Password Security, Part 1: The Dark Side of Passwords
The article examines password-cracking techniques and their impact on organizational security, analyzes common methods such as rainbow-table, brute-force and dictionary attacks, and stresses that weak and reused passwords are the main threat. 2025-9-2 16:11:35 Author: www.guidepointsecurity.com

A Deep Dive into Password Cracking Techniques

When it comes to securing almost anything in this digital age, passwords are often the first, and sometimes only, line of defense. Yet despite the ubiquity of passwords, password security for user authentication remains one of the weakest links in the security chain. Attackers have developed increasingly sophisticated techniques to crack passwords by exploiting both technological vulnerabilities and human behavior.

After several successful years as a professional penetration tester, I have come to find that nine times out of ten, I gain an initial foothold into an environment due to a weak password. Analyzing global trends associated with reported breaches over the past decade, roughly 40-60% of breaches involved stolen or reused credentials with a 72% jump in the past two years. A 2025 Verizon study found that 88% of breaches in web applications involved stolen credentials due to weak or reused passwords.

In part 1 of this two-part blog series, we will explore common techniques and highlight the weaknesses that allow these attacks to succeed at such an alarming rate. I invite you to join me on this journey into the technical core of password cracking.

Why Does Password Security Matter?

The first question most people tend to ask is “why does password security matter?” At the end of the day, a password is just one form of account protection, right? How important can it really be?

The truth of the matter is that within an internal environment, a password is often the only thing securing both standard and privileged user accounts. This makes passwords not only a viable target, but the preferred one. A malicious actor gaining access to a low-privileged user is bad enough. If that same threat actor gains access to a high-privileged user account (such as a domain administrator in an Active Directory environment), they can cripple the entire organization. A single compromised password can let them deploy ransomware across the environment, reset all user account passwords, crash domain controllers, and even delete key files and objects required for normal business operations. The result? Hundreds of thousands, and sometimes even millions of dollars in lost revenue – all from something as simple as a weak password.

Addressing Weak Passwords

While the thought of this type of loss can be overwhelming, let’s explore what we can do to prevent something like this from happening. We will go into greater detail on this topic in part 2 of this blog series, including password security remedies such as block-lists, password managers, and even testing your users’ password strength with a credential audit assessment from a skilled GuidePoint Security consultant.

More often than not, only a user knows their passwords. Something like a Credential Audit assessment will give you a bigger picture of the patterns used by employees, as well as the overall strength of password usage within your organization. At the end of the day, you are only as strong as your weakest link.

First, Understand Password Storage

Before diving into cracking methods that undermine password security, you must first understand how systems typically store passwords. Below are some common storage methods found in both personal and professional environments today.

  • Plaintext: The system saves passwords exactly as users enter them, with no encryption. This is rare and a clear sign of poor security.
  • Hashed: Cryptographic hash functions (e.g., SHA-256, bcrypt) obfuscate clear-text passwords prior to storage.
  • Salted Hashes: Each password gets a random string (salt) added before hashing to thwart precomputed attacks like rainbow tables.
  • Key-Stretching Algorithms: Functions like bcrypt, scrypt, and Argon2 increase computational cost to slow down brute-force attacks.

Organizations store passwords in many ways, but for the remainder of this blog we will focus on the most common method: NT hashes. Windows networks use the NTLM (New Technology LAN Manager) authentication protocol with NT hashes to authenticate users. Even though Kerberos has superseded this protocol, most environments still allow NTLM authentication as a primary method, or at the very least as a fallback for backwards compatibility.

Core Password Cracking Techniques

Rainbow Table Attack

Rainbow tables are precomputed tables of hashes for known passwords. While efficient, rainbow-table attacks require a large amount of disk space, and salting easily defeats them. They are nonetheless a common choice against NT hashes, because that format contains no salt. Essentially, hashing the password Welcome1 with the NT-hash algorithm will always produce the following NT hash: CF3A5525EE9414229E66279623ED5C58.

Since each password always maps to the same hash, searching a precomputed table of hashes recovers the passwords behind the supplied hash values. While this sounds like a fool-proof way to crack all NTLM hashes, the major limitation of the technique is the space needed to store the tables, since every password has its own hash. The technique has proven viable for passwords of nine characters or fewer: storing all possible eight-character passwords takes roughly 486 GB, and all possible nine-character passwords roughly 6.7 TB. Once you reach ten characters, however, the time-memory trade-off becomes too steep for this to remain a viable attack.

Hashcat does not support rainbow tables directly; tools such as OphCrack or Rainbow Crackalack enable these techniques.

As we continue diving into additional tactics, I want to take a moment to explain a few of the common Hashcat parameters that you will see throughout the example commands:

  • -m 1000: -m selects the hash mode in Hashcat, and 1000 is the mode for NTLM hashes (used in Windows)
  • hashes.txt: This is the file where the NTLM hashes to be cracked are stored.
  • wordlist.txt: This is the wordlist iterated through to crack the password.

Brute Force Attack

A brute-force attack systematically attempts every possible combination of characters until it finds the correct one. Below is a common Hashcat example that brute-forces 7-character passwords. This pattern covers all 95 printable ASCII characters found on standard English keyboards.

# hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a

Let’s examine this command:

  • -a 3: -a is the attack mode selection and 3 is the Mask attack mode (here every position is brute-forced)
  • ?a?a?a?a?a?a?a: Mask pattern to attempt all 7-character combinations.

An example of a password that would fit this password scheme is ApPl3s!. While it may look secure since it meets common password complexity requirements with upper-case and lower-case letters, a number, and a special symbol, this is still a weak password due to the length.

With current password-cracking capabilities and an AWS account, you can spin up a cloud device and crack all 7-character passwords in roughly fifteen minutes. Using a single instance, this attack costs only about six dollars to run. To further illustrate the point of password length, several organizations still to this day only require an 8-character minimum length for a password. Using the same single AWS device, you could crack every potential 8-character password in just over 23 hours, or less than one full day.

Dictionary Attacks

While brute-force attacks will crack the password 100% of the time, they are only effective for shorter passwords. Once the password length reaches nine characters, the efficacy of this type of attack degrades: it takes over three months to iterate through all possible character combinations. At 10 characters it becomes even more unreasonable, with a cracking time of roughly 23 years and 7 months using the single AWS device. And that’s not to mention that the key space causes an integer overflow error due to its sheer size.

Longer passwords are where the dictionary attack begins to show promise. A dictionary attack uses a list of common words or previously leaked passwords to test against hashed passwords. Below is an example of a dictionary attack:

# hashcat -m 1000 -a 0 hashes.txt wordlist.txt
  • -a 0: -a is the attack mode selection and 0 is for the straight mode

This attack is highly effective against users who choose predictable passwords. Because the attack doesn’t rely on brute-force methods, it greatly simplifies the attack and shortens the time to crack the password. Examples of passwords that would fall victim to this attack are Password1 or Welcome123. Dictionary attacks are extremely successful against simplistic, reused passwords and default passwords on factory-set devices. Strong password security, including password rotation and complexity policies, proves effective against dictionary attacks.

Hybrid Attacks

Now is where things get interesting. Hybrid attacks combine the efficiency of dictionary attacks with the breadth of brute force by appending or prepending characters to words.

# hashcat -m 1000 -a 6 hashes.txt wordlist.txt ?d?d
  • -a 6: -a is the attack mode selection and 6 is for the Dictionary + Mask attack mode
  • ?d?d: Appends two digits to each word (e.g., password would become password01)

This type of attack targets passwords like welcome12 or summer25, and comes in handy when you identify organizational patterns, such as the use of common words like the company name or a season.

Rules-based Attacks

Rules-based attacks are one of the most used and successful techniques. They leverage transformation rules to mutate dictionary words and mimic human password creation habits.

# hashcat -m 1000 -a 0 -r rules/best64.rule hashes.txt wordlist.txt
  • -a 0: -a is the attack mode selection and 0 is for the straight attack mode
  • -r rules/best64.rule: -r specifies a rule list and rules/best64.rule is the rule file used

This technique helps model real-world password creation habits in an automated way. By combining a solid wordlist with a great ruleset, I’ve used this technique to successfully crack many passwords throughout my career. This is my go-to technique and normally nets around 40-50% of an organization’s passwords cracked in roughly twenty-five minutes. I have personally created and fine-tuned my wordlist and ruleset over my career to achieve these numbers. And remember: if an ethical hacker is having this kind of success, so are the adversaries that we’re fighting against!
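An added example, not the post's own tooling, that implements a subset of hashcat's rule functions (the ones best64-style rules lean on) and the ?d?d hybrid expansion from the previous section, then uses them the way a defender would: as a filter that rejects a proposed password which is merely a mutation of a company name or a season. The base words and rule list are constructed.

```python
"""Added example (not from the original post): hashcat rule subset used as a password filter."""
from itertools import product
from string import digits


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line (subset of the functions seen in best64.rule)."""
    for op in rule.split():
        fn, arg = op[0], op[1:]
        if fn == ":":          # no-op: the word itself
            pass
        elif fn == "l":        # lowercase all
            word = word.lower()
        elif fn == "u":        # uppercase all
            word = word.upper()
        elif fn == "c":        # capitalize first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif fn == "r":        # reverse
            word = word[::-1]
        elif fn == "d":        # duplicate
            word = word * 2
        elif fn == "$":        # append one character
            word = word + arg
        elif fn == "^":        # prepend one character
            word = arg + word
        elif fn == "s":        # sXY: replace every X with Y
            word = word.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function: {op}")
    return word


def hybrid_candidates(word: str, mask_digits: int = 2):
    """-a 6 style: the word followed by every digit string of the given length (?d?d)."""
    for tail in product(digits, repeat=mask_digits):
        yield word + "".join(tail)


def is_blocked(candidate: str, base_words, rules) -> bool:
    """Reject a proposed password that is a rule or hybrid mutation of a base word."""
    for base in base_words:
        if any(apply_rule(base, r) == candidate for r in rules):
            return True
        if any(h == candidate for h in hybrid_candidates(base)):
            return True
    return False


# constructed sample: the company name and a season are the base words a policy should cover
BASE_WORDS = ["summer", "welcome", "acme"]
RULES = [":", "c", "c $1", "c $!", "c $2 $5", "c se3", "u", "r", "d", "$1 $2 $3"]
```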

Mask Attack

A mask attack is a powerful technique used to crack passwords based on a pattern or structure. Unlike brute-force attacks, which try every possible combination of characters, a mask attack narrows down the possibilities by defining specific character sets for each position in the password. Let’s look at a mask attack example below:

# hashcat -m 1000 -a 3 hashes.txt ?a?l?l?l?l?l?l?d?s
  • -a 3: -a is the attack mode selection and 3 is for the Mask attack mode
  • ?a?l?l?l?l?l?l?d?s: This is the mask, which will crack any 9-character password that fits this pattern. Let’s break the pattern down into its subcomponents:
  • ?a – All 95 printable ASCII characters
  • ?l – All lower-case letters a-z
  • ?d – All digits 0-9
  • ?s – All special characters such as ! or @

This will crack all passwords that align with this pattern such as Passwor4! or *apples7%.

A mask attack draws its power from the ability to save it in a file and run a series of patterns sequentially. This method proves useful when you know multiple password structures or when you work with a set of probable patterns for cracking. Hashcat will apply each mask in the file one by one, increasing the chances of cracking the password by efficiently testing various patterns. This technique also helps automate and organize the cracking process.

Mask attacks come in handy when analyzing previously cracked passwords. Attackers create masks based on identified patterns to see if any other users fall into the same password schema. This is where the human element of patterns comes into play, and weaknesses emerge due to similar password choices amongst co-workers.
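An added example (not from the original post) that does the keyspace arithmetic behind the brute-force timings and the 9-character mask shown above, and reduces already-audited passwords to their mask for the kind of pattern analysis just described. The 80 GH/s rate is an assumption back-derived from the post's 7- and 8-character timings; the sample passwords are constructed.

```python
"""Added example (not from the original post): mask keyspace arithmetic and pattern extraction."""
import string

# hashcat's built-in charsets and their sizes (?a is the 95 printable ASCII characters)
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}
RATE_HPS = 80e9  # assumed ~80 GH/s NTLM, the rate implied by the post's 7- and 8-char timings

def parse_mask(mask: str) -> list:
    """Split '?a?l?l?d' into ['?a', '?l', '?l', '?d'], rejecting malformed or unknown tokens."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError(f"malformed mask: {mask}")
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    unknown = [t for t in tokens if t not in CHARSETS]
    if unknown:
        raise ValueError(f"unsupported charset(s): {unknown}")
    return tokens

def keyspace(mask: str) -> int:
    """Number of candidates the mask expands to (product of per-position charset sizes)."""
    n = 1
    for tok in parse_mask(mask):
        n *= CHARSETS[tok]
    return n

def exhaust_seconds(mask: str, rate: float = RATE_HPS) -> float:
    """Time to try every candidate of the mask at the assumed hash rate."""
    return keyspace(mask) / rate

def exceeds_u64(mask: str) -> bool:
    """True when the keyspace no longer fits a 64-bit counter (the post's 10-char ?a case)."""
    return keyspace(mask) >= 2 ** 64

def password_to_mask(password: str) -> str:
    """Reduce an audited password to its structure so patterns across users become visible."""
    classes = {"?l": string.ascii_lowercase, "?u": string.ascii_uppercase,
               "?d": string.digits, "?s": string.punctuation + " "}
    out = []
    for ch in password:
        tok = next((t for t, chars in classes.items() if ch in chars), None)
        if tok is None:
            raise ValueError(f"non-ASCII character in {password!r}")
        out.append(tok)
    return "".join(out)

if __name__ == "__main__":  # constructed sample of already-audited passwords
    for pw in ("Passwor4!", "Summer25!", "welcome12"):
        m = password_to_mask(pw)
        print(f"{pw:12} {m:22} keyspace={keyspace(m):.3g} {exhaust_seconds(m) / 60:.1f} min")
    print("?a x 10 overflows a 64-bit counter:", exceeds_u64("?a" * 10))
```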

Conclusion

In our second part of this two-part blog series, we will dive into the dark side of passwords a little further as we analyze the human factor. We’ll also give guidance on bolstering your password security to prevent password hacking, and we’ll provide actionable steps you can take to safeguard your organization.

In the meantime, feel free to download our latest look into the state of Identity and Access Management to get an in-depth view of the impact of identity-based threats. 



Source: https://www.guidepointsecurity.com/blog/password-security-part-1/