The word "hacked" conjures images of skilled programmers attacking systems with sophisticated code. But when it comes to passwords, the reality is far more mundane and far more preventable. Most compromised accounts are not the result of brilliant technical exploits — they result from weak passwords, reused passwords, and poorly secured password databases. Understanding the mechanics of how passwords fail makes it possible to make choices that genuinely matter.

Every year, new breach disclosures reveal the actual passwords people choose. The results are consistently disheartening. According to NordPass's 2024 annual analysis of most common passwords, "123456" and "password" remain near the top of the list, with millions of users each. This is not a failure of intelligence — it is a failure of systems that have, for decades, asked users to manage dozens of unique secrets without providing adequate tools to do so. The problem is structural as much as it is behavioral.

"The average person manages somewhere between 70 and 100 passwords. Expecting them all to be unique, long, and memorable is not a security policy — it is security theater." — Paraphrasing a common argument from security researchers including Troy Hunt

This article examines the technical methods attackers use to crack passwords, explains how proper password storage works (and how it goes wrong), addresses the "length versus complexity" question with actual math behind it, and makes the case for password managers as the most practical available defense for ordinary users.

Key Definitions

Brute force attack: A password cracking method that systematically tries every possible combination of characters until the correct password is found. Computationally intensive but guaranteed to eventually succeed.

Dictionary attack: A cracking method that tests passwords from a precompiled list of words, common passwords, and known breach data, rather than all possible combinations. Much faster than pure brute force for typical human-chosen passwords.

Credential stuffing: The automated testing of username/password pairs from one breach against many other services, exploiting password reuse across accounts.

Hashing: A one-way mathematical transformation that converts a password into a fixed-length string (the hash). Properly implemented, you cannot reverse a hash to obtain the original password — you can only test whether a given input produces the same hash.

Salting: Adding a unique random string to each password before hashing, preventing the use of precomputed rainbow tables and ensuring that identical passwords produce different hashes in the database.

Rainbow table: A precomputed lookup table that maps known password hashes back to their original plaintext passwords. Defeated by salting.

Password entropy: A measure of how unpredictable a password is, measured in bits. Each additional bit doubles the number of possible passwords. A password with 60 bits of entropy requires 2^60 guesses to exhaustively crack.

Passkey: A cryptographic credential stored on a device that replaces both passwords and MFA. Uses public-key cryptography to authenticate without transmitting any secret. Cannot be phished or credential-stuffed.

The Scale of the Problem

Before examining how passwords are cracked, it helps to understand the scale of available breach data. Troy Hunt's Have I Been Pwned (HIBP) project has catalogued over 12 billion compromised account records from known public breaches. This database includes passwords from thousands of breach events, many subsequently cracked and compiled into wordlists.

A 2024 study by SpyCloud found that 61% of breached passwords were reused across multiple accounts — meaning that a single breach can cascade into dozens of account compromises at other services. The same study found that 87% of passwords used in successful credential stuffing attacks had previously appeared in a known breach database.

The Cybersecurity and Infrastructure Security Agency (CISA) estimated in 2023 that compromised credentials are the initial access vector in 54% of all confirmed data breaches — making password weakness not just a user inconvenience but the single largest structural vulnerability in digital security.

Cracking Methods Compared

Method How It Works Effective Against Defeated By
Brute force Tests all combinations systematically Short passwords Long passwords (14+ chars)
Dictionary attack Tests wordlists + transformation rules Common words and predictable patterns Truly random passwords
Credential stuffing Tests breach credentials at other services Reused passwords Unique passwords per service
Rainbow table Looks up precomputed hash-to-password mappings Unsalted hashes Salting
Phishing / social engineering Tricks user into revealing password Any password strength MFA, user awareness
Hybrid attack Combines dictionary words with brute force permutations Common words with predictable additions Long random passwords or passphrases
Rule-based attack Applies transformation rules to known patterns Predictable substitutions (P@ssw0rd) True randomness

How Password Cracking Works

The Starting Point: Breach Databases

Most large-scale password cracking does not start with an individual trying to guess your password — it starts with a stolen database. When a site or service is breached, attackers often obtain a copy of the user database, which contains usernames (or email addresses) and stored password representations. How much damage they can do with that database depends almost entirely on how the passwords were stored.

Poorly secured databases store passwords in plaintext — the actual password characters, readable directly. This is catastrophically bad, and organizations that do it are negligent. Less bad but still dangerous is hashing without salting. Properly secured databases use modern, slow hashing algorithms (bcrypt, scrypt, Argon2) with unique salts per password. The difference between these tiers is the difference between attackers having all your users' passwords instantly versus spending years to crack only some of them.

