Online password guessing
If hackers haven't managed to steal your password then one way they can still break into your web accounts is to simply try guessing it. Guessing passwords at random though is slow. Very slow.
It's limited not just by the speed of the website and the internet connection but also by any defences that the site might use, such as blocking an account after several failed logins, or the use of "Captchas" (such as images of letters in an obscure pattern that need to be typed in).
Yet despite this online password attacks are still commonplace - many users have poor password habits that make it worthwhile still for attackers to have a go at guessing them, whether the attacker is targetting a specific user or just simply looking for any user account they can access.
Attackers can use different strategies to increase their chances of success, with two of the most common being described below.
Some passwords seem to be far more popular than others, with the most common ones (such as "123456" and "qwerty") being used by millions of people. Attackers can exploit this fact with a password spraying attack.
The concept is simple: instead of trying thousands of different passwords against a single account, attackers will take the opposite approach and try a single password (such as "Password1" or "Qwerty") against tens of thousands of different usernames (often leaked by another website hack), until a match is found. They may repeat this a few times using other popular passwords.
The advantage to the attacker of this method is that each user account (where the usernames tried are valid) will only have a few failed logon attempts against it, thus avoiding many common security defences such as account lockouts.
One other popular form of online password guessing is known as "credential stuffing". In this method attackers take a list of usernames and known passwords stolen from a different website and try them all on the website that they're targetting, in the hope of finding a match.
Because many people often re-use their passwords across multiple websites, then it is likely that at least some of the username & password combinations will work on the website being targetted.
This is an excellent reason why we should all never re-use passwords on different websites - see our tips of how to make our passwords unique.
Offline password attacks
When the media report that passwords have been stolen from a website it's easy to think that the hackers got your actual password. And sometimes - sadly - this is true.
How websites store passwords
More often than not though what hackers actually get is a scrambled form of your password, known as a "password hash". These are a sequence of random looking numbers and letters that uniquely represent your password - for example 33c17d3eeaf581e7d4749173b1680e51 is the hash of the password Passw@rd1.
You can't use a password hash itself to login with, however - through some clever mathematics - hashes enable websites to know when a user has entered the correct password. For details on what hashing is and an introduction to how it works see our guide here.
When a hacker has a list of these hashes (eg stolen from a website that they or someone else has successfully hacked) they will often try to reverse engineer them to work out what the original passwords are. And once the attacker has the original passwords, along with the username, they can then use these to try logging in to other websites with, for example by using a Credential Stuffing attack as mentioned above.
So how exactly are hashes broken?
The process by which a password is turned into a hash in the first place has 2 key characteristics:
- It's repeatable - any given password, put through the same hashing process, will always result in the same output every time.
- It's one way - just as scrambled eggs can’t be unscrambled, the hashing process can't be reversed to find the original password from a hash;
But even though hashing can't be reversed, because it's repeatable then hackers can simply hash every possible password until a match is found. This is known as "brute forcing". This can be phenomenally fast - in some cases billions of passwords can be tried each second.
Computers are able to try billions of different guesses per second to find a matching hash. It’s because of this sheer speed that you need a strong password!
With over 200,000 words in the English dictionary (let alone any other languages), and with letter substitutions, capital letters, and symbols often thrown into the mix too, there's a lot of guesses that a hacker needs to try which can take time - even despite the sheer speed that computers can do this at. And this is even before we consider any precautions that a website has (hopefully) taken to strengthen the hash such as 'salting' it.
For this reason hackers will approach the reverse engineering of hashes systematically to speed it up.
1. Looking passwords up in a hash table
Because the hashing algorithms used by websites are well known (some of the common weaker ones are called MD5, SHA-1, and SHA-256) then criminals have been able to pre-calculate billions of hashes over the last few years. These lists can freely be downloaded from the internet, enabling a quick lookup of a hash back into your original password.
If a website hasn't made any attempt to protect against this type of attack (for example by adding "salt" - see our next page), then your password really needs to be longer than 12 characters to stand any chance of not being in these lists.
2. Common passwords
Hackers will also try creating hashes of some of the more commonly used passwords, hoping to find a matching "hash" value to the one they've stolen. Over the last few years several major website breaches have revealed what the most commonly used passwords are, with some of the most popular being:
If your password is in this list then change it now! Even seemingly random passwords (such as monkey) aren't always as original as you might think.
And did you notice some common themes in that list too? Sequential numbers & letters (123456, abc123) are very common, as are keyboard patterns such as qwerty and azerty. And there's many more keyboard patterns in the top 100 passwords as well.
3. Dictionary-based attacks
If a hacker hasn’t had any luck with the most common passwords then they’ll next try running through entire dictionaries, starting with common categories of words such as:
- Sports & sports teams;
- Names - eg celebrities, family or friends, pets, or TV/film characters;
- Places - eg countries, cities, or landmarks;
Hackers will also try substituting letters, such as a ! for an i, or @ for an a. And have you ever added numbers to the end of your password, or an exclamation mark? Yep, they’ll try these methods too!
Other methods will include combining dictionary words together, sometimes with common word pairs already in the list like ihate, mycar, or allineed.
Getting this far will take hackers no more than a few minutes - it's scarily fast!
See how easily passwords which have some element of a dictionary word in them can be cracked in this great article from Ars Technica.
4. Pure guessing
The final method that hackers fall back to - if all else fails - is a true brute force method, trying all possible letter, number & symbol combinations. Passwords that aren't at least 8 characters long will now be broken within a matter of seconds.
This is why security experts urge everyone to choose long & complex passwords:
- There are 208 billion possible 8-letter passwords made of lower case letters (from aaaaaaaa to zzzzzzzz). A computer trying 40 billion guesses a second can crunch through these in 5 seconds.
- Adding just 2 extra letters, and using upper case letters too, gives 692,224 times as many combinations. This will take a month to crack.
- And added 2 more characters, and used numbers as well (giving a total of 26+26+10 = 62 possible characters per position) then a hacker's efforts will now take over 3000 times as long again.
By making just these small changes, the time taken to guess the password grows ridiculously quickly.
|Character range used
|Time to crack
(lower case letters)
(lower & upper case letters)
(lower & upper case letters, numbers)
Amazing what a tiny change can do isn’t it? Adding punctuation symbols (such as ! £ $ %) will make it even harder still to guess.
It’s worth noting too that the speed quoted above - 40 billion guesses / second - is a conservative figure of what a typical home PC can manage. Some high-spec home computers are able to try over 160 billion passwords a second - now imagine what a dedicated supercomputer is capable of! Scary isn’t it?
This is why the passwords for any high security systems always need to be at least 12 characters long as a bare minimum.