How Do Hackers Guess Passwords?

On the previous page we looked at how hackers may try to steal your password. If they can't do this though then there's another tactic they can try - to simply guess it!

This is why passwords need to be strong - it's why they should be unique, over 8 characters long & contain a mixture of different characters. Read on to find out more.

Jump straight to topic:


Online password guessing

If hackers haven't managed to steal your password then one way they can still break into your web accounts is to simply try guessing it. Guessing passwords at random though is slow. Very slow.

It's limited not just by the speed of the website and the internet connection but also by any defences that the site might use, such as blocking an account after several failed logins, or the use of "Captchas" (such as images of letters in an obscure pattern that need to be typed in).

Yet despite this online password attacks are still commonplace - many users have poor password habits that make it worthwhile still for attackers to have a go at guessing them, whether the attacker is targetting a specific user or just simply looking for any user account they can access.

Attackers can use different strategies to increase their chances of success, with two of the most common being described below.

Password Spraying

Some passwords seem to be far more popular than others, with the most common ones (such as "123456" and "qwerty") being used by millions of people. Attackers can exploit this fact with a password spraying attack.

The concept is simple: instead of trying thousands of different passwords against a single account, attackers will take the opposite approach and try a single password (such as "Password1" or "Qwerty") against tens of thousands of different usernames (often leaked by another website hack), until a match is found. They may repeat this a few times using other popular passwords.

The advantage to the attacker of this method is that each user account (where the usernames tried are valid) will only have a few failed logon attempts against it, thus avoiding many common security defences such as account lockouts.

Credential Stuffing

One other popular form of online password guessing is known as "credential stuffing". In this method attackers take a list of usernames and known passwords stolen from a different website and try them all on the website they're targetting in the hope of finding a match.

Because many people often re-use their passwords across multiple websites then it can be quite likely for some of the username & password combinations to work on the website that is now being targetted.

This is an excellent reason why we should all never re-use passwords on different websites - see our guide for tips on how to make our passwords unique.


Offline password attacks

When the media report that passwords have been stolen from a website it's easy to think that the hackers got your actual password. And sometimes - sadly - this is true.

How websites store passwords

More often than not though what hackers actually get is a scrambled form of your password, known as a "password hash". These are a sequence of random looking numbers and letters that uniquely represent your password - for example 33c17d3eeaf581e7d4749173b1680e51 is the hash of the password [email protected].

You can't use a password hash itself to login with, however through clever mathematics hashes enable websites to know when a user has entered the correct password. For details on what hashing is and an introduction to how it works see our guide here.

Breaking hashes

When a hacker has a list of these hashes, stolen from a website that they or someone else has successfully hacked, they will often try to reverse engineer them to work out what the original passwords are. And once the attacker has the original passwords along with the username, they can then use these to try logging in to other websites with, for example by using a Credential Stuffing attack as mentioned above.

So how exactly are hashes broken?

The process by which a password is turned into a hash in the first place has 2 key characteristics:

  1. It's repeatable - any given password, put through the same hashing process, will always result in the same output every time.
  2. It's one way - just as scrambled eggs can’t be unscrambled, the hashing process can't be reversed to find the original password from a hash either;

But even though hashing can't be reversed, because it's repeatable then hackers can simply hash every possible password until a match is found. This is known as "brute forcing". This can be phenomenally fast too - billions of attempts per second can be tried.

Computers are able to try billions of different guesses per second to find a matching hash. It’s because of this that you need a strong password!

With over 200,000 words in the English dictionary (let alone any other languages), and with letter substitutions, capital letters, and symbols often thrown into the mix too, there's a lot of guesses that a hacker needs to try which can take time - even despite the sheer speed that computers can do this at. And this is even before we consider any precautions that a website has (hopefully) taken to strengthen the hash such as 'salting' it.

For this reason hackers will approach the reverse engineering of hashes systematically to speed it up.

1. Looking passwords up in a hash table

Because the hashing algorithms used by websites are well known (some of the common ones are called MD5, SHA-1, and SHA-256) then criminals have been able to pre-calculate billions of hashes over the last few years. These lists can freely be downloaded from the internet, enabling a quick lookup of a hash back into your original password.

If a website hasn't made any attempt to protect against this type of attack (for example by adding "salt" - see our next page), then your password really needs to be longer than 12 characters to stand any chance of not being in these lists.

2. Common passwords

Hackers will also try creating hashes of some of the more commonly used passwords, hoping to find a matching "hash" value to the one they've stolen. Over the last few years several major website breaches have revealed what the most commonly used passwords are, with some of the most popular being:

123456

000000

1234

12345

111111

123123

1234567

12345678

123456789

1234567890

abc123

admin

ashley

azerty

baseball

dragon

football

iloveyou

jesus

letmein

master

michael

monkey

mustang

ninja

password

password1

princess

qwerty

shadow

sunshine

trustno1

welcome

If your password is in this list then change it now! Even seemingly random passwords (such as monkey) aren't always as original as you might think.

And did you notice some common themes in that list too? Sequential numbers & letters (123456, abc123) are very common, as are keyboard patterns such as qwerty and azerty. And there's many more keyboard patterns in the top 100 passwords as well.

3. Dictionary-based attacks

If a hacker hasn’t had any luck with the most common passwords then they’ll next try running through entire dictionaries, starting with common categories of words such as:

  • Sports & sports teams;
  • Names - eg celebrities, family or friends, pets, or TV/film characters;
  • Places - eg countries, cities, or landmarks;
  • Hobbies;
  • Animals

Hackers will also try substituting letters, such as a ! for an i, or @ for an a. And have you ever added numbers to the end of your password, or an exclamation mark? Yep, they’ll try these methods too!

Other methods will include combining dictionary words together, sometimes with common word pairs already in the list like ihate, mycar, or allineed.

Getting this far will take hackers no more than a few minutes - it's scarily fast!

See how easily passwords which have some element of a dictionary word in them can be cracked in this great article from Ars Technica.

4. Pure guessing

The final method that hackers fall back to - if all else fails - is a true brute force method, trying all possible letter, number & symbol combinations. Passwords that aren't at least 8 characters long will now be broken within a matter of seconds.

This is why security experts urge everyone to choose long & complex passwords:

  • There are 308,915,776 possible 6-letter passwords made of lower case letters (from aaaaaa to zzzzzz). A computer trying 20 million guesses a second can crunch through these in just 15seconds.
  • Adding just 2 extra letters gives 676 times as many combinations (now 208,827,064,576).
  • And if we used upper case letters & numbers as well (giving a total of 26+26+10 = 62 possible characters per position) then a hacker's efforts will now take another 1000 times as long again.

By making just these small changes, the time taken to guess the password grows ridiculously quickly.

Length Character range used Example Possible combinations Time to crack
626
(lower case letters)
hrfsew308,915,77615 seconds
826
(lower case letters)
ieatcake208,827,064,5762.9 hours
862
(lower & upper case letters, numbers)
UAndMe15218,340,105,584,8964 months

Amazing what a tiny change can do isn’t it? Adding punctuation (eg ! £ $ %) will make it even harder still to guess.

It’s worth noting too that the speed quoted above - 20 million guesses / second - is a conservative figure of what a typical home PC can manage. Even in 2012 machines existed that were 12,000 times as fast, able to try over 348 billion passwords a second and cracking complex 8 character passwords in minutes. Scary isn’t it?

Some people have even gone so far as to calculate hashes for all possible passwords up to 10 characters in length. This is why the passwords for any high security systems always need to be at least 12 characters long.


Have any feedback on this page? Let us know - [email protected]