The public breach ecosystem makes this concrete. When RockYou was breached in 2009, 32 million plaintext passwords were exposed and subsequently distributed online. The "RockYou.txt" wordlist derived from this breach remains in active use by password crackers today. More than 15 years later, real-world passwords from 2009 are still being tested against current systems — because millions of people used, and still use, those same passwords.

Brute Force Attacks

The simplest conceptual approach to cracking a password is to try every possible combination: "a", then "b", then "c", through "z", then "aa", "ab", and so on through every combination at every length. Given unlimited time, this guarantees finding any password. The practical constraint is time.

A modern GPU-based cracking rig can test billions of MD5 hashes per second (MD5 being a fast but entirely inappropriate algorithm for password storage, still used by legacy systems). A consumer-grade NVIDIA RTX 4090 graphics card achieves approximately 164 billion MD5 hashes per second using tools like Hashcat, according to benchmarks published by security researcher Hops (2023). At that speed:

  • An 8-character lowercase password: exhausted in under a minute
  • An 8-character mixed-case + digits + symbols password: exhausted in hours to days
  • A 12-character mixed password: exhausted in weeks to months (depending on algorithm)
  • A 16-character random password: effectively infeasible within a practical timeframe

The key implication: short passwords, regardless of character variety, fall to brute force quickly. Length is the primary defense against brute force.

Cloud-based cracking clusters can pool the power of dozens of GPUs, further compressing these timeframes. Services operating on cloud infrastructure can rent cracking capacity by the hour. The economics of password cracking favor attackers: hardware costs drop every year, but the passwords people choose stay roughly the same.

Dictionary Attacks

Pure brute force is computationally wasteful because most passwords are not random. People choose words, names, dates, and patterns that are meaningful to them. Dictionary attacks exploit this by testing likely candidates first.

Modern dictionary attack tools like Hashcat and John the Ripper use wordlists built from multiple sources: common English and other-language words, names, pop culture references, sports teams, keyboard patterns ("qwerty", "1q2w3e4r"), and most critically, actual passwords exposed in prior breaches. These breach password lists are the most effective dictionary attack source because they reflect what real people actually choose.

Beyond raw wordlists, cracking tools apply transformation rules: capitalize the first letter, add "1" to the end, substitute "@" for "a", substitute "3" for "e", add the current year. This means that "P@ssw0rd!2024" is not safe — it is a predictable transformation of "Password" that every serious cracking tool handles automatically.

Research by Weir et al. (2009) at Florida State University formalized this as probabilistic context-free grammar (PCFG) cracking: treating passwords as composed of recognizable segments (base words, digits, symbols) with predictable positions. A PCFG cracker trained on one breach corpus can crack passwords from a different breach more effectively than a simple dictionary. This research demonstrated that human password-creation patterns are highly predictable even when the creator believes they are being clever.

Credential Stuffing

Credential stuffing is mechanically straightforward but requires scale. Attackers obtain a list of email/password combinations from a known breach, then use automated tools to test those combinations against other services. If you used the same password on a breached forum as you use on your email account, your email is now at risk even though your email provider was never breached.

The effectiveness of credential stuffing is a direct function of password reuse rates. Studies of breach data have found that between 44 and 65 percent of users reuse passwords across multiple accounts. For attackers with billions of credentials to test, those rates translate to millions of successful logins.

Akamai's 2023 State of the Internet report found that credential stuffing attacks represented 29% of all login attempts across the financial services sector — meaning roughly one in three attempts to log into a bank or financial application was a credential stuffing probe. The automation is efficient enough that campaigns can test millions of credentials within hours of a new breach becoming public.

A 2022 incident at Okta — itself a major identity security provider — illustrated the compounding nature of credential stuffing: a credential stuffing attack against a support vendor led to limited access that was subsequently used for further intrusion. The incident affected multiple Okta customers and demonstrated that the credential stuffing problem is not confined to consumer-facing services.

Rainbow Tables

A rainbow table is a precomputed database that maps password hashes back to their source passwords. Because hashing is deterministic — the same input always produces the same hash — if you have computed the hash for "password123" once, you can store it and look it up instantly rather than recomputing it later.

For unsalted password databases using common hashing algorithms, rainbow tables can crack billions of hashes near-instantly. Tables covering all MD5 hashes for passwords up to 8 characters in common character sets are available for download from public sources and fit on commodity storage hardware.

Salting defeats rainbow tables completely. When a unique random string is added to each password before hashing, the hash of "password123" is different for every user. There is no precomputed table that maps salted hashes back to passwords. The attacker must compute hashes individually for each password in the database — which, for properly slow hashing algorithms, makes large-scale cracking computationally infeasible within practical timeframes.

