How Hackers Break Passwords
The common advice is that "strong" passwords are those which are over 8 characters long & contain a mixture of different characters. But have you ever wondered why?
In short, the main threat to your password is not a human trying to guess it - it's a computer. And since computers can try billions of passwords every second, it soon becomes obvious why we need to make our passwords difficult to guess.
This is the 2nd page in our guide on the technical aspects of passwords, including how hackers manage to get hold of passwords & break them. See also:
Jump straight to topic:
Online password guessing
As we saw on the previous page, one way that hackers can get your password is to simply try guessing it until the website logs them in. For attackers though, this is slow. Very slow.
It's limited not just by the speed of the website but also by any defences that the site might use, such as blocking an account after several failed logins, or the use of "Captchas" (such as images of letters in an obscure pattern that need to be typed in).
So, unless you're being specifically targetted, then hackers generally don't try this method. Instead the main reason for needing strong passwords is to defend against "offline" guessing, as we'll see below.
Offline password attacks
Trying to guess passwords by connecting to a website can be risky, so hackers prefer instead to do this on a computer not connected to the internet. This can be phenomenally fast - billions of attempts per second can be tried - and without any security restrictions from the website slowing them down.
So how exactly is this done?
How websites store passwords
When the media report that passwords have been stolen from a website it's easy to think that the hackers got your actual password. And sometimes - sadly - this is true.
More often than not though what hackers actually get is a scrambled form of your password.
Most websites don't store your password in the form that you type it and instead jumble it up into what is known as a "password hash". This is a sequence of random looking numbers and letters that uniquely represent your password, even though they bear no obvious resemblance to it. For details on what hashing is and how it's done see our page here.
Breaking hashes
Password hashes can't be used to login to websites with - criminals must first turn these hashes back into the original password if they want to access your account. The password hashing process has 2 key characteristics though:
- It's one way - just as scrambled eggs can’t be unscrambled, the hashing process can't be reversed to find the original password from a hash either;
- It's repeatable - any given password, put through the same hashing process, will always result in the same output every time.
But even though hashing can't be reversed, hackers can still find your password by simply running every possible combination of password through the hashing process (this process is well known) until a match is found. This is known as "brute forcing".
For example, a hacker with the hash value 33c17d3eeaf581e7d4749173b1680e51 (we told you they looked random!) will quickly discover by brute force that the original password is [email protected].
Computers are able to try billions of different guesses per second to find a matching hash. It’s because of this that you need a strong password!
Guessing passwords
It goes without saying that any criminal who's stolen millions of password hashes will want to discover the original passwords as quickly as possible - they'll want to be able impersonate victims online as soon as they can to start making themselves some money.
But with over 200,000 words in the English dictionary (let alone any other languages), and with letter substitutions, capital letters, and symbols, often thrown into the mix too, there's a lot of guesses that a hacker would need to start working through. For this reason they’ll approach it systematically to speed it up.
1. Looking passwords up in a hash table
Because the hashing algorithms used by websites are well known (some of the common ones are called MD5, SHA-1, and SHA-256) then criminals have been able to pre-calculate billions of hashes over the last few years. These lists can freely be downloaded from the internet, enabling a quick lookup of a hash back into your original password.
If all that the website has done to protect your password is to hash it without adding any "salt" (see our next page), then your password really needs to be longer than 12 characters to stand any chance of not being in these lists.
2. Common passwords
Hackers will also try some of the more commonly used passwords first too. Over the last few years several major website breaches have revealed what these are, with some of the most popular being:
123456
000000
1234
12345
111111
123123
1234567
12345678
123456789
1234567890
abc123
admin
ashley
azerty
baseball
dragon
football
iloveyou
jesus
letmein
master
michael
monkey
mustang
ninja
password
password1
princess
qwerty
shadow
sunshine
trustno1
welcome
If your password is in this list then change it now! Even seemingly random passwords (such as monkey) aren't always as original as you might think.
And did you notice some common themes in that list too? Sequential numbers & letters (123456, abc123) are very common, as are keyboard patterns such as qwerty and azerty. And there's many more keyboard patterns in the top 100 passwords as well.
3. Dictionary-based attacks
If a hacker hasn’t had any luck with the most common passwords then they’ll next try running through entire dictionaries, starting with common categories of words such as:
- Sports & sports teams;
- Names - eg celebrities, family or friends, pets, or TV/film characters;
- Places - eg countries, cities, or landmarks;
- Hobbies;
- Animals
Hackers will also try substituting letters, such as a ! for an i, or @ for an a. And have you ever added numbers to the end of your password, or an exclamation mark? Yep, they’ll try these methods too!
Other methods will include combining dictionary words together, sometimes with common word pairs already in the list like ihate, mycar, or allineed.
Getting this far will take hackers no more than a few minutes - it's scarily fast!
See how easily passwords which have some element of a dictionary word in them can be cracked in this great article from Ars Technica.
4. Pure guessing
The final method that hackers fall back to - if all else fails - is a true brute force method, trying all possible letter, number & symbol combinations. Passwords that aren't at least 8 characters long will now be broken within a matter of seconds.
This is why security experts urge everyone to choose long & complex passwords:
- There are 308,915,776 possible 6-letter passwords made of lower case letters (from aaaaaa to zzzzzz). A computer trying 20 million guesses a second can crunch through these in just 15seconds.
- Adding just 2 extra letters gives 676 times as many combinations (now 208,827,064,576).
- And if we used upper case letters & numbers as well (giving a total of 26+26+10 = 62 possible characters per position) then a hacker's efforts will now take another 1000 times as long again.
By making just these small changes, the time taken to guess the password grows ridiculously quickly.
| Length | Character range used | Example | Possible combinations | Time to crack |
|---|---|---|---|---|
| 6 | 26 (lower case letters) | hrfsew | 308,915,776 | 15 seconds |
| 8 | 26 (lower case letters) | ieatcake | 208,827,064,576 | 2.9 hours |
| 8 | 62 (lower & upper case letters, numbers) | UAndMe15 | 218,340,105,584,896 | 4 months |
Amazing what a tiny change can do isn’t it? Adding punctuation (eg ! £ $ %) will make it even harder still to guess.
It’s worth noting too that the speed quoted above - 20 million guesses / second - is a conservative figure of what a typical home PC can manage. Even in 2012 machines existed that were 12,000 times as fast, able to try over 348 billion passwords a second and cracking complex 8 character passwords in minutes. Scary isn’t it?
Some people have even gone so far as to calculate hashes for all possible passwords up to 10 characters in length. This is why the passwords for any high security systems always need to be at least 12 characters long.