3 August 2021

How hackers really crack your password

Passwords are like apples in a fictional garden: perfectly ripe and there for the taking if you know how. Websites have many different ways to store passwords, such as hashing, salting, tokens and two-factor authentication. To be clear, passwords aren’t stored as words but as a set of encrypted characters called a hash, as shown in figure 1.

Figure 1: password encryption (screenshot from the YouTube video)

The result of a hash

If a hacker wants to access your account, your password itself isn’t really needed. The hacker just needs to find a method that reverses that hash, or at least matches it. For this reason, hacker communities created lookup tables and rainbow tables: data files of common passwords that have been pre-hashed. If you hash the password “Password123” with the hashing method MD5, the result is shown in figure 2.

Figure 2: password encryption with MD5 (screenshot from the YouTube video)

The speed of cracking passwords

If a hacker did this beforehand and has millions of pre-hashed passwords, they can just compare them and get access to your account. Hackers can do this comparison really fast. In a test for Ars Technica, a computer could try 350,000,000,000 combinations per second. As in, 350 billion password guesses every second. Think about how common your password is now.

Salt

But companies have a weapon against rainbow tables, and it’s called salt. Basically, a random chunk of data is tossed in with the password before it is hashed. If the stored hashes are salted, rainbow tables are useless, because they’re never going to find a match. Computers aren’t great at problem-solving, so even this little change can trip up automated hacking programs.

The consequence of salt

Without rainbow tables, hacking takes longer. Hackers have to find out how the salt was added: for example, at the beginning of each password, or after the 15th character. Is it different for every user? Then they have to figure out what the salt characters are. One hashing scheme, bcrypt, puts a dollar sign at the beginning of every hash. But usually salted passwords are enough to stop a lot of hackers, because it’s faster to change tactics and use dictionary attacks or brute force attacks.

Dictionary and brute force attacks

Dictionary attacks use word lists of common passwords like “Password123” and just try them: each candidate is salted and hashed on the fly and compared to the hashes in the database, at the speed of light. Brute force attacks are even crazier. They start with, for example, aaaa, salt and hash it in various ways and compare those to the database, then try aaab, aaac, and so on. They simply walk through every possible combination, which takes forever. But when it comes to short, simple text, computers are very fast. A hacker doing a test for Ars Technica cracked over 10,000 passwords in 16 minutes, just by trying combinations at random within the password specifications, such as fewer than eight characters using uppercase or lowercase letters.
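As an added example (not code from this post or from the video it summarises), the difference between a pre-hashed lookup table and a per-user salt, in Python: the five-entry wordlist is constructed, the salt is simply prepended to the password (the “at the beginning of each password” layout mentioned above), and MD5 is used only because that is the hash the post discusses.

```python
import hashlib
import os

# Constructed stand-in for a leaked "common passwords" wordlist.
COMMON_PASSWORDS = ["123456", "Password123", "qwerty", "letmein", "dragon"]


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a string, as in the post's Password123 example."""
    return hashlib.md5(data.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Pre-hash every common password once: a lookup table of hash -> plaintext."""
    return {md5_hex(pw): pw for pw in wordlist}


def lookup_unsalted(stored_hash, table):
    """Against an unsalted hash, a single dictionary lookup is all it takes."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: str) -> str:
    """Salt prepended to the password before hashing (one common layout)."""
    return md5_hex(salt + password)


def dictionary_attack_salted(stored_hash, salt, wordlist):
    """With a salt, the table is useless: every candidate must be re-hashed
    with this user's salt, so the work is repeated per user instead of once."""
    for pw in wordlist:
        if salted_hash(pw, salt) == stored_hash:
            return pw
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = md5_hex("Password123")
    print("unsalted hash, table lookup:", lookup_unsalted(unsalted, table))
    salt = os.urandom(8).hex()          # random per-user salt
    salted = salted_hash("Password123", salt)
    print("salted hash, same table:    ", lookup_unsalted(salted, table))
    print("salted hash, re-hash per salt:", dictionary_attack_salted(salted, salt, COMMON_PASSWORDS))
```

A weak password still falls to the per-salt dictionary pass; the salt only removes the precomputation shortcut, which is why the post goes on to recommend long passphrases.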

Wi-Fi network

Hackers are in a constant race against time, not necessarily because the feds are right over their shoulder, but because once a company, agency or person realizes they’ve been hacked, they usually adjust their security: they go public or they change their password. This is why hackers just hack you as a person. If you are on an open Wi-Fi network without a password, you’re basically shouting your passwords for anyone listening to hear. Some hackers will set up fake free Wi-Fi points to collect common passwords and email addresses, and others use spam.

Options for hacking

If you click on a Word document or a link in an email, it can execute code on your computer called malware, which copies everything you type, including passwords and credit card numbers, and sends the data directly to the hacker. Others pose as Facebook security, as a representative of your bank, or as the IT department. Some will even call you on the phone. Therefore, never give anyone your password. If they really are the company, they already have it.

How to set up a password

But as a hacker, why spend all that time hacking into a server if you can just trick someone into telling you their password? Moral of the story: use long, complicated passwords and never use the same one twice. Long passwords are harder for dictionary and wordlist-based attacks to crack quickly. It’s actually less important to use passwords with letters or numbers; instead, use a long set of words like correcthorsebatterystaple, or song lyrics. Easy to remember, but so long it could take hacking programs years of computing time to guess them. (More information on choosing a password.)

Remember the old joke

It’s sort of like that old joke about running from a bear. You don’t have to be the fastest. You just don’t want to be the slowest.