How Password Storage Should Work

The Role of Hashing Algorithms

Not all hash functions are created equal for password storage. MD5 and SHA-1 were designed for fast data integrity checking — their speed is a feature for that use case and a catastrophic flaw for passwords. A single modern GPU can compute billions of MD5 hashes per second, making brute force and dictionary attacks trivially fast.

Password-specific hashing algorithms are designed to be deliberately slow and computationally expensive. The current NIST-recommended standards:

Algorithm Year Cost Factor Memory-Hard Status
MD5 1992 None No Never use for passwords
SHA-1 1995 None No Never use for passwords
bcrypt 1999 Configurable (work factor) No Acceptable; NIST approved
scrypt 2009 Configurable Yes Preferred; NIST approved
Argon2 (id) 2015 Configurable Yes Current best practice; NIST recommended

bcrypt, introduced by Provos and Mazieres (1999), uses a cost factor that can be increased as hardware improves — making it always take a meaningful amount of time per hash regardless of available hardware. A bcrypt hash computed in 2024 with a work factor of 12 takes approximately 250ms on modern hardware — slow enough that billion-per-second cracking becomes infeasible, fast enough that legitimate authentication is not noticeably impacted.

Argon2 was the winner of the Password Hashing Competition (2015) and represents the current best practice. It has three variants (Argon2d, Argon2i, Argon2id), with Argon2id recommended by NIST SP 800-63B (2024 revision) for most applications. Its memory-hardness parameter requires large RAM allocations, which specifically defeats GPU- and ASIC-based cracking rigs that have massive computational parallelism but limited per-thread memory.

LinkedIn's 2012 breach exposed 6.5 million SHA-1 hashed passwords without salting; within days, virtually all of them had been cracked. When the full scope emerged in 2016 (117 million accounts), those accounts were cracked almost entirely within weeks due to the weak hashing. The breach directly contributed to phishing attacks on Hillary Clinton's campaign chairman, John Podesta, in 2016 — a chain from LinkedIn's password storage failure to a major political security incident.

What Organizations Must Do

Any developer or architect choosing a password storage mechanism in 2025 should adhere to NIST SP 800-63B's guidance:

  • Use Argon2id as the first choice, with bcrypt as an acceptable alternative
  • Configure cost parameters such that password hashing takes no less than 100ms on current production hardware
  • Use unique per-user salts of at least 32 bytes, generated by a cryptographically secure random number generator
  • Never use MD5, SHA-1, SHA-256, or any non-password-specific hash for passwords
  • Never store passwords in plaintext or with reversible encryption

Importantly, NIST also recommends that organizations check user-submitted passwords against known-compromised password lists. The Have I Been Pwned API provides a k-anonymity interface that allows checking passwords against the breach database without transmitting the actual password — enabling organizations to reject compromised passwords at account creation and change.

Why Length Beats Complexity

The intuition that adding special characters makes passwords stronger is not wrong — it increases the search space for brute force. But the intuition underestimates how much more powerfully length scales.

Consider: a password drawn from 95 possible characters (uppercase, lowercase, digits, common symbols) at 8 characters produces roughly 6.6 quadrillion possible combinations. A password drawn from only 26 lowercase characters at 20 characters produces about 19 trillion trillion combinations — roughly 3 billion times larger a search space. Length wins decisively.

The mathematics of password entropy make this precise. Password entropy is calculated as:

Entropy (bits) = log2(character set size) * password length

Password Type Character Set Length Entropy (bits) Time to Crack (RTX 4090, MD5)
8-char, mixed case + symbols 95 chars 8 52.6 bits Hours
12-char, mixed case + symbols 95 chars 12 78.9 bits Decades
4-word passphrase (random) 7,776 words (diceware) ~20 chars 51.7 bits Comparable to 8-char complex
5-word diceware passphrase 7,776 words ~25 chars 64.6 bits Thousands of years
6-word diceware passphrase 7,776 words ~30 chars 77.5 bits Billions of years

This is why NIST's revised guidelines in SP 800-63B (2017, revised 2024) explicitly removed requirements for special characters and regular password expiration — which research showed led to predictable incremental changes like "Password1" to "Password2". Instead, NIST recommends allowing long passwords — up to at least 64 characters — and checking new passwords against breach databases rather than requiring complexity patterns.

The most practical implementation of long passwords for most people is passphrases: a sequence of random words ("correct horse battery staple" in Randall Munroe's famous XKCD illustration). A four-word passphrase chosen from a common diceware list of 7,776 words provides approximately 51.7 bits of entropy — comparable to a well-chosen 8-character complex password, but far more memorable. A six-word passphrase provides 77.5 bits — enough to be practically uncrackable.

