Most people imagine a hacker sitting at a keyboard, manually typing guesses into a login box. The reality is far more mechanical. Modern password cracking is fully automated, runs at staggering speeds, and relies on years of leaked password data to make smarter guesses before it has to resort to exhaustive searching.
This article breaks down each major technique — what it is, how fast it operates, and which types of passwords it defeats fastest. By the end, the crack-time estimates shown in a tool like our Password Strength Analyzer will make a lot more sense.
Step zero: how attackers get password hashes in the first place
Before any cracking begins, the attacker needs something to crack. Websites rarely store passwords in plain text — they store a cryptographic hash. Cracking is the process of figuring out which original password produced a given hash.
Hashes end up in attacker hands through several routes:
- Data breaches: A company's database is exposed. Billions of hashed credentials from breaches at LinkedIn, RockYou, Adobe, Yahoo, and hundreds of others are now freely circulating on the internet.
- Phishing and malware: Some attacks capture plain-text passwords directly, before hashing even enters the picture — for example, a fake login page or a keylogger on the victim's device.
- Network interception: On poorly secured networks or with outdated protocols, password data can be captured in transit.
Why offline cracking is so dangerous
Once an attacker has the hash file, they crack passwords entirely on their own hardware — no login lockouts, no CAPTCHA, no rate limits. They can run billions of guesses per second without any interaction with the target service. This is why the offline scenarios in crack-time estimates are so much faster than the online scenario.
Brute force attacks
A brute force attack tries every possible combination of characters in sequence. Starting with "a", then "b", through "z", then "aa", "ab", and so on until every combination up to a given length has been tested.
The number of combinations grows exponentially with password length and character variety. A 6-character lowercase password has 26^6 = ~309 million combinations. A 10-character password using lowercase, uppercase, digits, and symbols has 95^10 = ~59 quadrillion combinations.
| Password length | Character set | Combinations | At 1 trillion/sec |
|---|---|---|---|
| 6 characters | Lowercase only | ~309 million | Instant |
| 8 characters | Lower + upper + digits | ~218 trillion | ~3.6 minutes |
| 10 characters | Lower + upper + digits | ~839 quadrillion | ~9.7 days |
| 12 characters | All printable ASCII | ~4.7 x 10^23 | ~15 million years |
Pure brute force is the method of last resort. It guarantees finding a password eventually but becomes computationally impractical above roughly 10-12 characters. Smarter methods are always tried first.
Dictionary attacks
Rather than trying every combination, a dictionary attack works from a list of words, phrases, and known passwords. The most important dictionary in use today is rockyou.txt — a list of 14 million real passwords leaked from the RockYou breach in 2009. It remains the starting point for almost every password cracking session because real humans keep choosing the same passwords.
Beyond rockyou.txt, attackers draw on:
- Language wordlists: Every word in the English dictionary (and many other languages), proper names, places, sports teams, pet names, and pop culture references.
- Compiled breach lists: Passwords extracted from hundreds of public data breaches — over 10 billion unique credentials are now in circulation.
- Target-specific wordlists: If an attacker knows something about the target (a company name, a birthday, a pet's name from social media), they build a custom list tailored to that person.
The uncomfortable truth about common passwords
Analysis of the RockYou breach found that nearly 50% of users chose passwords from names, dictionary words, or trivial patterns. The single most common password was "123456". Dictionary attacks exploit this predictability and can crack a huge share of real-world passwords in seconds — before any brute force is attempted.
Hybrid and rule-based attacks
People who know simple dictionary words are "weak" often try to strengthen them — adding a number at the end, capitalizing the first letter, or substituting letters with similar-looking symbols. Attackers know this too. Rule-based attacks apply thousands of transformation patterns to every word in a dictionary automatically.
Common rules tested against every dictionary word include:
- Capitalize the first letter:
Password - Append digits 0-9 or years:
password1,password2024 - Common letter-to-symbol substitutions:
p@ssw0rd - Append common suffixes:
password!,password#1 - Doubling the word:
passwordpassword - Reversing the word:
drowssap - Combining two words:
sunflowerblue
Tools like Hashcat — the most widely used password cracking tool — ship with hundreds of built-in rules and allow custom rule creation. A single dictionary of 10 million words, combined with a modest rule set of 1,000 transformations, produces 10 billion candidates to try. At GPU speeds, that takes minutes.
Why "P@ssw0rd" is not strong
Leet-speak substitutions (@ for a, 0 for o, 3 for e) are among the first transformations applied in any rule-based attack. A password that would take years to brute force might be cracked in seconds if it matches a known word plus a common transformation. Complexity theater — adding symbols and numbers predictably — does not meaningfully raise security.
Credential stuffing
Credential stuffing is technically different from cracking — it does not break a hash. Instead, it takes username-and-password pairs confirmed to work from a previous breach and tries them against other services. It exploits the single most dangerous habit in password security: reuse.
If you used the same password for a gaming forum in 2014 and for your email today, and that forum was breached, your email is now at risk — even if your email provider has perfect security. Automated tools retry full credential pairs against thousands of websites simultaneously. Detection is hard because each attempt uses valid credentials.
