Hackers pose a significant threat to your online accounts and try to gain access to them in several ways, including “password cracking.” Password cracking involves several computational and non-conventional methods for bypassing the password authentication step. However, not all password-cracking tools or techniques are used for negative purposes.
This article discusses the top 11 password-cracking methods hackers use and explains how each one works.
Top 11 password cracking techniques – Quick list
- Malware: Unsuspecting users can download malware revealing their online activities and passwords.
- Phishing: The hacker “phishes” for private information using a disguised email or ad, which, once interacted with, installs password-stealing software.
- Offline cracking: Hackers can take hashed passwords, save and attempt to decipher them offline, which is safer for them.
- Social engineering: This move heavily relies on the user’s day-to-day predictability and capitalizes on common errors they might make.
- Dictionary attack: This method involves checking your password against a dictionary of commonly used phrases and leaked passwords to find a match.
- Shoulder surfing: Another social engineering method that involves simply looking over the user’s shoulders as they enter their password, unbeknownst to them.
- Brute force attack: Involves throwing everything at the walls and hoping one sticks. The hacker will continuously try random passwords until it works.
- Spidering: Like a spider’s web, this method involves tracing the user’s interactions and gathering relevant information that might inform the password choice.
- Mask attack: It lessens the work of guessing. The hacker feeds a tool the specific details they already know about the password, which narrows the search.
- Rainbow table attack: Using previously cracked passwords, the hacker can form a “rainbow table” to better unearth user passwords.
- Guessing: This is the least advanced method of password cracking; all it takes is for the hacker to know just enough to guess the password.
What is password cracking?
In simple terms, password cracking is retrieving passwords from a device or the data it transmits. Password cracking does not necessarily require complicated or high-tech methods. Hackers can recover passwords by trying all possible combinations in a simple brute-force attack.
For example, if your password is stored in plaintext, the hacker can simply hack the database and get all the information they need on your account. Luckily, passwords are no longer saved in plaintext format; they are instead stored as a “hash.” The hash version of a password is obtained by running the plaintext through a one-way hash function.
At the same time, it is pretty easy to crack hashed passwords. All it would take is a botnet or GPU to quickly try a series of passwords. This is why most password hash functions utilize key stretching algorithms, which increase the time and resources a brute force attack requires.
Hence, key stretching tools effectively protect your password against hackers. “Key stretching” and “salting” make it harder for hackers to recover your password.
Top 11 password cracking techniques used by hackers – Detailed list
Usually, hackers prefer the easiest password-cracking technique at their disposal, and the easiest is often a social engineering-based method like phishing.
Humans are arguably the weak link in their own password security. Hackers know this and rely on the user’s human error to gain access to their passwords. But if this easy method does not bear fruit, the hacker can opt for a different approach: more complex computational techniques.
Although the general idea is that passwords are the highest form of account security, this only sometimes translates to being the safest. The problem is worse if users choose a weak password, repeat passwords, or store them as plaintext online. With a password manager, you can better secure your passwords using second-factor authentication such as biometrics.
Now we must talk about the many password-cracking tools and how each exploits a specific flaw, human or otherwise, in the user’s online activity. Below is what a standard attack looks like:
- The password hashes are extracted.
- The hashes are then prepped for another cracking tool.
- The hacker will then choose a preferred cracking tool.
- The results of the cracking are assessed for success or failure.
- If the attempt fails, the attack is tweaked and run again.
While this is the basic shape of an attack with a password-cracking tool, not every attack follows it. Let’s take a closer look now at the top 11 password-cracking attack techniques below.
1. Malware
This password cracking method is often a part of another type of technique known as phishing, which we will expand upon later. It relies on the naivety of the user and is often effective.
Malware, as a password-cracking method, has two common types: screen scrapers and keyloggers. Screen scrapers take screenshots of your screen as you type and send them to the hackers. Keyloggers record your keystrokes and send the information to the hackers.
Those may be the most common, but there are quite a few other malware password-cracking tools. For example, a backdoor trojan can unlock the computer and grant the hacker complete access. This malware is often hidden behind “skip ad” or the wrong “download” buttons. Be careful not to click just any icon you see littered across your screen.
2. Phishing
Phishing is considered the most commonly used method of password cracking, and it entails tricking the user into clicking on a link or email attachment containing malware.
This method works by instilling a sense of urgency in the email recipient. The rest is easy once the user believes the email or link is time sensitive. When they click the link, the password-extracting software gets installed, or the user will be redirected to a clone website where their credentials will be stored.
Phishing has different forms, depending on the situation it is required for. The following are some of the common ones:
- Spear phishing: This one targets a specific individual and attempts to collect as many personal details as possible before the attack.
- Whaling phishing: In this instance, the hacker targets high-ranking or senior-ranking execs and utilizes company-specific information for the attack. This information can be a letter from a shareholder, a customer inquiry, or a complaint.
- Voice phishing: With voice phishing, the hacker sends a fake message from a financial institution, such as a bank, and asks the user to call a fake helpline to enter private information.
3. Offline cracking
Offline cracking is a “safer” option for hackers. It allows them to take the hashed passwords, go offline, and attempt to crack them more efficiently and, most importantly, “safely.”
The safety lies in the fact that online hacking is easily detectable and, thus, preventable. When hackers attempt to crack an account’s password online, they can trigger a lockout owing to too many attempts.
With offline cracking, the hacker is not hampered by visibility or vulnerability and can attempt the login an infinite number of times.
In practice, offline cracking involves taking hashed passwords straight from a database using SQL injection. The next logical outcome is administrator privileges; if the hacker gets this, that’s checkmate. We advise that users learn how to protect their sensitive files and folders.
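The lockout that stops online guessing, as an added example (not code from the original article). The threshold, window and lockout values are assumptions, and the login events are constructed sample data.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; tune them for your service.
MAX_FAILURES = 5        # failures tolerated inside the window
WINDOW_SECONDS = 300    # sliding window for counting failures
LOCKOUT_SECONDS = 900   # how long the account stays locked


class LoginThrottle:
    """Per-account sliding-window lockout for online login attempts."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock time

    def is_locked(self, account, now):
        return now < self._locked_until.get(account, 0)

    def record(self, account, success, now):
        """Register one attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(account, now):
            # Rejected before the password is even checked, so a correct
            # guess made during the lockout gains the attacker nothing.
            return "locked"
        if success:
            self._failures.pop(account, None)
            return "ok"
        window = self._failures[account]
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:   # drop stale failures
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            window.clear()
        return "failed"


def replay(events):
    """Run (timestamp, account, success) tuples through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.record(acct, ok, ts) for ts, acct, ok in events]


# Constructed sample events: (seconds, account, password_was_correct)
SAMPLE_EVENTS = [
    (0, "alice", False), (5, "bob", False), (10, "alice", False),
    (20, "alice", False), (30, "alice", False),
    (40, "alice", False),    # fifth failure in the window: account locks
    (50, "alice", True),     # correct password, but still locked out
    (400, "bob", False),     # bob's earlier failure has aged out
    (410, "bob", True),
    (941, "alice", True),    # lockout expired at t=940
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

None of this code runs when the hashes have already been copied out of the database, which is why the article calls offline cracking the safer option for the attacker.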
4. Social engineering
Social engineering is a technique that depends on user gullibility and does not always require sophisticated software or tech.
As technology advances and human naivety remains, social engineering techniques will continue to thrive. For instance, in 2019, hackers used AI and voice-altering software to successfully impersonate a business owner, fooling a CEO into transferring $243,000.
With technology of such magnitude at our disposal, it is anyone’s guess what the future holds, especially for cybersecurity. We fear that scams like the one mentioned earlier might become commonplace.
If users are not careful, these hackers often call to fish for information, engaging them about specific details that might feed the hacking process. The hackers may call posing as a Google agent or a bank representative, and while this does not require much software, it is surprisingly effective.
5. Dictionary attack
Dictionary attacks fall under the “brute force” techniques and are mostly used with other brute force techniques. The attack checks whether the user’s password is a commonly or frequently used phrase like “I love puppies” by running it against the dictionary. The dictionary will also contain leaked passwords from other accounts to help further narrow down what the actual password might be.
However, if users choose strong passwords made of phrases rather than a single word, the success of these attacks is greatly reduced. Even so, this does not rule out the use of brute force attacks.
We advise using a password generator and manager so your password options are much harder to decode. But if you do not have either, you can use a long phrase containing up to five words.
6. Shoulder surfing
This is a rather elementary form of password cracking. It is also a social engineering technique that relies on human error or vulnerability. With shoulder surfing, the hacker spies over the shoulders of unsuspecting users and memorizes their login details as they enter them. These details include ATM PINs, account passwords, and so on.
While it seems a technique limited to close proximity between the victim and the attacker, in practice, it isn’t. An attacker may even spy on you from a distance, such as via binoculars or video cameras, which also falls under shoulder surfing. That also means you need to remain careful when entering passcodes, passwords, or ATM PINs, even when you are apparently alone.
7. Brute force attack
A brute force attack is a last-ditch effort when all other password-cracking methods have failed. It involves trying every single possible combination till one of them works. This method is often time-consuming without the right information.
But with specific cracking tools, the hacker can reduce the time required to run all the possible combinations. These tools feed the user’s habits or fringe information into the system to further narrow the options.
The practice is known as “credential stuffing” and can help hackers retrieve your password much faster.
8. Spidering
Spidering is similar to credential stuffing and an element of the brute-force attack. It involves collecting relevant information about the unsuspecting victim, often a company. The assumption is that companies use familiar information from their brand when creating their passwords.
Spidering helps the hacker build a list that reduces the time needed to crack the password. Once the hacker, with the aid of the tool, completes the check on the company’s website, its social media, and other related sources, the list should look a little like this:
- Founder name – Jim Parsely
- Founder DOB – 1985 04 13
- Founder’s sister – Rita
- Founder’s other sister – Diana
- Company name – TubeStar
- Headquarters – California, USA
- Company mission – Bring the best-trending videos to users everywhere at the click of a button.
Now all that is left is to feed this information into a robust password-cracking tool, kick back, and see the results.
9. Mask attack
A mask attack dramatically lessens the workload involved in a brute force attack. It adds a part of the password the hacker may already know. For example, if the hacker can tell how long the password is, say nine characters, they can filter their attack parameters accordingly.
A mask attack is sophisticated and deadly if you are not adequately protected. The range of attack allows it to filter for specific words, special characters, specific number ranges, and just about any other detail the hacker can think up. If any of the required info is leaked, it can mean a complete breach.
10. Rainbow table attack
The rainbow table attack has almost the same functionality as a mask attack. However, the rainbow table excels at it. In this technique, the hacker has a store of previously cracked passwords along with common passwords. They are arranged in what is known as a rainbow table. This makes the password-cracking process much easier and more effective.
A rainbow table will most likely contain all the possible passwords, meaning the table would be worth hundreds of GBs of data. While bulky, this also means the rainbow table has a fairly inexhaustible supply of passwords for its cracking process. You can protect yourself against such kinds of attacks. However, you need a password management tool for salting and key stretching.
Salting is so effective that, if the salt is large enough (128 bits and above), two users can use the same password but have unique hashes. As a result, anyone attempting to crack either password would have a tough time doing so. “Key stretching” works differently: it aims to increase the time each hash takes, which greatly reduces the number of attempts the hacker can make within a given period.
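Salting and key stretching side by side with an unsalted fast hash, as an added example (not code from the original article). It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, the record format and the sample password are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # key-stretching work factor (assumed; tune to your hardware)
SALT_BYTES = 16        # 128-bit salt, the size mentioned above


def unsalted_sha256(password):
    """Weak baseline: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        derived = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(derived, bytes.fromhex(hash_hex))
    except (ValueError, OverflowError):      # malformed or tampered record
        return False


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was stretched with fewer iterations than current policy."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    pw = "correct horse battery staple"      # constructed sample password
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))   # identical to user A
    print("salted,   user A:", hash_password(pw))
    print("salted,   user B:", hash_password(pw))     # differs from user A
```

Because every record carries its own salt, a table of precomputed hashes is useless against it, and the iteration count multiplies the cost of every single guess.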
11. Guessing
This is the most bare-bones method of password cracking. It is also linked to spidering since it involves some form of data sourcing from established companies. It is such that the attacker may not need any advanced computational methods, just good old guessing.
You must make your passwords harder to guess by switching from lazy, monotonous, pathetic passwords. Below are a few common passwords that are easy to guess and crack:
- 123456789
- Password
- 123456
- 1q2w3e
- 12345678
- 12345
- Qwerty
- qwerty123
- 1234567890
- 111111
As a result, users must avoid memorable words and phrases in their passwords. These include names of pets, holiday vacation spots, lovers, siblings, etc.
How do Instagram passwords get cracked?
It is notably quite challenging to crack social media account passwords. Or at least that is what is reported. These platforms utilize hashing algorithms to change the users’ passwords into a unique series of random characters. While plaintext is much easier to crack, hashed passwords remain a formidable option.
If your Instagram account gets hacked, the chances that it was a failure on the part of the hashing algorithm are low. Instead, it would result from a plaintext password that was cracked via a brute force or dictionary attack. It could also be from a simple data breach on a different website. This is why you must avoid using the same password on multiple platforms.
Password cracking tools
We have discussed how hackers can crack user passwords; it’s time we talked about the tools that make this possible. Note that this is not meant to encourage you to use these tools for nefarious purposes, only to educate you on their functions, pros, and cons.
1. Cain and Abel
Cain and Abel is a popular password-cracking tool that, unlike most tools, uses a GUI. It is very user-friendly and available on Windows, unlike the competition. Its ease of use and availability on the most popular OS make it a go-to option for amateurs and enthusiasts.
It is a versatile tool that can execute multiple functions. It can analyze routing protocols, record VoIP, scan for wireless networks, act as a packet analyzer, and even retrieve MAC addresses for wireless networks. This tool works great if you already have the hash; it will then act as either a brute force or dictionary attack option. It can also display the passwords that are hidden behind asterisks.
2. THC Hydra
As the name suggests, THC Hydra is capable of supporting several protocols. And as such, if one fails, another quickly springs up to try again automatically. It is an open-source network login password-cracking tool that works with the following protocols:
- IMAP
- Oracle SID
- SOCKS5
- SSH
- MySQL
- SMTP
- Cisco AAA
- FTP
- Telnet
- HTTP-Proxy, and much more.
THC Hydra uses dictionary and brute force attacks, as well as word lists that other tools generate. It has impressive speed, which it owes to its multi-threaded combination testing. It is available on Linux, macOS, and Windows.
3. John the Ripper
John the Ripper is a free-to-use, command-based, open-source application. This password cracker tool supports macOS and Linux and has a third-party app for Android and Windows users known as Hash Suite.
Users of John the Ripper get access to a host of different cipher and hash types. These include:
- Database servers
- Unix, macOS, and Windows user passwords
- Encrypted private keys
- Web applications
- Documents
- Disks and filesystems
- Network traffic captures
- Archives
You can also access more OS options and hash types in the pro version. The pro version comes with native packages and extra features.
4. Hashcat
This tool is hailed as the world’s fastest password cracker; Hashcat is free-to-use and open-source software available on Linux, macOS, and Windows. It also employs several techniques ranging from brute-force attacks to hybrid masks with accompanying word lists.
Hashcat utilizes GPU and CPU and is capable of using them at the same time. The versatility and multi-tasking ability make it a formidable and fast tool. But its true standout feature is that it can decipher ChaCha20, 1Password, MD5, KeePass, Kerberos 5, SHA3-512, LastPass, PBKDF2, and many more. In total, it supports over 300 different hash types.
5. Ophcrack
Ophcrack is another open-source, free-to-use password-cracking tool ideally suited for rainbow table attacks. It works by cracking NTLM and LM hashes. LM addresses Windows XP and earlier, while NTLM addresses Windows Vista and 7.
NTLM is available to some extent on FreeBSD and Linux. LM and NTLM are insecure and easy to crack, often taking under 3 hours. To begin the cracking process, however, you need to acquire the hash first, and to do so, you need several different tools, including:
- Wireshark: Wireshark allows you to execute packet sniffing. The award-winning packet analyzer is used not just by hackers but also by business and governmental institutions.
- Mimikatz: Known as a password audit and recovery app, Mimikatz also works well for malicious hash retrieval. It can also extract plaintext passwords or PIN codes.
- Metasploit: This popular penetration testing framework is designed for security professionals. Hackers can also use Metasploit to retrieve password hashes.
What is a hashing algorithm?
A hashing algorithm is a one-way (uni-directional) function that converts plaintext passwords into a series of numbers, special characters, and letters. A hash is practically impossible to undo or reverse, but hackers could still retrieve the original plaintext with password-cracking software.
Fortunately, as hackers continue mastering the art of cracking hashing algorithms, more advanced hashes will be created to combat them. Some password hashing algorithms, which are now considered obsolete, include:
- SHA (Secure Hashing Algorithm)
- MD5 (Message Digest Algorithm 5)
One of the robust password-hashing algorithms today is BCRYPT.
How to create a strong password
Regardless of your password manager or memory, you must create a good password to prevent unwanted circumstances. To come up with a strong enough password, we recommend you use the following as a guide:
- Length: The length of your password is the most essential factor. It should not be too short.
- Letter and character combination: The greater the variety you employ, the more complex your passphrase will be, which in turn makes it harder to crack.
- Do not re-use: No matter how strong your password is, using it again when you change passwords can still leave you vulnerable.
- Make it hard: Do not use any word or phrase that can be easily associated with you in any way. No pets, no lovers, no siblings, none.
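A password check built from this guidance, as an added example (not code from the original article). It rejects the common passwords listed earlier and any password containing details like those in the spidering list; the minimum length, the substitution table and the function names are assumptions.

```python
import re

# The easy-to-guess passwords listed earlier in the article, lowercased.
COMMON_PASSWORDS = {
    "123456789", "password", "123456", "1q2w3e", "12345678",
    "12345", "qwerty", "qwerty123", "1234567890", "111111",
}
# Assumed character substitutions to undo before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12   # assumed minimum; the article only says "not too short"
MIN_TOKEN = 4     # ignore very short context tokens to limit false positives


def context_tokens(facts):
    """Split facts about a user or company into lowercase tokens worth matching."""
    tokens = set()
    for fact in facts:
        parts = re.findall(r"[a-z]+|\d+", fact.lower())
        parts.append("".join(p for p in parts if p.isdigit()))  # e.g. full DOB
        tokens.update(p for p in parts if len(p) >= MIN_TOKEN)
    return tokens


def check_password(password, facts=()):
    """Return a list of reasons to reject the password (empty list = accepted)."""
    reasons = []
    lowered = password.lower()
    letters = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    digits = re.sub(r"\D", "", password)
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in COMMON_PASSWORDS or any(
        word.isalpha() and word in letters for word in COMMON_PASSWORDS
    ):
        reasons.append("common password")
    hits = sorted(
        t for t in context_tokens(facts)
        if t in (digits if t.isdigit() else letters)
    )
    if hits:
        reasons.append("contains known detail: " + ", ".join(hits))
    return reasons


# Facts from the article's spidering example (a fictional company).
SPIDERED_FACTS = ["Jim Parsely", "1985 04 13", "Rita", "Diana",
                  "TubeStar", "California, USA"]

if __name__ == "__main__":
    for candidate in ("Qwerty", "P@ssw0rd2024!!", "TubeStar-1985-Rita",
                      "violet-anchor-mosaic-thirteen"):   # constructed samples
        print(candidate, "->", check_password(candidate, SPIDERED_FACTS) or "accepted")
```

Running the check at signup or password change, with facts taken from the user's own profile, blocks the choices that guessing and spidering depend on.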
Is password cracking illegal?
This isn’t a straightforward question, nor does it have a clear-cut answer. The password cracking tools are considered completely legal, as they can be used to test the vulnerability of your account or even help you recover a lost password. It can also aid law enforcement in retrieving passwords and gaining access to vital information in criminal cases.
However, in the hands of hackers, a password-cracking tool is used for evil. The hacker wishes to gain unauthorized access to your private data to steal, damage, or misuse said data. If caught, the hacker can be prosecuted and sentenced or fined.
Therefore, it is entirely illegal if the password-cracking tool is not used for authorized activity.
FAQs
Lengthy, complicated passwords with unique combinations are the hardest to crack. But they can be challenging to remember, so to keep them safe, use a password manager.
The main distinction between hackers and crackers is in their intention. Hackers hack with good intentions to beef up security and safeguard your data. At the same time, crackers intend to break or violate the system for illegal activity.