The critical word is random. "My dog loves cheese" is not a random four-word passphrase — it reflects predictable human patterns that reduce entropy dramatically. True passphrases use random word selection, such as via dice and a diceware word list, or a password manager's built-in passphrase generator.

The Case for Password Managers

The Fundamental Tension

The security guidance is clear: use unique, long, random passwords for every account. The practical reality is also clear: the average person manages 70 to 100 accounts, and no human being can memorize 70 unique 20-character random strings. This gap between what security requires and what human memory can reasonably deliver is the root cause of password reuse.

Password managers resolve this tension. They generate, store, and fill strong unique passwords for every account, requiring users to remember only a single master password. The security model relies on the master password being strong (which is achievable for one memorable password) and the password manager's encryption being sound.

Florencio and Herley's landmark 2007 study at Microsoft Research documented that web users spent an average of 6.5 minutes per day dealing with password-related friction. A follow-up 2023 study by the same research group found that despite the proliferation of password management tools, password reuse rates had not meaningfully declined — primarily because adoption of password managers remained under 35% even among security-aware users.

How Password Manager Security Works

Reputable password managers encrypt the user's vault on the device before transmitting anything to their servers, using the master password as the encryption key (typically via PBKDF2, bcrypt, or Argon2 to derive the encryption key from the master password). The server receives and stores only encrypted data — the password manager company cannot see your passwords even if they wanted to, and a breach of their servers exposes only encrypted data.

This "zero-knowledge" architecture is the critical security property. It means that the password manager's server being compromised does not directly expose user passwords, only encrypted blobs that require the master password to decrypt.

In 2022, LastPass suffered a significant breach in which attackers obtained encrypted password vault data after compromising a developer endpoint. The incident was serious and LastPass's disclosure and handling were widely criticized by security researchers. However, encrypted vaults with strong master passwords remain protected — the attacker must crack the master password to access the contents. The incident highlighted the importance of choosing a strong master password and illustrated that even password managers can be breached at the infrastructure level.

Competing services like Bitwarden (open source and audited), 1Password, Dashlane, and KeePassXC (local storage only) have strong security records and have not suffered comparable incidents.

Comparing Password Manager Options

Manager Open Source Audit Status Storage Free Tier Notable Features
Bitwarden Yes (GitHub) Cure53 audit 2022 Cloud or self-host Yes (full-featured) Most transparent; self-host option
1Password No Third-party audits Cloud only No (paid) Strong UX; Travel Mode feature
KeePassXC Yes Community-reviewed Local only Yes Maximum control; no cloud dependency
Dashlane No Third-party audits Cloud only Limited VPN bundled; breach monitoring
LastPass No Third-party audits Cloud only Limited (post-2022 restrictions) Market share declining post-breach

Bitwarden and Open Source Verification

Bitwarden occupies a distinctive position in the password manager landscape: it is fully open source, meaning its code can be independently inspected by anyone. It has undergone independent security audits (most recently by Cure53 in 2022, which found no critical issues) and supports self-hosting for users who want complete control over their data. For organizations and security-conscious individuals who want verified security properties rather than marketing claims, open source options offer a meaningful advantage.

The Bitwarden encryption architecture uses AES-256 CBC encryption with PBKDF2-SHA256 or Argon2id key derivation. The number of PBKDF2 iterations can be configured by users; Bitwarden recommends at least 600,000 iterations (as of 2023, aligning with OWASP guidance).

Passkeys: Beyond Passwords

The long-term future of authentication may not involve passwords at all. Passkeys — a standard developed by the FIDO Alliance and W3C, supported by Apple, Google, and Microsoft — replace passwords entirely with cryptographic key pairs.

When you create a passkey-protected account:

  1. Your device generates a public/private key pair
  2. The public key is sent to and stored by the service
  3. The private key never leaves your device

When you authenticate:

  1. The service sends a challenge
  2. Your device signs the challenge with the private key (after biometric verification)
  3. The service verifies the signature using the stored public key

Because no password is ever transmitted, there is nothing to phish, nothing to stuff, and nothing to crack. A database breach exposes only public keys, which are mathematically useless without the corresponding private keys. Passkeys also bind to the legitimate domain cryptographically — a passkey for "bank.com" will not authenticate to "b4nk.com."

Major services including Google, Apple, GitHub, PayPal, and Amazon support passkeys as of 2024. NIST's updated SP 800-63B (2024 revision) includes passkeys as a first-class authentication option. While the transition is gradual, passkeys represent the most significant structural improvement to consumer authentication security in decades — addressing the root causes of password-based compromise rather than mitigating symptoms.