Credential stuffing at scale
Industry estimates consistently find that credential stuffing accounts for a significant portion of account takeover incidents. With over 10 billion unique credential pairs in circulation from past breaches, attackers have a massive ready-made starting point. Unique passwords for every account — enforced through a password manager — is the only effective defense.
Rainbow tables and why salts matter
A rainbow table is a precomputed lookup table mapping password hashes back to their original passwords. Instead of computing hashes during an attack, an attacker simply looks up the captured hash in the table for an instant result. For a simple hash like MD5, rainbow tables covering all passwords up to 8 characters can fit on a single external hard drive.
The defense is a salt — a random value unique to each user that is mixed into the password before hashing. Because every user has a different salt, a precomputed table built on unsalted hashes becomes useless. Salted hashes force the attacker to start from scratch for each target.
| Hashing approach | Salted? | Speed on GPU cluster | Rainbow table usable? |
|---|---|---|---|
| MD5 (unsalted) | No | 100+ billion/sec | Yes — instant lookup |
| SHA-1 (unsalted) | No | ~7 billion/sec | Yes |
| bcrypt (salted) | Yes | ~100,000/sec | No |
| Argon2 (salted) | Yes | Tens of thousands/sec | No |
Modern best-practice algorithms like bcrypt, scrypt, and Argon2 are intentionally slow and memory-intensive. Argon2 won the Password Hashing Competition in 2015 and is NIST-recommended. The deliberate slowness means even a dedicated GPU cluster tests only tens of thousands of candidates per second — compared to hundreds of billions for a naive hash — buying enormous time for a defender.
How fast is fast? The GPU reality
GPUs are designed for massive parallelism — exactly what password cracking needs. A single modern high-end GPU can test hundreds of millions to billions of hash candidates per second, depending on the algorithm. A cluster of 25 GPUs achieved 350 billion NTLM guesses per second as far back as 2012. Current GPU hardware is significantly more powerful.
To make this concrete, our Password Strength Analyzer models four distinct attack scenarios when calculating crack times:
Online attack (~1,000 guesses per second)
Rate-limited login pages where lockouts, CAPTCHAs, and delays apply. This is your protection on live services — but it is useless once hashes are stolen.
Offline with slow hash / bcrypt (~100 million guesses per second)
Attacker has the hash file but the site used a modern slow algorithm. Still orders of magnitude faster than online attacks.
Offline with fast hash / MD5/NTLM (~1 billion guesses per second)
Attacker has hashes from a system that used a naive fast hash. This is the scenario behind most publicly reported breach cracks.
GPU cluster (~1 trillion guesses per second)
A dedicated multi-GPU rig or cloud-based cracking cluster. This is what a well-resourced, targeted attacker can deploy in hours using commodity cloud computing.
At 1 trillion guesses per second against a fast hash, an 8-character password mixing all character types falls in under 6 hours. A 12-character password with the same variety would take millions of years under the same conditions. Length matters more than complexity. Each additional character multiplies the search space by the size of your character set.
What actually stops crackers
Understanding the attack methods makes the effective defenses obvious.
Length above all else
Every additional character you add multiplies the number of combinations an attacker must try. A 16-character password built from random words is computationally out of reach even for well-resourced attackers under any realistic scenario. Aim for at least 12-16 characters for important accounts, and longer for your password manager master password.
True randomness, not predictable patterns
Rule-based attacks defeat predictable patterns. "Replacing" an 'a' with '@' or adding '1' at the end does not defeat any modern dictionary-plus-rules attack. Genuinely random passwords — or random passphrases — have no structure for rule-based analysis to exploit.
A unique password for every account
Credential stuffing attacks are entirely defeated by uniqueness. If your password for one site is leaked and every other password is different, the leaked credential is useless elsewhere. A password manager makes unique random passwords practical — you only need to remember one strong master password.
Two-factor authentication as the last line
Even a cracked password cannot access an account protected with a hardware security key or authenticator app. 2FA means a stolen or cracked password alone is not enough to cause harm. For critical accounts, consider 2FA non-negotiable regardless of how strong your password is.
Your cracking-resistant password checklist
- At least 12 characters — 16+ for important accounts
- Generated randomly (by a password manager or dice-based passphrase)
- Never used before, unique to this one account
- Does not contain your name, date of birth, or any personal information
- Protected by 2FA on any account that supports it
Conclusion
Password cracking is not a mystery. It is an assembly line — attackers start with known passwords from breach lists, apply thousands of transformation rules, and only resort to full brute force as a last step. The attack scenarios your password faces are well-understood, and so are the defenses.
Length and randomness together make brute force impractical. Uniqueness defeats credential stuffing. Two-factor authentication covers the gap when a password is compromised. None of these habits are inconvenient when combined with a good password manager.
See how your password holds up against all four attack scenarios. Our free analyzer calculates crack times for online attacks, offline fast and slow hashes, GPU clusters, and quantum threat levels — instantly, with no data sent to any server. Open Password Analyzer
