We've said it before, and we'll definitely say it again: traditional passwords are the weakest link in the cybersecurity chain. In fact, 82% of all data breaches come down to avoidable human errors — like easily guessable passwords and other poor security practices that can put a user's online accounts, data, and assets at risk. The good news is that the cybercriminals behind "password cracking" attacks tend to follow predictable patterns and resort to the same methods time and again to ensnare unsuspecting users and developers. By brushing up on the most common attack vectors and learning which red flags to watch out for, you can stay one step ahead of the hackers and keep your app (and your users) safe. In this post, we cover the basics of password attacks, review ten of the most popular password cracking tools and tactics, and share expert tips to ensure they don't work on you.
Password cracking, also known as password hacking, is any type of cyber attack that involves intercepting or otherwise compromising user passwords. The ultimate goal is to "crack" (or successfully guess) the passwords that are used to protect sensitive accounts. Hackers can then use stolen credentials to breach or take over a user's account and gain access to sensitive data, confidential business records, and other valuable online assets. They may do this for material gain, for an ideological cause, or even just for fun.
Password cracking can be divided into two categories: online and offline attacks. In an online password attack, a hacker attempts to enter the correct password on an app's login page, directly against the live server. Online password attacks can be challenging to carry out, as they're limited by the speed of the network. They're also relatively easy to detect, due to the web noise generated by constant login requests. On the other hand, offline password attacks provide hackers with more time and flexibility. In an offline password attack, a hacker intercepts one or more password hashes — the output of a hashing algorithm that converts a plaintext password into an unintelligible string of letters, numbers, and symbols, so the password is harder to read and recognize when stored in a database. The hacker can then take these password hashes offline and recover the plaintext passwords behind them using a password cracking tool.
There are many types of online and offline strategies cybercriminals use to crack user passwords. Ten of the most common include:
In a brute-force password attack, a hacker tries to access a secure user account through trial and error. This typically involves systematically entering every possible combination of letters, numbers, and symbols into a password field until one works. Today, almost all brute force attacks are carried out by bots, or automated software that can be programmed to carry out repetitive, predetermined tasks. Among other actions, bots can randomly generate passwords and quickly enter them into an app or website. This eliminates a lot of the time and hassle required to mount a brute force attack, making it a much more efficient and attractive method for hackers. Simple cybersecurity measures — like account lockout systems, which block entry to certain IP addresses after a certain number of incorrect login attempts — can thwart a basic brute force attack. That's why, in recent years, hackers have developed the more sophisticated brute force methods outlined below.
A password spray attack is a type of brute force attack in which, rather than trying many random passwords against a single account, a hacker tries the same password against many user accounts at once. This allows them to get around rudimentary security measures like account lockouts. To maximize the impact of password spraying, hackers often employ weak or commonly used passwords (such as "password" or "123456") in their attacks, which they can source from public reports like NordPass's annual list of the 200 most common passwords.
Credential stuffing is another brute-force technique. In a credential stuffing attack, hackers use compromised credentials (which they've purchased from the dark web or obtained from a data breach) to log in to other, unrelated user accounts. Unlike a traditional brute force attack, credential stuffing attacks aren't entirely random, as they rely on known username and password pairs. Since users tend to recycle the same credentials across multiple accounts, it's likely that one breached password will appear again on one of the other apps or websites that they use.
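The three brute-force variants above leave different fingerprints in an authentication log, and the difference matters for defenders because a plain per-account lockout only catches the first one. The following is an added example (not Stytch's code) that runs simple heuristics over a constructed log; the log format, thresholds, and sample data are all assumptions:

```python
"""Heuristic detection of brute force, password spraying and credential stuffing
over authentication log lines. Added example; the log format, thresholds and
sample data are assumptions, not any product's real logs."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <username> <source ip> <SUCCESS|FAIL>".
#   alice        -> classic brute force (one account, one source, many failures)
#   198.51.100.9 -> password spray (one source, one try each against many accounts)
#   192.0.2.x    -> credential stuffing (many sources, one try each, mostly failures)
SAMPLE_LOG = """\
2024-05-01T10:00:01 alice 203.0.113.5 FAIL
2024-05-01T10:00:03 alice 203.0.113.5 FAIL
2024-05-01T10:00:05 alice 203.0.113.5 FAIL
2024-05-01T10:00:07 alice 203.0.113.5 FAIL
2024-05-01T10:00:09 alice 203.0.113.5 FAIL
2024-05-01T10:00:11 alice 203.0.113.5 FAIL
2024-05-01T10:01:00 bob 198.51.100.9 FAIL
2024-05-01T10:01:01 carol 198.51.100.9 FAIL
2024-05-01T10:01:02 dave 198.51.100.9 FAIL
2024-05-01T10:01:03 erin 198.51.100.9 FAIL
2024-05-01T10:01:04 frank 198.51.100.9 FAIL
2024-05-01T10:01:05 grace 198.51.100.9 FAIL
2024-05-01T10:02:00 heidi 192.0.2.11 FAIL
2024-05-01T10:02:01 ivan 192.0.2.12 FAIL
2024-05-01T10:02:02 judy 192.0.2.13 FAIL
2024-05-01T10:02:03 karl 192.0.2.14 SUCCESS
2024-05-01T10:02:04 leo 192.0.2.15 FAIL
2024-05-01T10:02:05 mia 192.0.2.16 FAIL
2024-05-01T10:02:06 nick 192.0.2.17 FAIL
2024-05-01T10:02:07 olga 192.0.2.18 FAIL
2024-05-01T10:03:00 zoe 203.0.113.77 SUCCESS
"""


@dataclass
class Attempt:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_log(text):
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return attempts


def detect(attempts, window=timedelta(minutes=10), per_account=5,
           per_ip_accounts=5, stuffing_min=5, stuffing_fail_rate=0.7):
    """Classify one time window of attempts. Results are triage leads, not verdicts."""
    empty = {"brute_force": [], "spray": [], "credential_stuffing": False, "stuffing_successes": []}
    if not attempts:
        return empty
    start = min(a.ts for a in attempts)
    recent = [a for a in attempts if a.ts < start + window]

    fails_by_user = Counter(a.user for a in recent if not a.ok)
    attempts_by_user = Counter(a.user for a in recent)
    accounts_by_ip = defaultdict(set)
    failed_accounts_by_ip = defaultdict(set)
    for a in recent:
        accounts_by_ip[a.ip].add(a.user)
        if not a.ok:
            failed_accounts_by_ip[a.ip].add(a.user)

    # 1. Brute force: one account absorbing many failures (the lockout-style signal).
    brute = sorted(u for u, n in fails_by_user.items() if n >= per_account)
    # 2. Spray: one source failing against many different accounts. A per-account
    #    lockout never fires because each account fails only once.
    spray = sorted(ip for ip, accts in failed_accounts_by_ip.items() if len(accts) >= per_ip_accounts)
    # 3. Stuffing: many "one-shot" attempts spread over many sources. Breached pairs
    #    are tried once each, so the tell is volume plus a high failure rate.
    one_shot = [a for a in recent if attempts_by_user[a.user] <= 2 and len(accounts_by_ip[a.ip]) <= 2]
    stuffing = False
    if len(one_shot) >= stuffing_min and len({a.ip for a in one_shot}) >= stuffing_min:
        fail_rate = sum(not a.ok for a in one_shot) / len(one_shot)
        stuffing = fail_rate >= stuffing_fail_rate
    # Successful logins inside a stuffing burst are the accounts to review first.
    successes = sorted({a.user for a in one_shot if a.ok}) if stuffing else []
    return {"brute_force": brute, "spray": spray,
            "credential_stuffing": stuffing, "stuffing_successes": successes}


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
```

Note that the legitimate login by `zoe` lands in the stuffing cluster because it happens to fall in the same window; the "successes" list is therefore a review queue (force a password reset, require a second factor) rather than an automatic block list.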
In a dictionary attack, a hacker systematically enters common words and word variations from a specific, preselected list — kind of like a hacker "dictionary." A dictionary attack can be tailored to a specific group or region that a hacker is targeting. For example, a hacker might use terms and phrases related to local businesses, landmarks, and sports teams when mounting a dictionary attack against a particular company or city. While custom dictionary attacks can be dangerously effective, they tend to only work when users employ ordinary, everyday terms as passwords. That means enforcing strict password rules — like requiring users to create strong passwords with unique, randomized strings of characters — can be enough to prevent a dictionary attack.
A mask attack is similar to a dictionary attack, but it's a far more targeted brute-force technique. In a mask attack, a hacker analyzes recognizable password creation patterns and/or password hashes they've gathered from known data breaches and uses them to apply a filter (or "mask") to their dictionary list of possible passwords. This dramatically reduces the total number of password guesses they must make for a given account, resulting in a much more efficient attack.
Spidering is also intended to support a dictionary attack and similarly requires some dedicated effort on the part of the hacker. In a spidering attack, a hacker gets to know their intended victim — generally, a larger, more established company — by studying their internal and external communications. This can include social media posts, web content, employee handbooks, product manuals, and even marketing style guides. From there, the hacker can compile a list of identifying information and common keywords and business/product terms that are unique to the company. They can use these terms to generate a shortlist of possible credentials, which makes guessing passwords on key corporate accounts that much easier.
Man-in-the-middle (MitM) attacks involve eavesdropping on or otherwise intercepting sensitive communications between the app or website a user is connected to and another, separate platform. MitM attacks can take active or passive form. Active MitM attacks often manifest as session hijacking, where a hacker spies on web traffic over a given network, identifies active session IDs, and then uses the attached session tokens to breach a user's account. In a passive MitM attack, a hacker might create a free, public wifi hotspot, like the kind offered at airports, cafes, and public parks. They then get a full view of all of the online activities and data exchanges carried out by unsuspecting users who join their fraudulent network.
Rainbow tables are comprehensive, precomputed directories that, for a given password hash algorithm, map the hashes it produces back to the plaintext passwords that generated them. Think of it like a hacker "cheat sheet" that allows cybercriminals to skip the work of actually having to crack passwords or a password hash themselves. In a rainbow table attack, a hacker consults this directory and matches its list of solved password hashes against the hashed passwords they find in a breached database, allowing them to successfully sign in to a user's account.
A phishing attack is less about cracking passwords and more about getting users to share them voluntarily, albeit through deceitful means. Essentially, phishing is a form of social engineering. In a typical phishing attack, a hacker sends their intended victim a persuasive message via email or text, hoping to trick them into sharing their credentials or other sensitive information. This can happen by way of a fraudulent link that, when clicked, downloads malicious software onto a user's device, or via a spoofed website that gets the user to type their credentials into a fake login screen. Phishing attacks can be random, or they can target specific individuals or organizations. A common example of a random phishing attack involves an email scam, in which the author pretends to be the executor of a will, which they claim comes from a recipient's (fictional) long-lost relative. This fake executor promises to transfer a large sum of inheritance money to the recipient, but claims they need the recipient's bank account credentials in order to wire the funds. Of course, if the recipient provides these credentials, the hacker behind the scheme will simply breach their account and quickly drain their balance. A more targeted phishing attack, on the other hand, might mimic the messages a certain company sends to help users reset passwords. By clicking an embedded reset-password link and/or entering their credentials, a user is actually giving a hacker access to their account or allowing them to install dangerous programs on their device.
Malware, short for "malicious software," refers to programs that are designed specifically for stealing passwords and other private information from a device where they have been (often unknowingly) installed. Malware can piggyback on a link embedded within a phishing text or email, or it can hide within attachments, files, or websites that a user is tricked into opening or downloading. Malware can take many different forms and work in a number of ways. Two categories of malware that can be used to crack passwords are:
Password cracking tools help hackers, well, crack passwords. They're especially useful in offline password attacks, where there might be thousands or even millions of possible plaintext combinations for each of the password hashes uncovered in a database breach. In this case, the right cracking tool can do all the computational work, applying strategic algorithms and machine learning to recover the plaintext behind each hash. Some of the most popular password cracking tools include:
John the Ripper (JTR) is one of the oldest and most well-known password crackers on the market. It's a command-line tool that works in Linux and Mac OS environments, and it can automatically detect and support a wide range of hash types and ciphers. While John the Ripper's basic platform comes as free, open-source software, there is also a "pro" version of the app that includes a more extensive wordlist, as well as support for specific operating systems.
Another leading password cracker is Cain and Abel (frequently shortened to just Cain). It's available for Windows only, and it uses a graphical user interface (GUI) format, which makes it particularly attractive to amateur or beginner hackers. Much like John the Ripper, Cain and Abel can recover passwords using a variety of password cracking and decrypting methods, including through brute-force and dictionary attacks.
While JTR and Cain are the two most common password cracking tools, they are far from the only available options. There are many other password crackers on the market, including platforms like Ophcrack, Hashcat, and THC Hydra, all of which can pose a significant threat to your app and your users.
There are many categories of "bad" passwords, but they all have one thing in common: they make a hacker's job easy. Here are some of the many ways users actually give cybercriminals a leg up:
Simply put, a weak password is any password that's easy to guess or crack. It's estimated that around 30% of internet users have fallen victim to a data breach because of a subpar password. A password can be weak for various reasons. Users might keep the default passwords they're given to set up an account and then forget to upgrade to a more secure password once they're logged in. Or they might resort to simple words and phrases (the kind that end up in the NordPass list mentioned above) or familiar, meaningful terms (like their dog's name) because they find more complex passwords difficult to remember. For reference, nearly a quarter (24%) of internet users admit to using common passwords like "abc123" and "Qwerty," while 59% have included a family member's name or birthday in their credentials. That's not great.
Users are opening more and more accounts online, and they're finding it difficult to keep track of their proliferating passwords. Many end up recycling the same credentials across many different sites and apps, rather than using unique passwords for every new account. Recent studies have found that password reuse is very common. In fact, 52% of surveyed users report reusing the same password across multiple apps and websites, and 13% use the same credentials across all of their online accounts. That means, if a hacker gets hold of one set of credentials using any of the above password cracking techniques, they have everything they need to break into some or all of that user's other accounts.
As mentioned, users will sometimes connect to free, unsecured wireless hotspots when using their device in a public place like a park or cafe. In some cases, these are not legitimate wifi networks, but hackers mounting a man-in-the-middle attack to spy on unsuspecting users, which can leave their passwords (and their data) vulnerable.
When it comes to traditional passwords, there's no bulletproof security measure that will prevent every single password cracking attempt. But there are some steps you can take to make a password attack much more challenging and inconvenient to carry out. Some simple best practices include:
Creating strong passwords (as a user) and enforcing strict password policies (as a developer) can help thwart basic brute-force attacks. This might include:
The LUDS system requires all users to include one or more lowercase letters (L), uppercase letters (U), digits (D), and special characters (S) when creating a new password. This increases the number of permutations a hacker would need to try to successfully mount a brute-force attack. You can also choose to reject any password containing a recognizable word or phrase, protecting against targeted dictionary, masking, and spidering attacks. As we’ve covered in our approach to strong passwords, though, LUDS has a few big shortcomings:
Given the weaknesses in the LUDS system, Stytch suggests services like zxcvbn, a flexible strength assessment based on how resistant a password is to modern password guessing techniques. Named after the same keyboard area as “qwerty” (just two rows down), it’s designed to make picking a strong password easy for humans to generate and hard for robots to guess. Zxcvbn works by first searching for matches to your user’s password in a list of common passwords, common names, common words, etc. If a match is found, it returns a score based on the match’s dictionary and pattern rank. There are many different ways to use it, but typically it’s implemented on the application side of a product, and not as commonly for individual users. The zxcvbn library is available in a variety of programming languages, including JavaScript, Python, Go, PHP, Ruby, and more. (You can also use an API like Stytch, which incorporates the zxcvbn method into our Passwords product.)
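To make the contrast concrete, here is an added example (not the zxcvbn library and not Stytch's code) of a strength check that layers a simplified, zxcvbn-style dictionary match on top of a LUDS rule. It also addresses the dictionary, mask, and spidering attacks described earlier: leet substitutions are undone before lookup, and a company-term list stands in for what a spidering attacker would harvest. The word lists, variation multipliers, and score bands are assumptions:

```python
"""Password strength assessment beyond LUDS: a simplified, zxcvbn-style
dictionary match with a guess estimate. Added example; this is not the zxcvbn
library, and the word lists, multipliers and score bands are assumptions."""
import re

# Constructed ranked lists (rank 1 = most common). A real deployment would load a
# full common-password list plus the company's own terms (product names, office
# locations, sports teams) that a spidering or custom dictionary attack would use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "abc123", "letmein", "welcome", "monkey", "dragon"]
COMPANY_TERMS = ["stytch", "acme", "rocketfuel"]
# Common "leet" substitutions, undone before lookup so P@ssw0rd still matches "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
SCORE_BANDS = (1e3, 1e6, 1e8, 1e10)  # guess thresholds for scores 0..3; 4 above (assumed)


def luds_ok(pw, min_len=8):
    """Classic LUDS rule: lower, upper, digit, symbol, plus a minimum length."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def charset_size(pw):
    """Size of the alphabet a brute-force attacker must cover for this password."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            size += n
    return size


def dictionary_match(pw):
    """Longest dictionary word hidden in pw after case folding and un-leeting."""
    core = pw.lower().translate(LEET)
    best = None
    for list_name, words in (("common", COMMON_PASSWORDS), ("company", COMPANY_TERMS)):
        for rank, word in enumerate(words, start=1):
            if word in core and (best is None or len(word) > len(best[2])):
                best = (list_name, rank, word)
    return best


def estimate_guesses(pw):
    """Rough number of guesses needed: dictionary hits cost their rank times cheap
    variation multipliers; everything else costs brute force over its charset."""
    hit = dictionary_match(pw)
    if hit is None:
        return charset_size(pw) ** len(pw), None
    _, rank, word = hit
    guesses = rank
    if any(c.isupper() for c in pw):
        guesses *= 2                            # capitalisation variants (assumed)
    if pw.lower() != pw.lower().translate(LEET):
        guesses *= 2                            # leet substitutions (assumed)
    guesses *= 10 ** (len(pw) - len(word))      # ~10 guesses per extra char (assumed)
    return guesses, hit


def assess(pw):
    """Return the LUDS verdict alongside the dictionary-aware score (0 weak .. 4 strong)."""
    guesses, hit = estimate_guesses(pw)
    score = next((s for s, limit in enumerate(SCORE_BANDS) if guesses < limit), 4)
    return {"luds": luds_ok(pw), "match": hit, "guesses": guesses, "score": score}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Stytch2024!", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

`P@ssw0rd1` satisfies every LUDS class yet scores 0, because it is the second most common password with two cheap tweaks; `correct horse battery staple` fails LUDS outright but scores 4. That gap is the shortcoming the zxcvbn approach is built to close.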
HaveIBeenPwned offers both an individual-friendly website and a developer-targeted API, each of which monitors the web for stolen credentials in order to alert users and companies that those credentials are no longer secure. You can search for compromised emails, phone numbers, domains, passwords, and websites, and can even sign up for email notifications that alert you if one of your accounts has been compromised. While you can use HaveIBeenPwned as an individual user, you can also integrate it into your product via their API, which checks whether a user’s email address or password has been exposed in a data breach. If it has, the API will return a list of the data breaches in which the user’s information was compromised. This is what Stytch has done in our breach-resistant password solution.
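The Pwned Passwords side of that API is designed so the password itself never leaves your server: you send only the first five hex characters of its SHA-1 and match the remaining suffix locally (k-anonymity). The block below is an added example of that exchange, not Stytch's implementation; the live endpoint is the real one, but the offline range response and its counts are constructed so the example runs without network access:

```python
"""Checking a candidate password against HaveIBeenPwned's Pwned Passwords API via
its k-anonymity range endpoint. Added example, not Stytch's implementation; the
offline range response and its counts are constructed."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix):
    """Live fetch of every hash suffix sharing this 5-char prefix (not used offline)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "added-example-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_live):
    """Number of breach occurrences for the password (0 if unseen). Only the prefix
    is transmitted; the suffix comparison happens here, on our side."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


def acceptable(password, fetch_range=fetch_range_live):
    """Signup/reset policy: refuse anything already seen in a known breach."""
    return pwned_count(password, fetch_range) == 0


# Constructed offline stand-in. SHA-1("password") is 5BAA61E4...68FD8, so its prefix
# is 5BAA6 and the second suffix below is the rest of that digest; the other
# suffixes and all counts are made up.
FAKE_RANGES = {
    "5BAA6": "0" * 34 + "1:1\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "F" * 34 + "2:2\n",
}


def fetch_range_fake(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("password ->", pwned_count("password", fetch_range_fake))
```

Injecting the fetcher keeps the check unit-testable and lets you swap in a cached or proxied range lookup in production; when a breached password is found, the right response is to reject it at signup and to force a reset (and a second factor) for existing accounts that use it.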
A password manager is software that helps users manage their passwords by encrypting them and saving them locally on a user's device. Stored passwords are then automatically pulled up whenever a user wants to log in to the associated account. Some password managers, like Google Password Manager, will even suggest a strong password at signup, ensuring secure practices are built into every stored credential. While password managers are effective tools, as a developer you can’t assume your users are using them. Adoption remains low, and growth in adoption is still rather modest.
A password "salt" is a random string of 32 or more characters that's added to a password before hashing. Salting makes it nearly impossible for hackers to comb through a database and recognize a hashed password in order to mount an offline attack or apply a password cracking tool. As we’ve pointed out in our article on hashing, though, salting on its own is not that great a protection. Only when combined with the best hashing algorithms does salting really have a significant effect on password security.
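The rainbow table section earlier and the salting point here are two sides of one mechanism, so a single added example (not Stytch's code) covers both: a constructed precomputed table cracks an unsalted fast hash by lookup, while a per-user random salt combined with a slow key-derivation function gives two users with the same password different stored values that the table cannot match. The iteration count and the PBKDF2 choice are assumptions (Argon2id or scrypt are preferable where available):

```python
"""Why unsalted hashes fall to precomputed (rainbow-style) tables and salted,
slow hashes do not. Added example; the table, users and passwords are constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: hash -> plaintext for a few common passwords.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p
               for p in ["123456", "password", "qwerty", "letmein"]}


def unsalted_hash(password):
    """What a naive application stores: one fast hash, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_lookup(stored_hash):
    """A table attack needs no cracking: the stored hash is just a lookup key."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password, iterations=600_000, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here). The
    iteration count is an assumption; tune it to your hardware budget."""
    salt = salt if salt is not None else os.urandom(32)   # 32 random bytes, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the parameters can be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    alg, iterations, salt_hex, digest_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a timing side channel cannot leak digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo(iterations=600_000):
    """Two users who chose the same weak password, stored both ways."""
    pw = "password"
    naive = unsalted_hash(pw)
    alice = hash_password(pw, iterations)
    bob = hash_password(pw, iterations)
    return {
        "unsalted_cracked": table_lookup(naive),                 # 'password': instant hit
        "salted_in_table": table_lookup(alice.split("$")[-1]),   # None: salt changed the digest
        "same_password_same_hash": alice == bob,                 # False: distinct salts
        "verify_ok": verify_password(pw, alice),
        "verify_wrong": verify_password("Password", alice),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored in the clear next to the digest; its job is not secrecy but uniqueness, which forces an attacker to recompute the slow function per user rather than once per candidate password for the whole database.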
Finally, educating users about different password attacks can help them avoid falling victim to common schemes — especially when it comes to social engineering tactics like phishing. Education is also a great precedent to set if you’re interested in gradually transitioning your users to a passwordless authentication solution. We’re strong advocates for this at Stytch where it makes sense for our customers. If your customers aren’t ready for that step, a great place to begin is friendly, approachable education that helps make your users more auth-savvy.
Adding extra steps to your signup and login flows can help you differentiate between a legitimate user and automated bot traffic. At Stytch, we offer, and see the benefits of, two main approaches to bot detection: device fingerprinting and StrongCAPTCHA.
Device fingerprinting is a way to identify the devices that access a website or application. A device’s identity is composed of a number of attributes that the application detects when the user accesses the site or app; those attributes are then associated with a unique ID. Unlike cookies, which are stored client-side, device attributes and IDs are stored in a server-side database, which the website or app can then use to check against future behavior from its users. Note though that not all device fingerprinting solutions are created equal: a large part of their efficacy depends on the kinds of attacks a given app or service is suffering from, the sophistication of its attackers, and how its auth flow responds to possible fraud without creating undue friction for its users. Fingerprint attributes like IP address are easy to detect but also easy to fake or obscure through VPNs – the best fingerprinting solutions combine a multitude of factors, and also allow for a range of escalation procedures to further investigate the identity of a user. If you’re interested in learning more, check out Stytch’s own Device Fingerprinting solution.
The most common bot-detection technology is the CAPTCHA test, which has users pick out objects like motorcycles and crosswalks from a lineup of images to prove they're human before they can access their account. While traditional CAPTCHAs have recently fallen prey to a cottage industry of CAPTCHA fraud, next-generation versions — like Stytch's Strong CAPTCHA solution — have emerged to bridge this security gap.
Multi-factor authentication (MFA), which includes two-factor authentication (2FA), takes a layered approach to auth, requiring two or more identity credentials before a user can access their account. This might include a traditional username-and-password pair (factor 1), plus a security question (factor 2) and a one-time passcode sent via text or email (factor 3). These factors can all be front-loaded at initial login, or they can be interspersed throughout the user journey, with extra auth steps (and thus, extra friction) introduced only for especially sensitive actions — like if a user wants to change their payment details. This is known as "just-in-time" authentication. The best MFA flows today are unphishable, meaning they avoid any type of auth factor that can be intercepted by a determined hacker.
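The "just-in-time" pattern is easiest to see as a policy check: the session records which factors the user has already proved and when, and each action declares the factors it needs and how fresh they must be. The block below is an added example, not Stytch's product logic; the action names, factor names, and freshness windows are assumptions:

```python
"""Just-in-time (step-up) multi-factor authentication as a policy check: a session
carries the factors already proved and when; sensitive actions demand fresher or
stronger ones. Added example; actions, factor names and windows are assumptions."""
from datetime import datetime, timedelta

# Constructed policy: action -> {factor: maximum age of that factor's proof}.
# Routine actions ride on the login; payment changes and bulk exports step up.
POLICY = {
    "view_dashboard": {"password": timedelta(hours=12)},
    "change_payment_details": {"password": timedelta(hours=12), "otp": timedelta(minutes=5)},
    "export_all_data": {"password": timedelta(hours=12), "webauthn": timedelta(minutes=5)},
}


def record_factor(session, factor, now):
    """Called after a factor has been verified; stores the proof time on the session."""
    session[factor] = now
    return session


def missing_factors(session, action, now):
    """Factors the user must (re)prove before `action` proceeds; [] means allowed."""
    needed = []
    for factor, max_age in POLICY[action].items():
        proved_at = session.get(factor)
        if proved_at is None or now - proved_at > max_age:
            needed.append(factor)
    return needed


def authorize(session, action, now):
    """Gatekeeper for a sensitive action: (allowed, factors to challenge for)."""
    needed = missing_factors(session, action, now)
    return (not needed, needed)


if __name__ == "__main__":
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    s = record_factor({}, "password", t0)
    print(authorize(s, "view_dashboard", t0 + timedelta(minutes=1)))          # (True, [])
    print(authorize(s, "change_payment_details", t0 + timedelta(minutes=1)))  # (False, ['otp'])
```

Because the policy keys on freshness rather than on a one-time "MFA done" flag, a stolen or long-lived session cannot reach the sensitive actions without a recent second factor, and the friction is paid only where the risk is.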
When it comes down to it, the only surefire way to stave off a password attack is to eliminate passwords altogether. Today, there are many secure, frictionless, and completely passwordless authentication solutions that are easy to implement and to use, from one-time passcodes and embeddable email magic links to seamless biometric factors and WebAuthn. As adopting such passwordless solutions gets even easier — slowly becoming the norm for online life — we'll finally make password cracking a thing of the past.
Stytch is committed to fighting any and all password cracking methods that can put your app and your users at risk. That's why we offer a full suite of modern passwordless products — as well as Breach-Resistant Passwords that build strength assessment, breach detection, and account deduplication measures into every signup and login flow. To learn more about our platform, get in touch with one of our cybersecurity experts — or register for a free account to try our solutions first-hand.