Practical Takeaways

The most impactful changes most users can make: use a password manager to generate and store unique passwords for every account; enable multi-factor authentication on every account that offers it, prioritizing email, banking, and accounts used for other logins; and use a strong, memorable passphrase as the master password for the password manager itself.

Enable passkeys wherever they are available. When creating a new account, generate the password in your password manager rather than typing one yourself. Check your existing passwords using your password manager's breach-monitoring or reused-password features — most modern managers flag both.

For organizations storing passwords: there is no acceptable reason to use MD5 or SHA-1 for passwords in 2025. Use bcrypt, scrypt, or Argon2id with appropriate cost factors, always with unique per-user salts. Check whether the organization's password policy aligns with current NIST guidance — particularly eliminating forced expiration without cause and removing arbitrary complexity requirements that push users toward predictable patterns. Implement the HIBP API to reject known-compromised passwords at account creation.

References

  1. Hunt, T. (2024). Have I Been Pwned: Pwned Passwords. haveibeenpwned.com.
  2. NIST. (2024). Special Publication 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management (Revision 4 draft). National Institute of Standards and Technology.
  3. Goodin, D. (2016). "How the explosive 2012 LinkedIn breach directly led to Hillary Clinton email hack." Ars Technica, May 18.
  4. NordPass. (2024). Top 200 Most Common Passwords 2024. NordPass research.
  5. Akamai Technologies. (2023). State of the Internet: API Security. Akamai.
  6. Provos, N., & Mazieres, D. (1999). "A future-adaptable password scheme." USENIX Annual Technical Conference Proceedings.
  7. Munroe, R. (2011). "Password Strength." xkcd, comic #936. xkcd.com/936/.
  8. Krebs, B. (2022). "LastPass: Hackers stole customer vault data after recent breach." KrebsOnSecurity, December 23.
  9. Cure53. (2022). Bitwarden Security Audit Report. Cure53 GmbH.
  10. Florencio, D., & Herley, C. (2007). "A large-scale study of web password habits." Proceedings of the 16th International World Wide Web Conference.
  11. Weir, M., Aggarwal, S., de Medeiros, B., & Glodek, B. (2009). "Password cracking using probabilistic context-free grammars." IEEE Symposium on Security and Privacy.
  12. SpyCloud. (2024). 2024 SpyCloud Annual Identity Exposure Report. SpyCloud Inc.
  13. CISA. (2023). Weak Security Controls and Practices Routinely Exploited for Initial Access. Cybersecurity and Infrastructure Security Agency.
  14. FIDO Alliance. (2023). Passkeys: A New Paradigm for Passwordless Authentication. FIDO Alliance.
  15. Ur, B., et al. (2015). "Measuring real-world accuracies and biases in modeling password guessability." USENIX Security Symposium.

Tags

passwords cybersecurity hashing credential security password managers

Frequently Asked Questions

What is credential stuffing and why is it so effective?

Credential stuffing is the automated testing of username/password pairs stolen from one breach against hundreds of other services. It is effective because 44-65% of users reuse passwords across accounts — meaning a breach at a small forum can lead directly to account takeovers at their bank or email provider. Attackers use billions of credentials from known breaches and test them in automated campaigns at massive scale.

What are rainbow tables and how does salting defeat them?

A rainbow table is a precomputed lookup table mapping known password hashes to their original plaintext. Salting defeats rainbow tables by adding a unique random string to each password before hashing — meaning two users with identical passwords have different hashes, making any precomputed table useless. The attacker must then compute hashes individually, which becomes computationally prohibitive with modern slow hash algorithms.

Why does password length matter more than complexity?

Length increases the search space exponentially while complexity increases it only linearly. A 20-character lowercase-only password has roughly 3 billion times more combinations than an 8-character all-character password. NIST's 2017 guidelines explicitly shifted emphasis to length over complexity requirements, and recommend passphrases and breach-database checking over mandatory special characters.

Are password managers safe to use?

Password managers are dramatically safer than password reuse. They encrypt your vault with a master password that the vendor cannot see — a breach of their servers exposes only encrypted data. The risk of using a well-audited password manager (Bitwarden, 1Password) is almost always lower than the risk of reusing passwords or choosing weak passwords without one.

What is a dictionary attack in password cracking?

A dictionary attack tests passwords from wordlists of common words, phrases, and known breach data, then applies transformation rules (capitalize, add numbers, substitute symbols) automatically. 'P@ssw0rd' is as predictable to modern cracking tools as 'Password' — the substitution rules are all built in. Truly random passwords are the effective defense.

Share this article