion combinations — which the same hardware can still exhaust in hours to days.

The key implication: short passwords, regardless of character variety, fall to brute force quickly. Length is the primary defense against brute force.

Dictionary Attacks

Pure brute force is computationally wasteful because most passwords are not random. People choose words, names, dates, and patterns that are meaningful to them. Dictionary attacks exploit this by testing likely candidates first.

Modern dictionary attack tools like Hashcat and John the Ripper use wordlists built from multiple sources: common English and other-language words, names, pop culture references, sports teams, keyboard patterns ("qwerty", "1q2w3e4r"), and most critically, actual passwords exposed in prior breaches. These breach password lists are the most effective dictionary attack source because they reflect what real people actually choose.

Beyond raw wordlists, cracking tools apply transformation rules: capitalize the first letter, add "1" to the end, substitute "@" for "a", substitute "3" for "e", add the current year. This means that "P@ssw0rd!2024" is not safe — it is a predictable transformation of "Password" that every serious cracking tool handles automatically.
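As an added illustration (not code from the original article), here is the defensive use of the same rule logic: a registration-time check that undoes the common transformations (appended digits or years, trailing symbols, leet substitutions) and rejects any candidate whose base form is on a breach-derived blocklist, which is the breach-list screening NIST recommends in place of composition rules. The blocklist, the substitution map and the minimum length are constructed assumptions for the example.

```python
import re

# Constructed stand-in for a breach-derived password list (a real check would load a
# list such as Pwned Passwords with hundreds of millions of entries).
BREACH_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "dragon", "welcome"}

# Inverse of the substitutions cracking rules apply: "@" for "a", "3" for "e", "0" for "o", ...
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

# Suffixes the rules append, tried in order: a year, a short number, then trailing symbols.
SUFFIX_PATTERNS = (r"(19|20)\d\d$", r"\d{1,3}$", r"[^a-z0-9]+$")


def _strip_one_suffix(core: str) -> str:
    """Remove one appended suffix, but never strip a password down to no letters at all."""
    for pattern in SUFFIX_PATTERNS:
        shorter = re.sub(pattern, "", core)
        if shorter != core and re.search(r"[a-z]", shorter):
            return shorter
    return core


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word a rule-based attack would have started from."""
    core = candidate.lower()
    if not re.search(r"[a-z]", core):   # all-digit/symbol input: nothing to untransform
        return core
    while True:
        shorter = _strip_one_suffix(core)
        if shorter == core:
            return core.translate(UNLEET)
        core = shorter


def check_password(candidate: str, blocklist=BREACH_BLOCKLIST, min_length: int = 8):
    """Screen a new password the way SP 800-63B suggests: a length floor and a breach-list
    check (direct, and again after undoing predictable transformations), no composition rules."""
    if len(candidate) < min_length:
        return False, "shorter than the minimum length"
    if candidate.lower() in blocklist:
        return False, "appears in breach data"
    base = normalize(candidate)
    if base in blocklist:
        return False, f"predictable transformation of '{base}'"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("P@ssw0rd!2024", "Dragon2019!", "1l0v3y0u2024", "correct horse battery staple"):
        print(pw, "->", normalize(pw), check_password(pw))
```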

Credential Stuffing

Credential stuffing is mechanically straightforward but requires scale. Attackers obtain a list of email/password combinations from a known breach, then use automated tools to test those combinations against other services. If you used the same password on a breached forum as you use on your email account, your email is now at risk even though your email provider was never breached.

The effectiveness of credential stuffing is a direct function of password reuse rates. Studies of breach data have found that between 44 and 65 percent of users reuse passwords across multiple accounts. For attackers with billions of credentials to test, those rates translate to millions of successful logins.

Akamai's 2022 State of the Internet report found that credential stuffing accounted for a substantial portion of login attempts across the industries they monitored, with financial services and media/gaming particularly targeted. The automation is so efficient that a credential stuffing campaign against a major service may test millions of credentials within hours of another service's breach becoming public.
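Added example, not from the original article: detection logic for the pattern described above, run over a constructed login log (documentation IP ranges, example.com accounts). A source that tries many distinct accounts in a short window and mostly fails is the signature of a credential list being replayed; the thresholds are assumptions that a real service would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-log sample ("timestamp src_ip username result"). One source replays a
# credential list against six accounts (one reused password succeeds); another is a single
# user retyping their own password; the third is an ordinary successful login.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:02 203.0.113.7 carol@example.com FAIL
2024-03-01T10:00:03 203.0.113.7 dave@example.com OK
2024-03-01T10:00:03 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:04 203.0.113.7 frank@example.com FAIL
2024-03-01T10:01:10 198.51.100.4 alice@example.com FAIL
2024-03-01T10:01:25 198.51.100.4 alice@example.com FAIL
2024-03-01T10:01:40 198.51.100.4 alice@example.com OK
2024-03-01T10:02:00 192.0.2.9 carol@example.com OK
"""


def parse_log(text: str) -> list:
    """Parse lines into (timestamp, src_ip, username, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events: list, window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Flag a source that tries at least `min_users` distinct accounts inside `window` with a
    failure ratio of `min_fail_ratio` or more. A forgetful user produces many failures on one
    account; a replayed credential list produces one attempt each on many accounts."""
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):          # slide the window over this source
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in in_window}
            fails = sum(1 for e in in_window if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(in_window) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(in_window),
                               "failures": fails, "first_seen": start.isoformat()}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info}")
```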

Rainbow Tables

A rainbow table is a precomputed database that maps password hashes back to their source passwords. Because hashing is deterministic — the same input always produces the same hash — if you have computed the hash for "password123" once, you can store it and look it up instantly rather than recomputing it later.

For unsalted password databases using common hashing algorithms, rainbow tables can crack billions of hashes near-instantly. For common passwords and common algorithms, entire databases can be reversed in minutes using publicly available rainbow tables.

Salting defeats rainbow tables completely. When a unique random string is added to each password before hashing, the hash of "password123" is different for every user. There is no precomputed table that maps salted hashes back to passwords. The attacker must compute hashes individually for each password in the database — which, for properly slow hashing algorithms, makes large-scale cracking computationally infeasible within practical timeframes.


How Password Storage Should Work

The Role of Hashing Algorithms

Not all hash functions are created equal for password storage. MD5 and SHA-1 were designed for fast data integrity checking — their speed is a feature for that use case and a catastrophic flaw for passwords. A single modern GPU can compute billions of MD5 hashes per second, making brute force and dictionary attacks trivially fast.

Password-specific hashing algorithms are designed to be deliberately slow and computationally expensive. bcrypt, introduced in 1999, uses a tunable cost factor that can be raised as hardware improves, so each hash keeps taking a meaningful amount of time no matter how fast the attacker's hardware gets. scrypt and Argon2 add memory-hardness: they require large amounts of RAM in addition to CPU time, specifically to resist GPU-based and ASIC-based cracking.

The current recommended standard, per NIST SP 800-63B, is to use bcrypt, scrypt, or Argon2 with appropriate cost parameters. LinkedIn's 2012 breach exposed 6.5 million SHA-1 hashed passwords without salting; within days, most of them had been cracked. The breach was expanded to 117 million accounts in 2016 when additional data surfaced, and those accounts were cracked almost entirely within weeks due to the weak hashing.
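Added example (not the article's own code) showing the two storage tiers side by side with Python's standard library: a fast, unsalted SHA-1 as in the LinkedIn breach, and salted, memory-hard scrypt with a self-describing record so cost factors can be raised later. The scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factors for illustration: N=2**14, r=8, p=1 needs 128*r*N = 16 MiB of RAM per
# hash, which is what blunts GPU parallelism; raise N as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024

def legacy_unsalted_sha1(password: str) -> str:
    """The 2012 LinkedIn scheme: fast and unsalted, so every user with the same password
    gets the same hash and one precomputed lookup reverses all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus memory-hard scrypt. The record carries its own parameters
    ("scrypt$N$r$p$salt$key") so the cost can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        derived = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                 n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM,
                                 dklen=len(expected))
    except ValueError:            # malformed record or unsupported parameters
        return False
    return hmac.compare_digest(derived, expected)

def same_password_two_users(password: str) -> dict:
    """Two users choosing the same password: one distinct hash under the legacy scheme,
    two distinct records under the salted one (no precomputed table can cover both)."""
    legacy = {legacy_unsalted_sha1(password) for _ in range(2)}
    salted = {hash_password(password) for _ in range(2)}
    return {"legacy_distinct": len(legacy), "salted_distinct": len(salted)}

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("hunter2", record))
    print(same_password_two_users("password123"))
```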


Why Length Beats Complexity

The intuition that adding special characters makes passwords stronger is not wrong — it increases the search space for brute force. But the intuition underestimates how much more powerfully length scales.

Consider: a password drawn from 95 possible characters (uppercase, lowercase, digits, common symbols) at 8 characters produces roughly 6.6 quadrillion possible combinations. A password drawn from only 26 lowercase characters at 20 characters produces about 19 trillion trillion combinations — roughly 3 billion times larger a search space. Length wins decisively.

This is why NIST's revised guidelines in SP 800-63B (2017) explicitly removed requirements for special characters and regular password expiration (which research had shown led to predictable incremental changes like "Password1" to "Password2"). Instead, NIST recommends allowing long passwords — up to at least 64 characters — and checking new passwords against breach databases rather than requiring complexity patterns.

The most practical implementation of long passwords for most people is passphrases: a sequence of random words ("correct horse battery staple" in Randall Munroe's famous XKCD illustration). A four-word passphrase chosen from a common 2000-word vocabulary provides approximately 44 bits of entropy; adding a fifth word brings it to 55 bits. These are far harder to brute force than "P@ssw0rd1" while being far easier to remember.
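Added example, not part of the original article: the search-space and entropy arithmetic behind this section and the brute-force figures earlier, computed exactly with Python integers so the numbers can be checked. The guess rate is an assumed round figure.

```python
import math

# Assumed guess rate for the worked numbers: 10 billion fast (MD5-class) hashes per second,
# a round figure for a single GPU rig; real rigs vary by an order of magnitude either way.
GUESSES_PER_SECOND = 1e10


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(vocab_size: int, words: int) -> float:
    """Entropy of `words` words drawn independently from a `vocab_size`-word list; the
    security comes from the list size and word count, not from the letters in the words."""
    return words * math.log2(vocab_size)


def worst_case_seconds(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second (the average hit takes half)."""
    return space / rate


def length_vs_complexity_ratio() -> float:
    """26 lowercase letters at length 20 versus 95 printable characters at length 8.
    Exact arithmetic gives 26**20 close to 2.0e28 against 95**8 close to 6.6e15, a ratio
    near 3e12, i.e. roughly 41 more bits of entropy from the extra length alone."""
    return search_space(26, 20) / search_space(95, 8)


if __name__ == "__main__":
    for alphabet, length in ((26, 8), (95, 8), (26, 20)):
        space = search_space(alphabet, length)
        print(f"{alphabet:>2} symbols x {length:>2} chars: {space:.3e} candidates, "
              f"{entropy_bits(alphabet, length):5.1f} bits, "
              f"{worst_case_seconds(space) / 86400:.3g} days to exhaust")
    for words in (4, 5):
        print(f"{words} words from a 2000-word list: {passphrase_bits(2000, words):.1f} bits")
    print(f"length/complexity ratio: {length_vs_complexity_ratio():.2e}")
```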


The Case for Password Managers

The Fundamental Tension

The security guidance is clear: use unique, long, random passwords for every account. The practical reality is also clear: the average person manages 70 to 100 accounts, and no human being can memorize 70 unique 20-character random strings. This gap between what security requires and what human memory can reasonably deliver is the root cause of password reuse.

Password managers resolve this tension. They generate, store, and fill strong unique passwords for every account, requiring users to remember only a single master password. The security model relies on the master password being strong (which is achievable for one memorable password) and the password manager's encryption being sound.

How Password Manager Security Works

Reputable password managers encrypt the user's vault on the device before transmitting anything to their servers, using a key derived from the master password. The server receives and stores only encrypted data — the password manager company cannot see your passwords even if it wanted to, and a breach of its servers exposes only encrypted data.

In 2022, LastPass suffered a significant breach in which attackers obtained encrypted password vault data. The incident was serious and LastPass's handling of the disclosure was criticized, but the encrypted vaults remain protected as long as users have strong master passwords. Competing services like Bitwarden (open source and audited), 1Password, and Dashlane have strong security records.

The key practical recommendation from security researchers including Brian Krebs is consistent: a password manager with a strong master password and MFA enabled on the password manager account is substantially safer than any password reuse strategy, regardless of how clever the reuse pattern.

Bitwarden and Open Source Verification

Bitwarden occupies a distinctive position in the password manager landscape: it is fully open source, meaning its code can be independently inspected. It has undergone independent security audits (most recently by Cure53 in 2022) and supports self-hosting for users who want complete control. For organizations and security-conscious individuals who want verified security properties rather than marketing claims, open source options offer a meaningful advantage.


Practical Takeaways

The most impactful changes most users can make: use a password manager to generate and store unique passwords for every account; enable multi-factor authentication on every account that offers it, prioritizing email, banking, and accounts used for other logins; and use a strong, memorable passphrase as the master password for the password manager itself.

For organizations storing passwords: there is no acceptable reason to use MD5 or SHA-1 for passwords in 2025. Use bcrypt, scrypt, or Argon2 with appropriate cost factors, always with unique per-user salts. Check whether the organization's password policy aligns with current NIST guidance — particularly eliminating forced expiration without cause and removing arbitrary complexity requirements that push users toward predictable patterns.


References

  1. Hunt, T. (2023). Have I Been Pwned: Pwned Passwords. haveibeenpwned.com.
  2. NIST. (2017). Special Publication 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management. National Institute of Standards and Technology.
  3. Goodin, D. (2016). "How the explosive 2012 LinkedIn breach directly led to Hillary Clinton email hack." Ars Technica, May 18.
  4. NordPass. (2024). Top 200 Most Common Passwords 2024. NordPass research.
  5. Akamai Technologies. (2022). State of the Internet: Phishing for Finance. Akamai.
  6. Provos, N., & Mazières, D. (1999). "A future-adaptable password scheme." USENIX Annual Technical Conference Proceedings.
  7. Munroe, R. (2011). "Password Strength." xkcd, comic #936. xkcd.com/936/.
  8. Krebs, B. (2022). "LastPass: Hackers stole customer vault data after recent breach." KrebsOnSecurity, December 23.
  9. Cure53. (2022). Bitwarden Security Audit Report. Cure53 GmbH.
  10. Florencio, D., & Herley, C. (2007). "A large-scale study of web password habits." Proceedings of the 16th International World Wide Web Conference.
  11. Ur, B., et al. (2015). "Measuring real-world accuracies and biases in modeling password guessability." USENIX Security Symposium.
  12. Grassi, P. A., et al. (2017). Digital Identity Guidelines. NIST SP 800-63.

Frequently Asked Questions

What is credential stuffing and why is it so effective?

Credential stuffing is the automated testing of username/password pairs stolen from one breach against hundreds of other services. It is effective because 44-65% of users reuse passwords across accounts — meaning a breach at a small forum can lead directly to account takeovers at their bank or email provider. Attackers use billions of credentials from known breaches and test them in automated campaigns at massive scale.

What are rainbow tables and how does salting defeat them?

A rainbow table is a precomputed lookup table mapping known password hashes to their original plaintext. Salting defeats rainbow tables by adding a unique random string to each password before hashing — meaning two users with identical passwords have different hashes, making any precomputed table useless. The attacker must then compute hashes individually, which becomes computationally prohibitive with modern slow hash algorithms.

Why does password length matter more than complexity?

Length increases the search space exponentially while complexity increases it only linearly. A 20-character lowercase-only password has roughly 3 billion times more combinations than an 8-character all-character password. NIST's 2017 guidelines explicitly shifted emphasis to length over complexity requirements, and recommend passphrases and breach-database checking over mandatory special characters.

Are password managers safe to use?

Password managers are dramatically safer than password reuse. They encrypt your vault with a master password that the vendor cannot see — a breach of their servers exposes only encrypted data. The risk of using a well-audited password manager (Bitwarden, 1Password) is almost always lower than the risk of reusing passwords or choosing weak passwords without one.

What is a dictionary attack in password cracking?

A dictionary attack tests passwords from wordlists of common words, phrases, and known breach data, then applies transformation rules (capitalize, add numbers, substitute symbols) automatically. 'P@ssw0rd' is as predictable to modern cracking tools as 'Password' — the substitution rules are all built in. Truly random passwords are the effective defense.