Password Cracking
Password cracking is the process of recovering plaintext passwords from stored hashes or encrypted data using techniques such as brute force, dictionary attacks, rainbow tables, and rule-based mutations.
Password cracking is a common technique used during penetration testing and by malicious actors to gain unauthorized access to systems. When passwords are stored as hashes, the hash cannot be reversed directly, so attackers instead generate candidate passwords, hash them, and compare the results against captured hashes. The speed and success of cracking depend on the hashing algorithm, password complexity, and available computational resources.
Brute force attacks systematically try every possible combination, while dictionary attacks use wordlists of common passwords and phrases. Rule-based attacks apply transformations like character substitution and appending numbers to dictionary words. Rainbow table attacks use precomputed hash-to-plaintext mappings but are defeated by salted hashes. Modern tools like Hashcat and John the Ripper support GPU acceleration, dramatically increasing cracking speed.
Defending against password cracking requires using strong, adaptive hashing algorithms like bcrypt, scrypt, or Argon2 with unique salts per password. Enforcing password complexity requirements, implementing account lockout policies, using multi-factor authentication, and monitoring for credential stuffing attacks are essential countermeasures. Regular password audits help identify weak credentials before attackers do.
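The storage defence described above, as an added example that is not part of the original page: it derives a password hash with scrypt and a fresh random salt per password, verifies it in constant time, and contrasts it with an unsalted SHA-256 digest to show why precomputed tables stop working once salts are used. The cost parameters, function names and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed cost parameters for illustration; tune them to your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024  # headroom above the ~16 MiB these parameters need


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, key). A new 16-byte random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def unsalted_sha256(password: str) -> bytes:
    """Fast unsalted digest, shown only as the weak storage scheme to avoid."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compare_schemes(password: str) -> dict:
    """Store the same password for two accounts under both schemes."""
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return {
        # Identical digests: one precomputed table entry covers both accounts.
        "unsalted_identical": unsalted_sha256(password) == unsalted_sha256(password),
        # Different salts give different keys, so each must be attacked separately.
        "salted_identical": key_a == key_b,
        "verify_ok": verify_password(password, salt_a, key_a),
        "verify_wrong": verify_password(password + "x", salt_a, key_a),
    }


if __name__ == "__main__":
    # Constructed sample password, not taken from any real data set.
    print(compare_schemes("Summer2024!"))
```

Store the salt alongside the derived key; the salt is not secret, its job is to make every stored hash unique.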