How Password Cracking Works

“Error! Password must be more than eight characters long and must contain a number.”

How many times have you seen this message on a sign-up screen and cursed the developers for programming it in? I’m here to tell you you’re not alone!

The truth is, password cracking is easier than you think, so it makes sense to have a secure password.

In simple terms, when you create an account on any website, your username is associated with your chosen password. This information gets sent back to the server and stored to enable access to your account. Now it’s the company’s job to keep it secure.

But how?

Before the password is sent to the server for storage, it will go through one or both of the operations below. Computers work by using math, so both operations are algorithms.

1. Symmetric Encryption

This operation replaces each letter and number of your password with a different one for storage using the rules created by a “master key”. For example, your password is Fido1. The algorithm will convert it to something like R7gb9.

In order to crack the password, you would need to know that the master key replaces capital “F” with capital “R”, lowercase “i” with the number 7, etc.

The main characteristic of this method is the “master key” remains the same for each password. Every capital “F” will be converted to a capital “R”.

2. Hashing

Hashing uses a similar method to replace the real password with a nonsensical string of letters and numbers. However, instead of using a master key, it uses a unique key for your account.

When you create a password, it generates an unlock key called a “salt” which is stored together with your password. This means that if a hacker was to gain access to all the files, they couldn’t use one key to unlock them all and would need to do it one by one.
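The per-account salt described above, as an added example that is not code from the original post. It assumes PBKDF2-HMAC-SHA256 from Python's standard library with an iteration count chosen for this example; the function names are hypothetical and the two accounts are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example, not from the post


def unsalted_hash(password: str) -> str:
    """No salt: the same password always produces the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(password: str) -> dict:
    """Sign-up: generate a fresh random salt and store it next to the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Login: recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def compare_two_accounts(password: str) -> dict:
    """Two constructed accounts that picked the same password."""
    first, second = create_record(password), create_record(password)
    return {
        "unsalted_identical": unsalted_hash(password) == unsalted_hash(password),
        "salted_identical": first["hash"] == second["hash"],
        "both_verify": verify(password, first) and verify(password, second),
        "wrong_guess_rejected": not verify(password + "x", first),
    }


if __name__ == "__main__":
    for check, result in compare_two_accounts("Fido1").items():
        print(f"{check}: {result}")
```

Because every record carries its own salt, a guess has to be recomputed separately for each account, and the iteration count makes each recomputation deliberately slow.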

So how could your password get cracked?

1. Full server breach

In rare cases, the server itself may be hacked. This means that the hacker gains access to all the files. That is, your username, encrypted password and the master key to unlock it.

From there, it’s a race against time. The company sends out a bulk email asking everyone to change passwords. If you do it before your account is cracked, you’re safe. If you delay, the hackers get your information.

Although extremely serious, this only happens with very small personal websites where security isn’t considered and everything is stored on one server.


2. Partial Server Breach

This is where the hackers gain access to your username and encrypted password but don’t obtain the master key. You might remember the Adobe security breach and the huge scandal around Ashley Madison.

That means the hackers now have possession of your encrypted password but cannot use it. What they need to do is reverse engineer the algorithm or brute force each username.

Depending on the complexity of the algorithm, this can take hours or years. Brute forcing is an easier way to gain access to the accounts.

3. Your weak password


More often than not, password cracking has nothing to do with the company’s security but the user’s carelessness. A hacker can gain access to your email by simply searching your name online. It will be listed somewhere.

Did you know “password” is the most commonly used password? Followed by “admin” and “123456”. If a hacker was to gain possession of your email, they could easily try those combinations manually.

If those don’t work, they create an algorithm to try password, password1, password2, etc.

If you happen to use the same password for multiple websites, it only takes one to know them all.

For instance, you use your password “Fido1” on a badly secured site that gets compromised. The hacker now knows you use this password. From there, they can manually check your Facebook, Twitter, Instagram and banking websites.

If you made the mistake of using the same password, you’ve just handed over all of your accounts and information to the hacker.



Most people worry about the security of the website they use and whether their information is stored safely. As you can see, password cracking by hacking a server is incredibly hard and in some cases, impossible.

However, getting hacked from using an easy password is very common.

What to do:

  • Use a long and complicated password including letters, numbers and symbols. Instead of “Fido1” you can make your password “!#MyDogFido$!” or “FidoDigUnderTreeFence”
  • Use a different password for each website (or at least a group of websites)
  • Don’t write down your passwords in a digital document on your computer. Your computer is much easier to crack than a secure server.
  • Change passwords often, at least every 6 months
