Password Cracking Is Easy: Here’s How to Do It

For less than $50, someone can crack the average password.

Cracking most passwords is easier than you might think. By the time you're done with this article, you'll know how it's done and will probably have all the knowledge and tools you need to crack passwords yourself. I'm not saying this to encourage you to try; it's a warning, meant to show how simple it is to crack a weak password and therefore why a strong one matters.

A computer that can crack an 8-character password in 4.2 hours would need 5.7 trillion years to crack a 16-character one.

When it comes to preserving your privacy and identity on the Internet, passwords are the most common form of protection. They are so common that most of us take their importance for granted. Every website we visit and every service we sign up for requires a password as a form of identity verification.

But few people take passwords seriously. As a result, many of the Internet's passwords are 8 characters long and stored as unsalted MD5 hashes (if you don't know what that means, don't worry; I go into detail later in this article), which someone willing to spend about $50 on rented hardware can crack. With such a threat to your current or future self, it's time to take password creation more seriously.

Brute Forcing Passwords

Brute-forcing, put simply, is a method of password cracking in which the attacker tries every possible password within a set of parameters. For example, a website might require passwords to be between 8 and 16 characters. In the simplest model, the cracker begins with 00000000, then tries 00000001, 00000002, 00000003, and so on, until it has tried every possible combination of allowable characters.

That's a lot of combinations. The graph below illustrates the most common password lengths, based on an analysis of over 320 million hashed passwords.

Source: Statista — From an analysis of 320 million hashed passwords

The most common length is 8: _ _ _ _ _ _ _ _. Each position can be:

  1. a lowercase letter (26 possibilities)
  2. an uppercase letter (26 possibilities)
  3. a digit (10 possibilities, 0 through 9)
  4. a punctuation mark or other special character (33 possibilities)

This great answer on Stack Overflow breaks down the math. The four classes together make up the 95 printable ASCII characters, so if every position may hold any of them there are 95^8 = 6,634,204,312,890,625 possible 8-character passwords. If the site's policy requires at least one character from each of the four classes, the count drops to 3,025,989,069,143,040, or approximately 3 quadrillion; that is the figure used in the rest of this article, and each one is a separate attempt.

Brute forcing an 8-character password in the most basic way may require 3 quadrillion attempts.

How Brute Forcing Works

You might be imagining this: someone wrote a program that goes to a website you frequent, types in your username, types in a password attempt, and hits the login button. Then it does this 3 quadrillion more times.

No, that's not how it works. Assuming the website takes 2 seconds to respond, that's 2 seconds of waiting for a "password incorrect" page per attempt. In other words, it would take roughly 6 quadrillion seconds, or about 190 million years, and that assumes the website doesn't rate-limit or lock the account after a handful of failed attempts, which any reasonable site does.

In reality, the attack starts with your username and password being exposed in a data breach (which happens more often than you think). The exposed password can take one of two forms:

  1. In a very insecure scenario, your password is not hashed and is stored in plaintext. Anyone reading the dump needs to do nothing but copy and paste it. For example, if your password is password1, it shows up as password1 for anyone viewing the contents of the breach. No cracking is needed; the website already handed over your information on a silver platter.
  2. In a more secure scenario, your password is hashed rather than stored in plaintext. For example, if your password is password1, it shows up as 0b14d501a594442a01c6859541bcb3e8164d183d32937b851835442f69d5c94e if the website hashed it with SHA-256 (and no salt, which is the case this article considers).

If you don't know what hashing is, I go into it in more detail in the next section. If you're familiar with it, skip ahead to How Brute Forcing Works (Continued), which picks up where this section leaves off.

A Briefer on Hashing

Here's what hashing is on a basic level: a hash function takes input of any length (numbers, letters, special characters) and transforms it into a fixed-length, unintelligible string of letters and digits. You can try a SHA-256 hash generator on this website. Try a few things:

  • type the same word in all lowercase and then in all uppercase. The hashes are different, because every bit of the input matters: hashes are case-sensitive.
  • type a bunch of random characters as quickly as possible. The hash updates in virtually real time (indistinguishable to the human eye). General-purpose hash functions like SHA-256 are designed to be fast, which is a virtue for checksums and signatures but, as the next section shows, a liability when the hash is protecting passwords.
  • type a word (remember, it's case-sensitive), delete it, and type it again. The hash is the same both times, because hashing is deterministic: the same input always gives the same output. In practice no two inputs you will ever meet share a hash (collisions exist in principle, but finding one for SHA-256 is computationally infeasible).
  • type a word, copy the resulting hash, and paste that hash into the input box. A new hash is generated, because you can't "unhash" a hash. It's a one-way road: someone holding a hash cannot recover the original input except by guessing candidates and hashing them.
  • the link you clicked has the hashing algorithm set to SHA-256. Click MD5 (under the Hash section on the right side of the website) and type the same word. The MD5 result is shorter than the SHA-256 result because a SHA-256 digest is 256 bits long (64 hex characters), while an MD5 digest is 128 bits (32 hex characters).

Different hashing algorithms suit different use cases. MD5 is faster than SHA-256, and SHA-256 is the cryptographically stronger of the two (MD5's collision resistance has been broken for years). For storing passwords, however, neither is adequate on its own: both are designed to be fast, and fast is exactly what an attacker wants. Purpose-built password hashes such as bcrypt, scrypt, Argon2, or PBKDF2 add two things a bare hash lacks: a random per-user salt, so identical passwords don't produce identical hashes and precomputed tables are useless, and a tunable work factor that makes every guess deliberately expensive. Hardware keeps getting faster (CPUs, GPUs, ASICs, perhaps quantum computers in the future), which is why that work factor is adjustable and should be raised over time.

The speed at which a password can be cracked therefore depends on the cost of the algorithm, not the length of its output. A password hashed with SHA-256 is somewhat safer than one hashed with MD5, but only by a small constant: on the same GPUs, SHA-256 is a few times slower than MD5, whereas bcrypt at a typical cost factor is millions of times slower.
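To make that difference concrete, here is an added example (written for this article, not code from the original) that contrasts the bare hash the leaky sites in this article use with a salted hash and with a deliberately slow, salted key-derivation function. It uses only Python's standard library. The record layouts (sha256$salt$hash and pbkdf2_sha256$iterations$salt$key) are an assumption for illustration, not any particular site's storage format; the SHA-256 of password1 is the value quoted earlier in the article.

```python
"""Bare hash vs salted hash vs slow KDF for password storage (added example)."""
import hashlib
import hmac
import os
from typing import Optional


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_bits(hex_digest: str) -> int:
    """Each hex character carries 4 bits: 64 hex chars = 256 bits, 32 = 128."""
    return len(hex_digest) * 4


# 1. What the sites in this article do: one bare hash per user.
#    Two users with the same password get the same hash, and a lookup table
#    built once cracks every user who chose that password.
def store_unsalted(password: str) -> str:
    return sha256_hex(password)


# 2. Salted: a random per-user value is mixed in and stored beside the hash.
#    Same password, different users, different hashes, so precomputed tables
#    are useless and each guess has to be re-hashed per account.
#    Record layout "sha256$<salt hex>$<digest>" is assumed for this example.
def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify_salted(password: str, record: str) -> bool:
    _, salt_hex, expected = record.split("$")
    actual = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


# 3. Salted *and* slow: PBKDF2-HMAC-SHA256 repeats the hash `iterations` times,
#    so a rig doing R raw hashes per second manages only R / iterations password
#    guesses per second. 600,000 iterations follows OWASP's current guidance.
#    Record layout "pbkdf2_sha256$<iterations>$<salt hex>$<key hex>" is assumed here.
def store_pbkdf2(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _, iterations, salt_hex, expected = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), expected)


if __name__ == "__main__":
    pw = "password1"
    print("unsalted SHA-256 :", store_unsalted(pw))   # identical for every user
    print("salted, user A   :", store_salted(pw))
    print("salted, user B   :", store_salted(pw))     # differs from user A
    rec = store_pbkdf2(pw)
    print("pbkdf2           :", rec)
    print("verify ok / bad  :", verify_pbkdf2(pw, rec), verify_pbkdf2("Password1", rec))
```

Run it twice and the unsalted line never changes while the salted lines always do; that is the whole point of the salt. The comparisons use hmac.compare_digest rather than == so that a verification routine doesn't leak timing information about how many leading bytes of a guess were right.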

Unfortunately, much of the Internet isn't even up to SHA-256, let alone a purpose-built password hash. An article published by ZDNet in mid-2019 claimed that 25% of major CMSs still use MD5-based hashing. For those unfamiliar, a CMS (Content Management System) is the software a large share of websites use to run and manage their front end and back end. Popular ones include WordPress and SugarCRM. To give you a sense of their reach, a study published by W3Techs in 2018 claimed that 30% of websites are powered by WordPress, and WordPress is one of the CMSs that store passwords with an MD5-based scheme (its phpass "portable" format salts the password and iterates MD5 several thousand times, which is slower than a single MD5 but still far cheaper to attack than bcrypt or Argon2).

While storing MD5-hashed passwords is better than storing them in plaintext, it isn't much better. It's the difference between living on the side of a road and living on the side of a road with a tent. Benchmarks on a rig with 8 NVIDIA 1080 Ti graphics cards show Hashcat running MD5 at about 200 giga-hashes per second, i.e. 200,000,000,000 guesses per second, or 720 trillion per hour. Recall the hash generator you played with earlier: the rig does exactly what you were doing, typing in candidate words and looking at the resulting hashes, only far faster, and it checks each result against every hash in the leaked list at once, because without a salt every user who picked the same password has the same hash. Against the 3 quadrillion combinations, the 8-GPU rig exhausts the entire 8-character space in about 4.2 hours, so any single password falls in 4.2 hours at most and in about half that on average.

How Brute Forcing Works (Continued)

After obtaining the data from the breach, the attacker can start cracking. For a very simple example of what the contents of a data breach may look like, take a look at this Pastebin I found just by Googling "Pastebin md5 hash." Each line holds an email address and the MD5 hash of the password, separated by a colon.

Source: Pastebin (I have censored the screenshot to preserve the privacy of these accounts, but the Pastebin contains the full text.)

From here, the attacker needs two things:

  1. A program that generates candidate passwords, hashes each one, and compares the result against the hashes in the list to recover the passwords.
  2. Hardware fast enough, and cheap enough, to do that in a short time without the cost exceeding whatever the cracked passwords are worth.

The first part is easy. Free, open-source tools such as Hashcat and John the Ripper do exactly this. The second part, obtaining the hardware, may sound more complicated, but cloud providers rent GPUs by the hour, so the parts can be sourced quickly and cheaply.

Recall from the last paragraph of the A Briefer on Hashing section that an 8-GPU rig can exhaust the 8-character space for an unsalted MD5 hash in about 4 hours by guessing alone. On the one hand, eight 1080 Ti GPUs sounds expensive, since those cards are fairly high-end. On the other hand, with cloud computing you can rent comparable GPUs by the hour for far less.

For example, on Amazon AWS you can get a p3.2xlarge instance, a machine with one NVIDIA V100 (a datacenter GPU at least as fast as a 1080 Ti for this kind of hashing), for $3.06 per hour on-demand. Eight of those cost $24.48 per hour, and running them for 5 hours costs $122.40. Give it some wiggle room and round up to $150. This is a very basic estimate based on standard pricing; alternative ways of obtaining the resources are cheaper still. For example, with AWS Spot Pricing the p3.2xlarge drops from $3.06 to about $1.04 at the time of writing, which brings the cost of recovering the same password from $122.40 down to $41.60. For less than $50, someone can crack the average 8-character, unsalted-MD5 password using open-source tools that automate the guessing. And it gets even easier, because human passwords are predictable.

Predictable Passwords Give Method to the Madness

From the microcosm of our everyday lives, we think we are somehow unique, and that everything we do and create is unique. Unfortunately, that's not true, at least not when it comes to passwords. Human-chosen passwords are embarrassingly predictable because our brains aren't built like computer chips: we store and recall patterns far more easily than random strings, so that is what we choose.

Source: Unmasked — What 10 million passwords reveal about the people who choose them

A while back, WP Engine published an article on password security based on an analysis of over 10 million leaked passwords. The most common password in that study was 123456, followed by password, 12345678, qwerty, 123456789, and 12345. The article carries no publication date, but the kinds of passwords in it hint that it may be a bit dated; nowadays most sites require a mix of letters, numbers, and sometimes symbols.

That said, the patterns in the top six are alarming. Four of the six are just sequences of digits, one is literally the word password, and qwerty is just running your fingers along the keyboard. Figure 1 shows the most common digit that ends a password: 1 ranks first by a long shot, accounting for 23.84% of all passwords that end in a digit. So much for great minds thinking alike; our passwords are basically all the same. Even former U.S. President Barack Obama admitted to using passwords like 1234567 and password.

With this predictability in mind, brute-forcing gets much easier, because the attacker can start with the most common passwords and their variations instead of random strings. In fact, the most common passwords are effectively pre-cracked: their hashes are already stored somewhere, locally or in some Pastebin. With such a table, brute-forcing isn't even necessary. The attacker just needs to CTRL+F and see whether any hash in the compromised list matches one already in the table. Recall that a hash is deterministic, so any match is a revealed password. This precomputation is exactly what a salt defeats: with a random per-user salt mixed into each hash, the same password no longer produces the same hash, and a table built in advance is useless.

Different variations can also be prioritized. For example, before falling back to a full brute force over random characters, an attacker might try the word password followed by a few digits, say 0 through 999, so it would look like password_ _ _. Hashcat calls this a mask attack, and its rules engine generates the capitalization and suffix variants of wordlist entries in the same spirit.
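The following added example (written for this article, not taken from Hashcat or John the Ripper) runs the three steps above on a toy scale, in the order a cracker runs them: a precomputed lookup table of the most common passwords (the CTRL+F step), then wordlist-plus-rules candidates, then a mask of password followed by three digits. The email:md5 dump is constructed from known plaintexts so the example runs offline; the addresses, the placeholder hash for grace, and the mangling rules are invented for illustration, and the six-word list is the top six from the WP Engine study quoted above.

```python
"""Offline cracking of an unsalted email:md5 dump, on a toy scale (added example)."""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List, Tuple


def md5_hex(candidate: str) -> str:
    """Raw, unsalted MD5, as stored by the leaky site in this scenario."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


# Constructed dump in the email:md5 layout of the Pastebin above. The plaintexts
# are known here only so the example can be built offline and verified; a real
# dump contains only the hashes. Addresses are invented.
_CONSTRUCTED_PLAINTEXTS = {
    "alice@example.com": "123456",
    "bob@example.com": "Password1",
    "carol@example.com": "qwerty",
    "dave@example.com": "password042",
    "erin@example.com": "password",    # erin and frank chose the same password,
    "frank@example.com": "password",   # so without a salt their hashes are identical
}
DUMP_LINES: List[str] = [f"{email}:{md5_hex(pw)}" for email, pw in _CONSTRUCTED_PLAINTEXTS.items()]
# Placeholder hash that no candidate below produces: stands in for a long random password.
DUMP_LINES.append("grace@example.com:ffffffffffffffffffffffffffffffff")

# The six most common passwords from the WP Engine study cited above.
TOP_PASSWORDS: List[str] = ["123456", "password", "12345678", "qwerty", "123456789", "12345"]


def parse_dump(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group accounts by hash so one successful guess claims every account sharing it."""
    by_hash: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if ":" not in line:
            continue
        email, digest = line.rsplit(":", 1)
        by_hash.setdefault(digest.lower(), []).append(email)
    return by_hash


def rule_candidates(word: str) -> Iterator[str]:
    """Cheap mangling rules of the kind Hashcat and John apply to wordlist entries."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for digit in "0123456789":
            yield base + digit
        yield base + "123"
        yield base + "!"


def mask_candidates(prefix: str, digits: int) -> Iterator[str]:
    """Mask attack: a fixed prefix followed by every digit string of the given length."""
    for tail in itertools.product("0123456789", repeat=digits):
        yield prefix + "".join(tail)


def crack(dump_lines: Iterable[str], wordlist: List[str],
          mask_prefix: str = "password", mask_digits: int = 3) -> Tuple[Dict[str, str], List[str], int]:
    """Return (email -> recovered password, still-uncracked emails, hashes computed)."""
    targets = parse_dump(dump_lines)
    cracked: Dict[str, str] = {}
    attempts = 0

    def claim(digest: str, plaintext: str) -> None:
        for email in targets.pop(digest, []):
            cracked[email] = plaintext

    # Phase 1: the "CTRL+F" step. Hash each common password once and look the
    # dump's hashes up in that table; the cost does not grow with the dump size.
    table = {md5_hex(w): w for w in wordlist}
    attempts += len(table)
    for digest in list(targets):
        if digest in table:
            claim(digest, table[digest])

    # Phase 2: wordlist plus mangling rules (Password1, qwerty123, ...).
    for word in wordlist:
        for cand in rule_candidates(word):
            if not targets:
                break
            attempts += 1
            claim(md5_hex(cand), cand)

    # Phase 3: mask password000 .. password999.
    for cand in mask_candidates(mask_prefix, mask_digits):
        if not targets:
            break
        attempts += 1
        claim(md5_hex(cand), cand)

    uncracked = sorted(email for emails in targets.values() for email in emails)
    return cracked, uncracked, attempts


if __name__ == "__main__":
    found, missed, tries = crack(DUMP_LINES, TOP_PASSWORDS)
    for email, pw in sorted(found.items()):
        print(f"{email:20} {pw}")
    print(f"uncracked: {missed}  after {tries} hash computations")
```

Six of the seven accounts fall in well under 1,200 hash computations, a millisecond of work; only grace, whose placeholder stands for a long random password, survives all three phases. A GPU rig runs the same logic at hundreds of billions of candidates per second, and because the hashes are unsalted, erin and frank are claimed by a single guess.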

Improve Your Password Security

At the very least, make your password longer. With 8 characters there are about 3 quadrillion possible passwords. Adding a single character multiplies that by roughly 100, so an attacker needs about 100 times the resources to justify the attempt. At 16 characters there are 36,079,602,200,334,571,635,466,603,985,857 possible combinations, about 36 nonillion, or roughly 11.9 quadrillion times as many as with 8 characters. That would take the 8-GPU rig about 5.7 trillion years to exhaust, compared with 4.2 hours for 8 characters. One caveat: these figures assume every character is chosen uniformly at random. A 16-character password built from a couple of dictionary words, a name, or a date is attacked with wordlists and rules, not exhaustive search, and falls far sooner; length only helps if the content is unpredictable too.
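The figures in this section and in the Brute Forcing Passwords section above come out of a short calculation, which this added example (not code from the original article) carries out. The 95-character alphabet and the 200 GH/s rate are the article's own numbers; the four-word passphrase drawn from a 10,000-word dictionary is an assumed case to illustrate the caveat about predictable content. The 3,025,989,069,143,040 figure is reproduced exactly as the number of 8-character passwords that contain at least one character from each of the four classes.

```python
"""Keyspace sizes and exhaustive-search times for the article's scenario (added example)."""
from itertools import combinations
from typing import Dict, Sequence

# Printable-ASCII classes as the article counts them: 26 + 26 + 10 + 33 = 95.
CLASSES: Dict[str, int] = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
RIG_RATE = 200e9                       # the article's 8 x 1080 Ti MD5 figure, hashes/second
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def unrestricted_keyspace(length: int, classes: Dict[str, int] = CLASSES) -> int:
    """Any of the 95 characters in every position: 95 ** length."""
    return sum(classes.values()) ** length


def policy_keyspace(length: int, classes: Dict[str, int] = CLASSES) -> int:
    """Passwords of `length` containing at least one character from every class.

    Inclusion-exclusion over the classes: count all strings over the union
    alphabet, subtract those missing one class, add back those missing two,
    and so on. For length 8 this gives the article's 3,025,989,069,143,040.
    """
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(range(len(sizes)), k):
            remaining = sum(s for i, s in enumerate(sizes) if i not in excluded)
            total += (-1) ** k * remaining ** length
    return total


def dictionary_keyspace(words: int, dictionary_size: int) -> int:
    """Passphrase of `words` entries drawn from a list of `dictionary_size` words.

    An attacker who models how the password was built searches this space,
    not 95 ** len: long but predictable content does not earn the 95 ** len figure.
    """
    return dictionary_size ** words


def hours_to_exhaust(keyspace: int, hashes_per_second: float = RIG_RATE) -> float:
    """Wall-clock hours to try every candidate once against an unsalted hash."""
    return keyspace / hashes_per_second / 3600


def years_to_exhaust(keyspace: int, hashes_per_second: float = RIG_RATE) -> float:
    return keyspace / hashes_per_second / SECONDS_PER_YEAR


def summary(lengths: Sequence[int], hashes_per_second: float = RIG_RATE) -> Dict[int, Dict[str, float]]:
    """Policy keyspace and exhaustive-search time for each requested length."""
    return {
        n: {
            "keyspace": policy_keyspace(n),
            "hours": hours_to_exhaust(policy_keyspace(n), hashes_per_second),
            "years": years_to_exhaust(policy_keyspace(n), hashes_per_second),
        }
        for n in lengths
    }


if __name__ == "__main__":
    for n, row in summary([8, 9, 12, 16]).items():
        print(f"{n:>2} chars: {row['keyspace']:.3e} candidates, "
              f"{row['hours']:.1f} h, {row['years']:.3g} years")
    phrase = dictionary_keyspace(4, 10_000)   # assumed: 4 words from a 10,000-word list
    print(f"4 dictionary words: {phrase:.3e} candidates, {hours_to_exhaust(phrase):.1f} h")
```

The passphrase line is the caveat in numbers: four words from a 10,000-word list is a 27-character string on average, yet it is only 10^16 candidates, about 14 hours for the same rig, because the attacker enumerates word combinations rather than characters. The whole calculation also assumes the hash is unsalted and fast; a per-user salt forces the work to be repeated per account, and a slow KDF divides the rate by its iteration count.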

Use Two-Factor (2FA) Authentication

Two-factor authentication protects you even when your password is compromised: someone who has your password still cannot log in without the second factor, typically a one-time code. Ideally, use an authenticator app such as Google Authenticator or Authy, which works very differently from text-message 2FA. Without going into too much detail, SMS 2FA is the weak option: breach dumps often include phone numbers alongside usernames, emails, and passwords, and with your phone number an attacker can attempt a SIM swap (convincing your carrier to move your number to a SIM they control), after which the codes meant for your phone arrive on theirs.

Use a Password Manager

There's one thing I dislike about password managers: the more you use them, the more vendor lock-in you have. For example, if you let Google Chrome generate and save a password, that password is available in Chrome but not when you open the same site in Microsoft Edge or Mozilla Firefox. Worse, each password is unique and randomly generated per site, which means you are unlikely to remember any of them. But that's precisely the good part: a manager produces passwords far stronger than anything you could memorize, and a different one for every site, so a breach at one site doesn't expose your other accounts. Dedicated managers with extensions for every major browser, and an export function, keep the lock-in manageable.

Check If You’re Already Compromised

It's unlikely that an attacker will guess your password through login attempts on a website; by the time they try to log in, chances are they already have it. A good way to check whether your username, password, or other information has been leaked is to enter your email address(es) on HaveIBeenPwned. That site aggregates data breaches and lets you search them by email. It's a free service that can also alert you by email whenever one of your addresses turns up in a new breach. If you're notified, change the password on the compromised account immediately, and on any other account where you reused it.
