How to Crack a Password

How to Crack a Password


For some reason, whenever people find out that I’m a programmer, the first question I usually get asked is ‘So can you hack a password?’ Programming and password hacking are two different skills but I figured if it intrigues so many people then maybe its time to answer the question, HOW DO YOU CRACK A PASSWORD??

How are passwords stored

The first step to understanding how to crack a password is to understand how passwords are stored. Passwords aren’t usually stored as plain text (at least they shouldn’t be). Instead they are stored in the form of a password hash.

A password hash is when you take a clear text string and perform an algorithm on it to get a completely different value. A hashed password is preferred to an encrypted password because anything encrypted can be decrypted whereas a hash is one-way and it is impossible to get the original password from the hashed string.

For example, if your password is 12345 and the hashing algorithm you are using hashes by reversing each password and adding ‘abc’ at the end then the password hash for 12345 is ‘54321abc’ and the hash for ‘iamagod’ is ‘dogamaiabc’. The hashed password is then what is stored in the database.

How hacks happen

What normally happens is, a database is stolen and a hacker will try different algorithms on the different plain-texts of their choice until they find a hash that matches the hash in the database.

Online and Offline attacks

An offline attack is where a hacker can copy a users password hash and work on it until they have cracked it and then they can later login with the cracked password. When a website is breached and has their database stolen, the password hashes will be in there. A hacker will analyze the hashes, and see which hash algorithm they use, and then brute-force them.

An online attack is when a hacker has to be logging into your actual account with each password try. This is much harder to do because secure websites have a limit on the number of times a password can be entered. Without access to a websites database or a persons password hash, only an online attack can be done and that is extremely difficult.

Brute Force Attacks

A brute force attack is a trial and error cracking method where a program is used to try every possible character combination until it gets the password. This is probably the easiest way to hack a password though it can take very long to do. The cracking time is determined by the speed of computer and complexity of the password.

How to do a Brute force attack in Windows

STEP 1: Download HashCat
STEP 2: Create a hashed password using an MD5 password generator and add it to a .txt file

My hashed password stored in a ‘hash.txt’ file is;


STEP 3: Open the command prompt in windows and navigate to the HashCat folder. This article explains how to navigate between folders in the command prompt if you are unfamiliar with that.

STEP 4: To use HashCat, the command should have the following syntax:

hashcat64.exe [options]... hash|hashfile|hccapfile [Dictionary|File|Directory]

This was my usage and this will be different for you depending on the type of algorithm you used and how you have stored your hashes.

hashcat64.exe -m 0 -a 3 -o "C:\Users\Seda\Documents\cracked.txt" --outfile-format=2 C:\Users\Seda\Documents\hash.txt -1 ?l ?1?1?1

-m : refers to the hash type. Type 0 is MD5
-a : refers to the attack mode.  Mode 3 is Brute Force
-o : refers to the output file of the cracked passwords
--outfile-format : refers to the format of the output. Format 2 is for plain text
-1 ?l : this is a description of the type of characters to check for. ?l checks only for lower case letters from a-z
?1?1?1 : This is a mask that represents the maximum number of characters in the password. In this case there are only 3. 

Learn more about masks here. For a more detailed description of the different options you can use for an attack, see this guide.

hashcat brute

This hash was cracked in 19 minutes and I can find my clear-text password in the cracked.txt file.

hashcat brute

Dictionary Attack

A dictionary attack is another common type of password hack. It is similar to a brute force attack except instead of trying every possible character combination which could take years, a dictionary is used.

Hackers basically have very large text files that include millions of generic passwords, such as password, abcd1234, admin, or 123546789. (If I just said your password, change it now!!)

You might think that checking millions of passwords would take many years but hackers use programs (e.g HashCat) that can check over 5000 passwords per second.

How to do a Dictionary attack

A dictionary attack can also be done using HashCat. The command is similar to the brute force attack. The only thing that will change is the attack mode option. In a brute force it was -a 3. For a dictionary attack it should be -a 0.

You would also need to include the dictionary you are using, which are called wordlists. You can create your own or download an existing one.

hashcat64.exe -m 0 -a 0 -o "C:\Users\Seda\Documents\cracked.txt" --outfile-format=2 C:\Users\Seda\Documents\hashes.txt C:\Users\Seda\Documents\wordlist.txt
hashcat dictionary

Notice how much faster this attack is? It took 19 seconds to check 63,941,069 words.

After the above execution, I checked the ‘cracked.txt’ file and found my 3 passwords.

cracked dictionary

Rainbow table attack

A Rainbow table is a huge pre-computed list of hashes for every possible combination of characters. It is almost similar to dictionary attack, the only difference is, hashed characters fill up the dictionary instead of normal ones so the password cracking time is reduced to the time it takes to look it up in the list.

Software such as WinRTGen can be used to quickly create rainbow tables. Creating a rainbow table for complex passwords with different types of characters takes very long to do which is why it is advised to create complex passwords.


Phishing is the easiest and popular hacking method used by hackers to get someone account details. A hacker will send a fake page of real website like Facebook, Gmail, online banking, payment or other site to victim. When someone logs in through that fake page his details are sent to the hacker. Fake pages like this can be easily created from places like CloneZone and can be hosted on free web-hosting sites.

It is advised to avoid logging into sensitive websites from someone else’s computer and to always check that URLs are correct before you enter your login details.

Key Logger Attack

In this type of attack, a hacker uses malware installed onto a persons computer to track all of a user’s keystrokes. So at the end of the day, everything the user has typed—including their login IDs and passwords—have been recorded. Such malware is freely available for download.

Clearly, hacking a password is not a very difficult task. To avoid getting your password cracked, here are a few tips to remember.

  • Use a password generator or manager to create a truly random password.
  • Never choose a name as a password. Every name in the dictionary will fail in a dictionary attack.
  • Use a different password for everything. If you use the same password for Gmail as you do for some other less popular site, and the less popular site is hacked, you’re Gmail can be hacked.
  • Long passwords take longer to crack than shorter ones. Remember that.
Seda Kunda is a web designer and developer with a degree in Computer Science and a great passion for code. Besides code, she enjoys pepperoni pizza, watching the bachelor and sleeping in on Saturdays.
Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn