You’ve probably heard about cracking passwords in movies and TV shows, but many people don’t know what the process actually entails. In this article, we will dive in deep and cover all of the different ways that passwords can be cracked, some similar attacks that result in stolen passwords, how stolen passwords can cause damage, and the protective measures that both users and developers can adopt in order to keep their passwords safe.
What are passwords for, anyway?
It may seem like an obvious question, but you may have never thought about the role that passwords actually play in your overall security. In short, they provide authentication. They are essentially just secrets that only authorized people should know. The security controls assume that if you know the secret, then you are authorized to enter.
Along with user names, handing over a password is basically a shorthand way of saying, “Yes, it’s me. We previously agreed that I am allowed to access this specific set of resources and data, so please let me in.” While this is way more convenient than showing someone your ID every time you want to log in to your email, it can cause problems. What if someone else gets ahold of your password?
If the secrets of your online life are guarded by a fortress of security mechanisms, you can view password controls as the gatekeeper. The gatekeeper lets anyone in as long as they know the password. The turrets, the walls, the moat, the drawbridge—they can only protect you if the gatekeeper and the password keep the bad guys out.
If an attacker can figure out the password and they tell it to the gatekeeper, the gatekeeper will let them in. All of the security controls suddenly become meaningless, and the attacker will gain access to everything that you can access. Control of the account, private information, messages, financial data—they can even change the password themselves. All of this can easily fall into an attacker’s hands if they can crack or figure out the password.
The safety of your online kingdom is all tied up under the assumption that hackers will not be able to figure out your passwords. If this assumption doesn’t hold, it all goes up in a puff of smoke.
Before we jump in too far, we want you to make sure that you already have strong and unique passwords for each of your accounts. If you don’t already have long and complex passwords for all of your important logins, go to the linked article, get a password manager, and set the passwords up now. While learning about brute forcing, dictionary attacks and all of the other cracking techniques is important, you can do that after you take the first steps toward boosting your online security.
Why are passwords cracked?
As you have probably guessed, password cracking is performed to gain access to an account. One of the most common motives is if an attacker wants to gain access to resources or information that they aren’t authorized to touch. This will be the main focus of our article, and we will discuss the possible outcomes of this in the next section.
However, there are more legitimate reasons to crack passwords as well. One example is law enforcement trying to access data from a criminal who won’t hand over their password. If they think that they may be able to access information that helps them solve a case or shut down a criminal organization, it may be worthwhile for them to go to the effort of cracking a password.
Another legitimate reason for password cracking is when network administrators or penetration testers want to gauge the strength of the passwords on their systems. Sometimes they will attempt to crack all of the passwords used within the organization. If they can crack any of the passwords, then it follows that attackers will be able to crack them too. If the admin or the pen tester succeeds, they can then advise the individual responsible about how insecure and easily broken their password is, and give them tips to create a safer password.
Password cracking may also be an option if a user forgets their password and password recovery is either unsuccessful or unavailable. However, because password cracking can be so time-consuming and resource-intensive, this is generally only practical if the user has a weak password, or if the data that has been locked up is incredibly valuable (think Bitcoin wallets). In other circumstances, it can be hard to justify the effort involved in password cracking.
What can happen if a hacker cracks your passwords?
If an attacker can crack your password, this grants them access to everything you can normally access. They can steal your personal information, insurance information, health data, payment details and more. They may sell these details on darknet marketplaces, or use them themselves to either escalate their attack or try to reap financial rewards.
This can lead to things like credit card fraud, insurance fraud, or even identity theft, which can have huge long-term and expensive consequences for you.
Hackers can completely take over your account and perform any actions that you can make. The consequences will depend on the type of accounts, but they may include:
- Impersonating you
- Posting private information
- Trying to infect your contacts with malware
- Transferring money to their own accounts
- Deleting your files
- Encrypting your files and seeking a ransom
- Attempting to escalate privileges to gain access to other resources
In the case of paid accounts like Netflix, Spotify and VPNs, they may even sell your account on the darknet. People purchase these credentials so that they can access the services at a much lower rate.
These possibilities that we’ve discussed are far from exhaustive. As you can see, a tremendous amount of damage can happen when an attacker cracks a password. This is why it’s so critical for service providers to securely set up their password infrastructure, and for users to only create secure passwords.
Alternatives to password cracking
A lot of the time, hackers don’t actually bother cracking passwords. Cracking a good password can be a difficult and time-consuming process, so they often resort to other techniques. A few of the more common options include:
Phishing and other forms of social engineering
You know what’s easier than cracking a password? Asking someone for it.
One of the most common techniques for attaining passwords is simply to trick the victim into handing it over. This is especially true when specific individuals or organizations are being targeted. Rather than trying to brute force their way in, attackers can simply try social engineering instead.
As an example, they could send a phishing email that links to a fake login page for the target’s bank. All they have to do is send something along the following lines in an official looking email:
We regret to inform you that we have detected suspicious activity and the password to your bank account may be compromised. Please head to the following URL, enter your old login details, and then change your password:
When people receive a message like this, they often react without thinking. After all, it’s an emergency, and their money is at stake! They may fall right into the attacker’s trap and go to the fake website and enter their password, sending it straight into the attacker’s hands. It doesn’t matter that the entire email was fake and the attacker never had their password to begin with. Once the victim types it into the fake login page, the attacker has the login details they need to cause all kinds of mayhem.
Phishing and other types of social engineering make it easy for attackers to get the passwords they want. Instead of trying billions of combinations, they can get the password in minutes. All it takes is a little bit of con artistry.
Another option for stealing passwords is to infect targets with malware. Many strains log keystrokes, read the clipboard or sniff network traffic, and then send whatever passwords they capture to a server controlled by the attacker. Once more, this can be a lot easier than brute forcing a password.
Attackers can also turn to the disgruntled employees of a targeted organization and convince these workers to give them their login details. They could also just bribe employees to hand over their own passwords, the passwords of their colleagues, or the password database. These are known as insider threats and they present a tremendous challenge to organizations. These employees clearly need their login details in order to complete their work, but if they can be convinced to give their passwords to an attacker, the attacker will be able to access all of the resources that are available to the employee.
When an account is protected by SMS authentication the attacker may not even need the password. Instead, they can perform what’s known as a SIM-swapping attack. Basically, all they have to do is call up the phone company and impersonate you. They tell the operator that you are changing SIM cards, hand over a few of your personal details and then convince the operator to switch your old phone number over to the new SIM card.
This means that the attacker will now get all of your incoming messages, including your two-factor authentication codes. They can then simply ask for the password of an account to be reset, intercept the verification code that the reset sends by SMS, and then change the password to whatever they want. When SMS authentication is protecting an account, it can be this easy for an attacker to take control of it, all without ever actually needing your password.
Hackers often target companies in attempts to steal valuable data from their servers. Among their targets are password databases, which can grant them access to all of the user accounts. These days, it’s relatively rare for the passwords to be stored as plaintext, but if they are, it makes a hacker’s life incredibly easy. Most of the time only the password hashes are stored, which hackers still have to crack. We discuss these in more depth later in the article.
Shoulder surfing and related techniques involve someone close to you figuring out your password. Perhaps it’s a colleague, a family member, an acquaintance or someone you thought was your friend. They may either look over your shoulder while you type in your password, or if you store your passwords insecurely, they may be able to find them. This is why you should never keep your password on a Post-It note on your monitor, or in an easily accessible file on your computer. Ultimately, it could lead to an attacker stealing your password and accessing your accounts.
How do hackers crack your passwords?
If none of the above options are suitable, an attacker may decide that the best choice is to go with some form of password cracking.
However, the specifics of how they go about it, the techniques they employ, the likelihood of success and the time it may take will depend on a wide range of factors. We will discuss each of the different types of password cracking in detail later in the article.
First, let’s give you a quick run down on some of the variables and how these may influence the paths that attackers take. You will come across a few terms that we haven’t introduced yet, but don’t worry, we will cover these in detail later on. These variables include:
The information that the hacker already has access to
- Does the attacker have usernames and matching passwords in plaintext? If so, they can directly input these login details into the targeted system and access the accounts.
- Does the attacker have the password hashes for the accounts they are trying to target? If so, they can either look up the hash in a rainbow table or compute password and hash combinations until they find a match. If they succeed, they can then use the password to log in.
- Does the attacker have a list of usernames but no passwords? If so, they will have to try common passwords against the system in a password spraying attack.
- Does the attacker have usernames and either passwords or password hashes for the accounts of a single service provider? If so, they can try using these same login details against other service providers in a credential stuffing attack.
The security mechanisms that are in place
If an attacker does not have the password hashes, they will have to test the password against the security controls. These may include:
- Login restrictions — A limited number of login attempts may be allowed before the account is locked. This lockout may be for a set period or until further verification is given.
- CAPTCHAs — These can either make it impractical for the attacker to automate their attempts, or slow them down significantly.
- Two-factor authentication — When two-factor authentication is also in place, the password will not be sufficient for the attacker to gain access. They will also need the code from an app, SMS or token in order to successfully log in.
If these security controls are in place, they may limit the attacker to password spraying attacks.
The techniques available to an attacker may vary depending on whether the attacker is targeting a specific individual or organization, or if their main goal is financial rewards from any potential victims:
- Credential stuffing will only work against an individual if the individual uses the same username and password across multiple accounts.
- Credential stuffing will only work against an organization if some of its employees use the same usernames and passwords across multiple accounts.
- Credential stuffing can be effective if there are no particular targets. The attackers can simply go through the breached database of usernames and passwords, and then try each one against a bunch of other common accounts. If the user uses the same login details across multiple accounts, the attackers will get a match and be able to access the other accounts. If the attacker only has password hashes, this complicates credential stuffing, but does not make it impossible.
- Password spraying will only work against an organization if some of its employees use simple or common passwords.
- Password spraying can be effective if there are no particular targets. Attackers can cycle through a list of usernames and attempt to unlock the accounts with a list of the most common passwords. While they will generally be limited by how many attempts they can make at once, when they are targeting tens of thousands or hundreds of thousands of users at once, they can still find matches over time.
- If hackers have a database of hashed passwords and there are no particular targets, they can attempt to figure out the passwords for anyone in the database. If they succeed, they may be able to access their accounts.
How complex the password is:
- If the password is simple or commonly used, password spraying may be effective.
- If the attacker has the password hash and the password is simple and commonly used, an attacker may already have the password in their rainbow table. If so, the attacker can try this password against the security controls of the account.
- If the attacker has the password hash and the password is complicated or less common, the hacker may have to attempt to compute it themselves. This can be time-consuming, resource intensive, and there is no guarantee that it will work. However, if the attacker is able to come up with a match, they can then try the matching password against the security systems.
Password complexity and the ease of cracking a password
It’s common to think that a password’s security is dependent only on its length and whether special characters and case mixing are used. A longer password requires more guesses to crack, and special characters can make the password even more difficult to guess. While these can play important roles, the randomness of the password is also crucial.
This is because password cracking only tends to involve guessing every single possible combination as a last resort—it’s simply too inefficient to turn to it at first. The reality is that as humans, we are relatively predictable creatures and we tend to use similar patterns in our passwords. If you want to figure out a password as quickly and easily as possible, it makes sense to focus your attempts along these patterns. This approach is known as a dictionary attack, which we will cover more thoroughly in the Cracking passwords with dictionary attacks section.
Let’s demonstrate this concept by taking a guess about your own password: If your password uses numbers, are they either exclusively at the end of the password, or replacing some of the letters like in leetspeak (using 5 instead of S, etc..)?
A bunch of readers are probably nodding along, because many of us follow these kinds of predictable patterns.
Since we tend to operate along patterns, attackers would be wasting their time if they systematically went through every single possible password combination. It makes far more sense for them to go through the most common passwords and the more likely patterns first, and only turn to systematically going through every combination if these attempts fail.
This reality has huge ramifications for how we choose our passwords and how secure they actually are against attacks.
Is your password really as random as you think it is?
The point is that we may think that something like Y4nk335w1!!w1n is a totally random password that is hard to guess, when it really isn’t. For one, it’s a grammatically correct English sentence (Yankees will win), with a bunch of substitutions that are actually really common and well known to hackers.
When you think of all possible character combinations, only a minuscule fraction comes close to being a grammatically correct English sentence. If a hacker chooses to begin their guesses by pursuing combinations that are somewhat grammatically correct, they have already narrowed down their search field substantially, which could significantly hasten the time it takes to find the correct password.
On top of the fact that this password is roughly grammatically correct, if the hacker knows that the target is from New York or a Yankees fan, they can add these types of details into their password cracking program to speed up the search even more. They do this through wordlists, which we will discuss in the Cracking passwords with custom wordlists section.
Even though Y4nk335w1!!w1n is 14 characters, it’s nowhere near as secure as an equivalent password that is randomly generated, such as HwUzNfKpUnf4e5. The KeePass password generator says that this new password has 76 bits of entropy, which is likely far more than the Yankees password, making it much more unlikely for a hacker to be able to figure it out.
The major takeaway is that a password’s strength is dependent on both its length and its randomness, and that people are quite poor at actually adding randomness to their passwords, which makes a hacker’s job much easier. We will discuss how you can easily implement more random passwords in the For users section toward the bottom of the article.
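To make the comparison concrete, here is an added example (not from the original article) that counts how many guesses a simple pattern-aware guesser needs to reach Y4nk335w1!!w1n from the phrase it is built on, and sets that against the naive keyspace of a password of the same length. The substitution table and the capitalisation rule are assumptions chosen to cover this one password; real cracking rule sets are far larger. The figure it computes for HwUzNfKpUnf4e5 is the full-keyspace upper bound, which is why it comes out higher than the 76 bits the KeePass estimator reports.

```python
import itertools
import math
import string

# Added example (not from the article): how much of a password's nominal
# keyspace a pattern-aware guesser actually has to search. The substitution
# table is an assumption chosen to cover the article's example; real cracking
# rule sets are far larger.
LEET = {"a": "4", "e": "3", "s": "5", "i": "1", "l": "!", "o": "0", "t": "7"}


def keyspace_bits(password: str) -> float:
    """Upper bound on a password's entropy: every character treated as an
    independent uniform draw from the union of the character classes it uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def mangle(phrase: str):
    """Yield every variant of `phrase` obtained by optionally substituting each
    letter that has a LEET entry and optionally capitalising the first character.
    Candidates come out in a fixed order, the way a cracking tool tries them."""
    slots = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in phrase]
    for combo in itertools.product(*slots):
        candidate = "".join(combo)
        yield candidate
        if candidate[0].isalpha():
            yield candidate[0].upper() + candidate[1:]


def rule_space_size(phrase: str) -> int:
    """Number of guesses needed to exhaust mangle(phrase)."""
    return sum(1 for _ in mangle(phrase))


def guesses_to_find(target: str, phrase: str):
    """1-based position of `target` in the guess order, or None if unreachable."""
    for i, candidate in enumerate(mangle(phrase), start=1):
        if candidate == target:
            return i
    return None


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    phrase, target = "yankeeswillwin", "Y4nk335w1!!w1n"
    n = rule_space_size(phrase)
    print(f"nominal keyspace of {target}: {keyspace_bits(target):.1f} bits")
    print(f"rule-based guesses from '{phrase}': {n} ({math.log2(n):.0f} bits), "
          f"found at guess #{guesses_to_find(target, phrase)}")
    rnd = "HwUzNfKpUnf4e5"
    bits = keyspace_bits(rnd)
    years = seconds_to_exhaust(bits, 1e10) / 3.15e7
    print(f"{rnd}: {bits:.1f} bits, {years:.2e} years to exhaust "
          "at 10 billion guesses per second")
```

Run as a script it shows the point of the section in two numbers: the Yankees password is reached within 512 guesses (9 bits) from its base phrase, while a 14-character random password sits in a space of roughly 83 bits.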
Password cracking techniques
We have already briefly mentioned most of these techniques. Now it’s time to give you a full rundown:
Attempting a known password against a login system
It’s hard to count this as password cracking, but sometimes hackers do come across plaintext passwords, so we will quickly include it so that you don’t think that we forgot something. If an attacker comes across a set of credentials or even a whole username and password database stored in plaintext, their work is incredibly easy.
All they have to do is go to the login page for the account and try to log in using the details they have. If the user has not changed their password since it came into the hacker’s hands, and there are no additional authentication measures like 2FA, then the hacker will have direct access to the account. Once they are in, they can do with it what they please. This is a quick and simple process compared to the other techniques we will discuss.
If a hacker has a list of plaintext usernames and passwords from a single service provider, they can try using those same usernames and passwords on other accounts in what are known as credential stuffing attacks.
This type of attack takes advantage of the fact that people often use the exact same passwords across multiple accounts. The result is that if there is a password breach at one of their service providers, then hackers can use credential stuffing against all of the person’s other accounts. This is why it’s so important to use unique passwords for every single one of your accounts.
Credential stuffing attacks are relatively simple once the hacker has the usernames and passwords in hand. Let’s say that the breach came from Facebook. All that the hacker has to do is try the very same username and password combinations on Google, email accounts, Spotify, Netflix, bank accounts, Amazon, other online retailers, and the host of other common places where people may have accounts.
If the username and password combination work, it means that the person used the same password across multiple accounts. Once the attacker successfully logs in, they have complete control of the account and can do anything that the user can.
Cracking passwords with a password hash
In many situations, a hacker may have access to the password hash, but not the password. The general best practice is for databases to store user passwords as hashes, rather than the passwords themselves in plaintext. A hash is simply the output from a hash function, a one-way function that is deterministic and infeasible to reverse.
How hashes are used to secure passwords
When a password gets put through a secure hash function, the resulting value is essentially unique, but it cannot be used to figure out what the original password was.
This means that when a user signs up for an account and enters their password, the system can immediately run the password through a hash function, and only store the unique hash value, and never the password itself.
With this setup, whenever a user tries to log in and enters their password, the password is immediately hashed and not stored. The login system then takes this hash and compares it against the password hash that it has in its database for that particular user. If the two hashes match, the system knows that the same password has been entered.
This means that the system has a way to verify that the correct password has been typed in, without having to store the password in plaintext. If the system is ever hacked and the password database is stolen, hackers don’t end up with a bunch of passwords as plaintext. Instead, they just end up with a bunch of password hashes.
If the attackers had encountered the passwords in plaintext, they would have been able to take these passwords and log into the accounts just as easily as the users could. When attackers only have access to the hashes, they have to be able to figure out the passwords from the hashes, which can complicate things substantially.
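How a login system can do this in practice, as an added example rather than code from the article: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user and a high iteration count is one concrete choice of slow, salted password hash (the article does not prescribe one), and verification re-derives the hash with the salt stored in the record and compares it in constant time. The algorithm, iteration count and record format are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Added example (not from the article): storing a password as a salted, slow
# hash and checking a login against it, so the plaintext is never kept.
# PBKDF2-HMAC-SHA256 and the iteration count are one concrete choice made for
# this illustration; the article does not prescribe an algorithm.

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow: every attacker guess costs this much too
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.
    A fresh random salt per user means two users with the same password get
    different records, and no table of precomputed hashes applies."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the salt and iteration count stored in the record
    and compare in constant time, so response timing does not leak how many
    bytes of the hash matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed users: same password, different salts, different records.
    users = {name: hash_password("correct horse battery") for name in ("alice", "bob")}
    for name, record in users.items():
        print(name, record[:60] + "...")
    print("alice, right password:", verify_password("correct horse battery", users["alice"]))
    print("alice, wrong password:", verify_password("correct horse batteri", users["alice"]))
```

Storing the iteration count inside the record is what lets a site raise it later for new registrations without breaking existing logins; old records keep verifying with the count they were created with.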
Figuring out simple passwords from password hashes
In some cases, this is relatively easy. Tools such as RainbowCrack and ophcrack can either generate the hashes of candidate passwords on the fly or look a stolen hash up in tables that were computed in advance. The best-known form is the rainbow table, a time-memory trade-off structure that covers every password over a given character set up to a given length, but simpler lookup tables that map the most common passwords straight to their hashes exist as well. Precomputation of either kind only helps when the hashes are unsalted: a per-user salt makes the same password hash differently for every user, so no table built in advance applies. Trying only the most common and likely passwords against a hash is known as a dictionary attack, and we will discuss these in more depth toward the end of our article.
If an attacker has an unsalted password hash, all they have to do is use the software to look it up against the precomputed tables. If it’s a common or simple password, it’s likely that the hacker will find a matching hash, and they can then attempt to log in to the service with the corresponding password.
If the user has not changed their password since the hash was stolen and there are no other security controls, the attacker will be able to access their account with the password that matches the hash.
From the attacker’s point of view, the advantage of holding the password hashes is that all of this work can be done offline. Because they are testing candidates against the hash on their own hardware, they are not subject to the lockouts, CAPTCHAs or other restrictions that stand in the way of guesses made against a website’s login form; only the final, recovered password ever has to be entered there.
Figuring out complex passwords from password hashes
In cases where the password is not found in any of the rainbow tables, it’s likely that a more complex password has been used, or that the password has been salted. An attacker can try to use the software to attempt to generate new passwords and the matching hashes themselves.
The probability of success will depend on the complexity of the password, as well as the amount of computing resources the attacker has at their disposal. In many cases, it will be unfeasible to find the password in this way, but it all depends on how much effort the attacker is willing to expend.
Where do hackers get password hashes from?
As we mentioned, passwords should never be stored in plaintext, because it makes hackers’ lives too easy and leaves users incredibly vulnerable. Sometimes it is still done, but the people who set up those systems are terrible at their jobs.
So, we know that passwords should be stored as hashes so that when a user enters their password, it can still be verified against the hash in the system. The problem is that the hashes still have to be stored, and anything that is stored can be stolen.
Hackers could get the password hashes from the server they are stored on in a number of ways. These include through disgruntled employees, SQL injections and a range of other attacks. Whether the organization has good security or poor security, the possibility of the password hashes being stolen remains. The only difference is just how easy it will be, and whether it is actually worth the effort to a potential attacker.
Another source is authentication protocols that expose password-derived material on the network. WPA2-PSK’s four-way handshake and NTLM’s challenge-response exchange do not transmit the password itself, but what they do transmit is computed from it (in NTLM’s case, from the password hash), so an eavesdropper who captures the handshake, or the challenge and its response, can take it away and run an offline cracking attack against it in much the same way as against a stolen hash. Wireless handshakes can be captured simply by listening, and NTLM traffic on internal networks is frequently unencrypted.
What options are available if the hacker does not have the hash?
In many cases, a hacker will lack plaintext passwords and password hashes. However, there are still some options that they can pursue:
Cracking passwords with brute force
On the other end of the spectrum are brute force attacks. If an attacker doesn’t have the password or the password hash, they can just try using brute force. There’s nothing elegant about brute force attacks. They simply involve using every single possible password combination in a methodical way. The hope is that eventually the attacker will land on the correct password, which will grant them access to the account.
Let’s look at a very simple version of a brute force attack. If you have a 4-digit PIN code for your ATM, that means that there are 10,000 separate possible combinations, from 0000 to 9999. If an attacker wants to steal some of your cash, and they can’t just look over your shoulder, their best bet is to simply try every single combination in order.
0000, 0001, 0002, and so on, up until 9999.
If they were to attempt a more haphazard manner (8726, 9462, 1244, 4625… etc.) they may end up putting in the same numbers multiple times, or completely forgetting to attempt some combinations.
With a systematic attempt like the one mentioned above, mathematically speaking, you would expect the attacker to come across the PIN code at somewhere around the 5,000th attempt, although of course, this is just an average.
Brute forcing is relatively simple. It’s slow and monotonous, but it gets you there eventually, as long as you have enough time. With the example that we just gave, the process would be a hassle, but finding the PIN code is still certainly a possibility.
But what if we are talking about a complex 40-character password with an astronomical number of possible combinations? Even if you had the resources to guess millions of attempts per second, you might not stumble across the password within your lifetime. With this in mind, brute forcing passwords is certainly a viable option against simple passwords, but it’s impractical against complex ones.
When we went through the example above, you may have been thinking that it would be impossible because ATMs tend to limit the number of login attempts you can make. This is certainly true, which is why we were just demonstrating the concept, not saying that it’s actually feasible in real life.
The same problem applies to many other login systems, which can make brute forcing impractical in many real-life scenarios. You will either be locked out after a few attempts, or face regular CAPTCHAs that make it hard to automate the guesses. These defenses make brute forcing far too inefficient, meaning that it’s rarely used in these contexts.
It’s worth noting that if a hacker has the password hashes, they can also use a brute force approach to try every single password and hash combination on their own hardware. This is in contrast to dictionary attacks, which are more efficient.
Cracking passwords with dictionary attacks
While brute force attacks may help to find the password eventually, they take up a lot of time and energy. The reality is that most people don’t use completely random passwords, except for in the rare cases when they are created by a password generator. This means that brute forcing will end up attempting a whole bunch of passwords that are incredibly unlikely.
In many cases, it’s much faster to launch what are known as dictionary attacks, which essentially go through the most common passwords, words and patterns. These are far more likely to actually be used as passwords, which means that there’s a good chance that a dictionary attack will make it much quicker and less resource-intensive to figure out the correct password.
However, in many contexts, we run into the same problem as above, with security mechanisms like login attempt limits and CAPTCHAs preventing us from attempting a near-endless stream of possible combinations.
Just as with brute forcing, if an attacker already has password hashes, they can use dictionary attacks to try and find a matching password offline. In many cases, this will be far quicker than brute forcing the password, and it allows attackers to circumvent any security mechanisms that may be in place. For this reason, dictionary attacks are generally attempted before attackers resort to attempting to brute force a password.
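The offline attack described in this section, the brute force section and the Cracking passwords with a password hash section above, as an added example that is not part of the original article: a constructed dump of unsalted MD5 hashes is attacked first with a precomputed hash-lookup table built from a small wordlist (the simplest form of the precomputation that a rainbow table compresses), and only then with brute force over a small keyspace. MD5, the six-entry wordlist, the usernames and their passwords are all assumptions made for the illustration, and the digit-only brute force is bounded at four characters so that it finishes instantly; the random 14-character password survives both passes.

```python
import hashlib
import itertools
import string

# Added example (not from the article): an offline attack on a constructed
# "stolen" table of unsalted MD5 hashes. A dictionary (wordlist) pass with a
# precomputed lookup table runs first; brute force over a small keyspace is the
# fallback. MD5 and the six-word list are assumptions for illustration; the
# users and their passwords are made up.

WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "yankees"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed breach dump: username -> md5(password), no salt.
STOLEN = {
    "alice": md5_hex("password1"),        # in the wordlist
    "bob":   md5_hex("7391"),             # 4-digit PIN, not in the wordlist
    "carol": md5_hex("HwUzNfKpUnf4e5"),   # random, beyond both attacks here
}


def build_lookup(words):
    """Precompute hash -> password. Because the hashes are unsalted, this one
    table works against every user in this dump and any other dump that used
    plain MD5; that is what makes precomputation worthwhile."""
    return {md5_hex(w): w for w in words}


def dictionary_attack(stolen, lookup):
    """One table lookup per user: constant work per hash, however many users."""
    return {user: lookup[h] for user, h in stolen.items() if h in lookup}


def brute_force(target_hash, alphabet=string.digits, max_len=4):
    """Exhaust every string over `alphabet` up to max_len, shortest first.
    Returns (password, guesses tried) or (None, guesses tried)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            tried += 1
            guess = "".join(combo)
            if md5_hex(guess) == target_hash:
                return guess, tried
    return None, tried


def crack(stolen, words):
    """Dictionary first (cheap, covers the common cases), brute force only for
    what is left: the ordering the article describes."""
    found = dictionary_attack(stolen, build_lookup(words))
    for user, h in stolen.items():
        if user not in found:
            guess, _ = brute_force(h)
            if guess is not None:
                found[user] = guess
    return found


if __name__ == "__main__":
    print(crack(STOLEN, WORDLIST))
    # Salting defeats the precomputed table: the same password with a per-user
    # salt prepended hashes to something the table has never seen.
    lookup = build_lookup(WORDLIST)
    print("salted password1 in table:", md5_hex("3f9a" + "password1") in lookup)
```

The two cracked accounts illustrate the two cost profiles: alice falls to a single dictionary lookup, bob to a few thousand hashes of brute force, and carol to neither. Swap MD5 for the slow salted hash shown earlier and the lookup table becomes useless while every brute-force guess costs hundreds of thousands of times more.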
Cracking passwords with custom wordlists
Just as dictionary attacks can be leaps and bounds more efficient than brute force attacks, adding customized wordlists can make things faster by tailoring the attack toward specific targets. If you know the target’s name, address, hobbies, birthday, family details and more, you can add all of this data into the software and incorporate it into the password combinations you are attempting. There are a range of tools that can do this, with one example being the Common User Passwords Profiler (CUPP).
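An added example (not from the article and not CUPP’s own code) of the profiling idea: given a few constructed facts about a target, it emits the stems, pairs, separators and suffixes that a targeted wordlist is built from. The profile and the combination rules are assumptions; real profilers apply many more transformations.

```python
import itertools

# Added example (not from the article and not CUPP's code): building a targeted
# wordlist from a handful of facts about the target, in the spirit of tools such
# as CUPP. The profile is constructed and the combination rules are an
# assumption; real profilers apply many more transformations.

PROFILE = {
    "first": "john", "last": "smith", "partner": "mary",
    "pet": "rex", "team": "yankees", "birth_year": "1985",
}
SEPARATORS = ["", "_", "."]
SUFFIXES = ["", "!", "1", "123", "2024"]


def base_tokens(profile):
    """Every profile value in plain, capitalised and reversed form; numeric
    values also contribute their last two digits (1985 -> 85)."""
    tokens = set()
    for value in profile.values():
        if value.isdigit():
            tokens.update({value, value[-2:]})
        else:
            tokens.update({value, value.capitalize(), value[::-1]})
    return sorted(tokens)


def generate_wordlist(profile, min_len=6, max_len=16):
    """Single tokens and ordered pairs of distinct tokens joined by a separator,
    each with an optional suffix, filtered to a plausible length range."""
    tokens = base_tokens(profile)
    stems = list(tokens)
    stems += [a + sep + b for a, b in itertools.permutations(tokens, 2)
              for sep in SEPARATORS]
    words = set()
    for stem in stems:
        for suffix in SUFFIXES:
            candidate = stem + suffix
            if min_len <= len(candidate) <= max_len:
                words.add(candidate)
    return sorted(words)


if __name__ == "__main__":
    words = generate_wordlist(PROFILE)
    print(len(words), "candidates, e.g.", words[:5], "...", words[-3:])
```

A few thousand candidates is nothing next to a full-keyspace search, yet a list like this contains Rex1985, john_smith! and yankees85, which is exactly the kind of password a person who does not use a generator tends to pick.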
Cracking passwords with password spraying
If an attacker has a list of usernames but no password hashes or plaintext passwords, they do still have one option to try and crack passwords. Password spraying involves attempting to crack the passwords of as many unique accounts as possible. It doesn’t have a particularly high rate of effectiveness, but it’s possible to launch these attacks at a massive scale, which can make up for it.
All a hacker has to do is try the most common passwords against as many accounts as possible. They may begin with attempts like password1 and 123456, and slowly work their way up to more complex passwords.
The genius thing about password spraying is that it involves relatively infrequent attempts against each account. If an attacker only tries two attempts, then waits a week before returning to that particular account, it’s less likely that they will trigger the security mechanisms that would lock them out.
Of course, if an attacker was only interested in targeting specific accounts, this technique would take far too long to be a viable option. However, if they are doing the same thing against tens or hundreds of thousands of accounts at a time, it won’t take too long until they come across some people who use horrendously simple passwords. It’s simply a numbers game, and over time, password spraying allows attackers to access accounts that are secured with poor passwords.
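Because spraying spreads a handful of guesses across many accounts, per-account lockout rarely catches it; the pattern shows up instead when one source fails against many distinct usernames with only one or two tries each. The following detector is an added example (not from the article) that runs over a few constructed log lines in an assumed `timestamp RESULT user=… src=…` format and flags sources matching that shape while leaving a classic single-account brute force to the lockout logic:

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article), one auth event per line.
# 203.0.113.7 sprays one guess at five accounts; 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T08:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T08:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T08:00:04 FAIL user=dave src=203.0.113.7
2024-03-01T08:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T08:01:00 FAIL user=alice src=198.51.100.9
2024-03-01T08:01:05 FAIL user=alice src=198.51.100.9
2024-03-01T08:01:10 FAIL user=alice src=198.51.100.9
2024-03-01T08:01:15 FAIL user=alice src=198.51.100.9
2024-03-01T08:01:20 FAIL user=alice src=198.51.100.9
2024-03-01T08:02:00 OK   user=frank src=192.0.2.44
"""

# Assumed line layout: "<timestamp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Turn raw log text into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def detect_spraying(events, min_accounts=4, max_per_account=2):
    """Return {src: [users]} for sources that failed against at least
    min_accounts distinct users with no more than max_per_account tries
    each. Many failures against ONE account is brute force, not spraying,
    and is deliberately left to per-account lockout."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for _ts, result, user, src in events:
        if result == "FAIL":
            fails[src][user] += 1
    flagged = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            flagged[src] = sorted(per_user)
    return flagged
```

In a real deployment the window over which failures are counted matters as much as the thresholds, since the article notes attackers may return to an account only after a week.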
How to defend against password cracking?
It’s best to consider password defense from both the perspective of the user and the developer. A user can follow all of the best practices, but these don’t do anything to keep them safe if the password is stored in plaintext. While there are a lot of steps that developers can take to minimize the risk of users adopting dangerous password practices, they can’t stop them from doing things like using the same password on another account.
As a user, you can take many steps to ensure that your accounts and your data are better protected. One of the first priorities is to set up complex, long and unique passwords for every single one of your accounts. Do not reuse your passwords, because this makes you vulnerable to credential stuffing.
As we discussed in the “The complexity of a password” section, it’s actually quite hard to remember truly complex, long and random passwords. Our brains just aren’t meant to remember a jumble of characters, especially when you consider that you probably have dozens of passwords.
These days, the best option is to adopt a password manager like KeePass or BitWarden. When you have a good password manager, all you have to do is remember one long passphrase as a master key to open up the password manager, and the password manager can both generate and store all of your other passwords. The process makes it simple and easy to keep safe.
Just make sure that your master key is complex enough, that you don’t forget your master key, and that you have backups of your database in multiple places. It may be helpful to either put your master key in your safe, or leave it in an envelope with someone you trust with your life.
One of the best tactics for adopting a safe master key is to throw together a few random words. They must be random, not a quote or a sentence, because the latter are far more predictable and easier to crack. A combination like responding appliance integrate dancer is a good starting point.
Another essential step for securing your accounts is to adopt two-factor authentication. This provides an extra line of defense that can help to save you if an attacker does manage to get your password. We already talked about SIM swapping, so SMS authentication is a bad idea. Instead, it’s best to go with app-based authentication like Duo, Google Authenticator or Aegis if you like open-source software. If you are really fancy, you can use a physical security token instead.
If you sign up to haveibeenpwned.com, you can get alerts for when your email or phone number has been involved in a data breach that has been reported to the website. This will let you know if you need to change your password. The site also has a feature that allows you to check how common your password is. The data you enter is immediately hashed with SHA-1 and your password is never stored. The website is also run by a renowned researcher called Troy Hunt, so the risk is relatively low.
However, you are still entering your password into a third-party website, so you have a right to be skeptical. Do so at your own risk. If you are hesitant to try out your password in the database, just ensure that you are using a long and randomly generated password instead.
If you suspect that your password may be compromised for other reasons, or you are notified directly by the service provider, you should also change your password. Apart from these situations, the current best practices no longer suggest that you need to change your password regularly, because regular changes tend to encourage the selection of poor passwords. If you have no reason to suspect your complex password has been compromised, leave it be.
One of the most important considerations for developers is to make sure that they are hashing passwords and not storing them as plaintext. If you don’t hash them, you are leaving your users vulnerable to having their accounts taken over. It doesn’t matter how secure you think your server is, you must be hashing your passwords before storing them, because it’s impossible to completely eliminate the chance of a hacker making their way into your systems.
Next up comes salting, which is a great way to make rainbow table attacks impractical. In short, a random value is added to every password before it is hashed. The effect is that the stored hash no longer corresponds to the bare password, so a precomputed table of common-password hashes is useless against it. If a user has a password like abc123, the addition of the salt changes the hash. Even if the attacker knows the hash for abc123, this gets them nowhere, because the salted hash is different from the hash of abc123 alone, and every user gets a different salt. The result is that rainbow table attacks are unfeasible. A library like bcrypt is one of the easiest and safest ways to implement this type of secure salting.
Another option is to implement a key derivation function like Argon2. Argon2 was the winner of the 2015 Password Hashing Competition. Among its abilities, it can stretch and strengthen passwords, which makes using rainbow tables impractical.
On top of this, developers can set up blacklists that forbid commonly used passwords. They can also require a minimum password length, and the longer the better. NIST no longer recommends frequent password changes unless compromise is suspected, so you don’t have to bother your users every month or two asking them to alter it.
Another important protection mechanism is to require two-factor authentication. This gives your users an extra layer of security, just in case their passwords end up in the hands of attackers. Once again, app or token-based 2FA is best, not SMS authentication.
How likely is it for your password to be cracked?
It’s hard to say exactly, and this will depend on what you consider “cracked”. If you have a complex password, then the chances of brute force or dictionary attacks ever succeeding against it are incredibly low. If we are talking about common passwords, or passwords that you use across multiple accounts, it’s not too unlikely that you will eventually become the victim of password spraying or a credential stuffing attack.
If we are talking about things like phishing or shoulder surfing, which don’t involve “cracking” your password, these types of attacks pose an even greater threat if you aren’t always vigilant about your security.
While the risks of having your password cracked or stolen are very real, the methods we mentioned go a long way toward minimizing them. Protection measures can seem boring or even pointless if you have never been attacked, but you will certainly learn to appreciate them if your neglect results in a hacker wreaking havoc on your life.