Date First Published: 12th November 2023
Topic: Cybersecurity
Subtopic: Threats To Systems, Data & Information
Article Type: Computer Terms & Definitions
Difficulty: Medium
Difficulty Level: 6/10
Learn about what password cracking is in this article.
Password cracking is the process of attempting to discover the correct passwords stored on a computer or a network. This is usually accomplished by guessing the password using an algorithm that enters password combinations until the correct password is discovered (brute-force attack). More common methods of password cracking, such as dictionary attacks, pattern checking, and word list substitution, try to reduce the number of attempts required.
The time it takes to crack a password depends on:
Even a simple password can take several days to crack, so this method of discovering passwords is usually very time-consuming.
Password cracking is most commonly done for malicious purposes, like gaining unauthorised access to a system or electronic account to steal sensitive information for identity theft and fraud. However, not all password cracking is malicious. A non-malicious form of password cracking can be done when a user has forgotten their password and is trying to recover it. Sometimes, system administrators might perform tests on password strength as a form of security to check that attackers cannot easily access accounts and systems.
To prevent passwords from being cracked by unauthorised users, choosing strong passwords is recommended. An extra layer of security, like two-factor authentication, is also recommended so that even if the password were successfully cracked, the attacker would not be able to gain access.
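The following added example (not part of the original article) shows a password-strength check of the kind an administrator might run when a user chooses a password: it rejects choices that the dictionary, pattern-checking and substitution methods described above would reach, and choices whose brute-force search space is too small. The wordlist, the substitution table and the 60-bit threshold are assumptions constructed for illustration.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a large list of leaked passwords.
COMMON_WORDS = {"password", "letmein", "dragon", "monkey", "qwerty", "sunshine"}

# Assumed substitution table: look-alike characters mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

SYMBOLS = string.punctuation + " "
MIN_BITS = 60  # assumed policy threshold, not a figure from the article


def candidate_roots(password):
    """Forms of the password reachable by dictionary, pattern and substitution rules."""
    lowered = password.lower()
    # Pattern checking: drop digit/symbol prefixes and suffixes such as "2023!".
    stripped = lowered.strip(string.digits + SYMBOLS)
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def brute_force_bits(password):
    """Size, in bits, of the search space made of the character classes in use."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit(password):
    """Return 'dictionary', 'brute-force' or 'ok' for a proposed password."""
    if candidate_roots(password) & COMMON_WORDS:
        return "dictionary"   # found without exhaustive search
    if brute_force_bits(password) < MIN_BITS:
        return "brute-force"  # search space too small
    return "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Dragon2023", "xk7q", "Tr4il-M1x-Gr3en-Kettle"):
        print(f"{pw!r}: {audit(pw)} ({brute_force_bits(pw):.0f} bits)")
```

A password such as "P@ssw0rd1!" mixes four character classes yet is still rejected, because undoing the substitutions and the trailing pattern leaves a dictionary word.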
A major password breach at Rockyou.com in December 2009 resulted in the release of 32 million passwords. Afterwards, the hacker exposed the complete list of 32 million passwords to the internet with no other identifiable information. Passwords were stored in plaintext and were extracted from the database using an SQL injection vulnerability.
A group calling itself "The Impact Team" stole Ashley Madison's user data in July 2015. Both the weaker MD5 hash and the more secure bcrypt method were used to hash a large number of passwords. Password cracking group CynoSure Prime was able to recover around 11 million plaintext passwords by exploiting the most recent algorithm.