How Hackers Break Passwords

The common advice is that "strong" passwords are those which are over 8 characters long & contain a mixture of different characters. But have you ever wondered why?

In short, the main threat to your password is not a human trying to guess it - it's a computer. And since computers can try billions of passwords every second, it soon becomes obvious why we need to make our passwords difficult to guess.

Jump straight to topic:


Online password guessing

As we saw on the previous page, one way that hackers can get your password is to simply try guessing it until the website logs them in. For attackers though, this is slow. Very slow.

It's limited not just by the speed of the website but also by any defences that the site might use, such as blocking an account after several failed logins, or the use of "Captchas" (such as images of letters in an obscure pattern that need to be typed in).

So, unless you're being specifically targetted, then hackers generally don't try this method. Instead the main reason for needing strong passwords is to defend against "offline" guessing, as we'll see below.


Offline password attacks

Trying to guess passwords by connecting to a website can be risky, so hackers prefer instead to do this on a computer not connected to the internet. This can be phenomenally fast - billions of attempts per second can be tried - and without any security restrictions from the website slowing them down.

So how exactly is this done?

How websites store passwords

When the media report that passwords have been stolen from a website it's easy to think that the hackers got your actual password. And sometimes - sadly - this is true.

More often than not though what hackers actually get is a scrambled form of your password.

Most websites don't store your password in the form that you type it and instead jumble it up into what is known as a "password hash". This is a sequence of random looking numbers and letters that uniquely represent your password, even though they bear no obvious resemblance to it. For details on what hashing is and how it's done see our page here.

Breaking hashes

Password hashes can't be used to login to websites with - criminals must first turn these hashes back into the original password if they want to access your account. The password hashing process has 2 key characteristics though:

  1. It's one way - just as scrambled eggs can’t be unscrambled, the hashing process can't be reversed to find the original password from a hash either;
  2. It's repeatable - any given password, put through the same hashing process, will always result in the same output every time.

But even though hashing can't be reversed, hackers can still find your password by simply running every possible combination of password through the hashing process (this process is well known) until a match is found. This is known as "brute forcing".

For example, a hacker with the hash value 33c17d3eeaf581e7d4749173b1680e51 (we told you they looked random!) will quickly discover by brute force that the original password is [email protected].

Computers are able to try billions of different guesses per second to find a matching hash. It’s because of this that you need a strong password!


Guessing passwords

It goes without saying that any criminal who's stolen millions of password hashes will want to discover the original passwords as quickly as possible - they'll want to be able impersonate victims online as soon as they can to start making themselves some money.

But with over 200,000 words in the English dictionary (let alone any other languages), and with letter substitutions, capital letters, and symbols, often thrown into the mix too, there's a lot of guesses that a hacker would need to start working through. For this reason they’ll approach it systematically to speed it up.

1. Looking passwords up in a hash table

Because the hashing algorithms used by websites are well known (some of the common ones are called MD5, SHA-1, and SHA-256) then criminals have been able to pre-calculate billions of hashes over the last few years. These lists can freely be downloaded from the internet, enabling a quick lookup of a hash back into your original password.

If all that the website has done to protect your password is to hash it without adding any "salt" (see our next page), then your password really needs to be longer than 12 characters to stand any chance of not being in these lists.

2. Common passwords

Hackers will also try some of the more commonly used passwords first too. Over the last few years several major website breaches have revealed what these are, with some of the most popular being:

123456

000000

1234

12345

111111

123123

1234567

12345678

123456789

1234567890

abc123

admin

ashley

azerty

baseball

dragon

football

iloveyou

jesus

letmein

master

michael

monkey

mustang

ninja

password

password1

princess

qwerty

shadow

sunshine

trustno1

welcome

If your password is in this list then change it now! Even seemingly random passwords (such as monkey) aren't always as original as you might think.

And did you notice some common themes in that list too? Sequential numbers & letters (123456, abc123) are very common, as are keyboard patterns such as qwerty and azerty. And there's many more keyboard patterns in the top 100 passwords as well.

3. Dictionary-based attacks

If a hacker hasn’t had any luck with the most common passwords then they’ll next try running through entire dictionaries, starting with common categories of words such as:

  • Sports & sports teams;
  • Names - eg celebrities, family or friends, pets, or TV/film characters;
  • Places - eg countries, cities, or landmarks;
  • Hobbies;
  • Animals

Hackers will also try substituting letters, such as a ! for an i, or @ for an a. And have you ever added numbers to the end of your password, or an exclamation mark? Yep, they’ll try these methods too!

Other methods will include combining dictionary words together, sometimes with common word pairs already in the list like ihate, mycar, or allineed.

Getting this far will take hackers no more than a few minutes - it's scarily fast!

See how easily passwords which have some element of a dictionary word in them can be cracked in this great article from Ars Technica.

4. Pure guessing

The final method that hackers fall back to - if all else fails - is a true brute force method, trying all possible letter, number & symbol combinations. Passwords that aren't at least 8 characters long will now be broken within a matter of seconds.

This is why security experts urge everyone to choose long & complex passwords:

  • There are 308,915,776 possible 6-letter passwords made of lower case letters (from aaaaaa to zzzzzz). A computer trying 20 million guesses a second can crunch through these in just 15seconds.
  • Adding just 2 extra letters gives 676 times as many combinations (now 208,827,064,576).
  • And if we used upper case letters & numbers as well (giving a total of 26+26+10 = 62 possible characters per position) then a hacker's efforts will now take another 1000 times as long again.

By making just these small changes, the time taken to guess the password grows ridiculously quickly.

Length Character range used Example Possible combinations Time to crack
626
(lower case letters)
hrfsew308,915,77615 seconds
826
(lower case letters)
ieatcake208,827,064,5762.9 hours
862
(lower & upper case letters, numbers)
UAndMe15218,340,105,584,8964 months

Amazing what a tiny change can do isn’t it? Adding punctuation (eg ! £ $ %) will make it even harder still to guess.

It’s worth noting too that the speed quoted above - 20 million guesses / second - is a conservative figure of what a typical home PC can manage. Even in 2012 machines existed that were 12,000 times as fast, able to try over 348 billion passwords a second and cracking complex 8 character passwords in minutes. Scary isn’t it?

Some people have even gone so far as to calculate hashes for all possible passwords up to 10 characters in length. This is why the passwords for any high security systems always need to be at least 12 characters long.


Have any feedback on this page? Let us know - [email protected]