MTE Explains: How Password Cracking Works And What You Can Do to Protect Yourself

“Error! Your password must be more than eight characters long and must contain a number.”

Do you feel bothered when you come across messages like this? You are not alone. In a rush to get things done, many users get frustrated when they come across such messages, because they feel that it is a troublesome task to create a complicated password that they can’t remember. However, most people don’t realize that it is actually very easy to crack passwords. It takes only five minutes to crack a lower-case-only password of six characters or fewer. Knowing all of this, you should be asking yourself these questions: How does password cracking work? How can I protect myself? This article unveils the hidden tactics of malicious hackers.


Cracking passwords is actually a very delicate process. It requires special techniques and special software. Hackers can try to crack your password by using simple logic or special software to get the job done. Hackers that guess your password are the ones that already know some information about you. This may be a close friend or associate. Guessing passwords involves trying combinations of personal names or hobbies, because people often include them in their passwords.

Methods Hackers Use to Guess Passwords:

  • Name combinations (e.g. jamesbrown, jbrown, brownj, brown, etc.)
  • Hobbies (e.g. books, movies, celebrities, athletes, songs, cars, etc.)
  • Important years or numbers (e.g. jamesbrown1, jbrown1, brown1991, etc.)

If guessing the password doesn’t work, hackers use special software to crack it. These specialized applications often use two techniques: dictionary and brute-force. Dictionary attacks scan through a list of preset passwords. For example, a hacker can make the software scan through a list of words from an actual dictionary or from a list of the most commonly used passwords. Many websites provide these lists for free. Interestingly, as much as 75 percent of the Internet population has a password that appears in the top 500 list.


If a dictionary attack doesn’t work, the hacker will resort to a brute-force attack. A brute-force attack tries every possible combination of letters, digits, and special symbols to determine the password. This is where the importance of a strong password comes in. The simpler your password, the faster it will be cracked by a brute-force attack. Therefore, if your password is “12345” or “QWERTY”, it will be hacked within minutes – even seconds. In contrast, an eight-character password with uppercase and lowercase letters takes about four months to hack. Even more impressive, it takes over 100 years to crack a ten-character password with upper and lower case letters.
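As an added example (not part of the original article), the following Python script applies the article’s two attack models to a candidate password: a small constructed list stands in for the free “most common passwords” lists a dictionary attack uses, and the keyspace a brute-force attack would have to exhaust is computed from the character classes and length the article discusses. The guess rate of one billion per second is an assumed figure for illustration only.

```python
import string

# Constructed stand-in for the free "most common passwords" lists a dictionary attack uses.
COMMON_PASSWORDS = ["123456", "password", "12345", "qwerty", "abc123",
                    "letmein", "iloveyou", "admin", "welcome", "monkey"]

# Character classes the article names; a brute-force attack must cover every class in use.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

def classes_used(password: str) -> list:
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]

def keyspace(password: str) -> int:
    """Candidates a brute-force attack must try to exhaust every password of this
    length built from the classes the password uses (alphabet size ** length)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)

def guesses_needed(password: str) -> int:
    """Worst-case guesses for the cheapest method that succeeds: a dictionary attack
    finds a listed password after at most len(list) tries; otherwise brute force."""
    if password.lower() in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password.lower()) + 1
    return keyspace(password)

def crack_time_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Time to exhaust the guesses at an assumed (constructed) offline guessing rate."""
    return guesses_needed(password) / guesses_per_second

def problems(password: str) -> list:
    """The article's rules: not a common password, 8+ characters, mixed character classes."""
    found = []
    if password.lower() in COMMON_PASSWORDS:
        found.append("appears in common-password list")
    if len(password) < 8:
        found.append("shorter than 8 characters")
    used = classes_used(password)
    if len(used) < 3:
        found.append("uses only: " + ", ".join(used))
    return found

if __name__ == "__main__":
    for candidate in ["12345", "jbrown1991", "Correct-Horse-42"]:
        print(candidate, f"{crack_time_seconds(candidate):.3g}s", problems(candidate))
```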

Some hackers avoid the mentioned methods altogether. Instead they create phishing sites and send phishing emails to get you to reveal your own passwords.


While it may seem like hackers are just too sly for you to avoid their wicked schemes, you can actually protect yourself. To do this, you must acknowledge the seriousness of the issue and take the necessary steps to prevent an attack.

Quick Tips: You should have at least three main passwords for the Internet. One for your main email address, another for your recovery or backup email address (in case the main one is hacked), and yet another for auxiliary websites (Facebook, LinkedIn, Twitter, etc.). Each of those passwords must be strong.

Create stronger passwords. Your passwords should be eight or more characters in length. Ideally, each should contain digits, special characters, lower case and upper case letters. Cracking a password this strong through brute force will take centuries. Do not use a word from the dictionary, even if it is a long one (e.g. Mississippi, Antidisestablishmentarianism, pseudopseudohypoparathyroidism, etc.).

Plan ahead. Some people refrain from doing this because they are afraid of forgetting their password. If this is the case, write it down or save it somewhere safe. Try to log in with it every day for about a week. In time, that password will be etched into your memory. Alternatively, use a password manager, such as LastPass or KeePass, to remember your passwords. In this case, you only need to remember one master password.

Don’t use the same password for your primary email and subsidiary websites. Time and again, people use the same password for their main email and other websites such as Facebook, LinkedIn, and Twitter. By creating a different password for your email and other websites, you prevent the hacker from accessing your email address. If your accounts for other sites have been hacked, you can use your email to recover it.

Enable two-step verification. This feature adds another layer of protection – a tough outer armor, so to speak. In addition to a password, two-step verification sends a notification to your mobile device. Since you are the only one who has the device and can confirm the notification, hackers cannot access your account even if they know your password.

Some people reason that they have nothing to lose because they don’t use the Web for anything serious. Well, hackers may use your information for something serious – even dangerous or illegal, for that matter. For instance, suppose that a hacker gained access to your email. He may use your name and credentials to send a plethora of spam messages to others. Something like this deeply damages your reputation even if you are not an avid Internet user. The point is this: it doesn’t matter who you are; if you use the Web, you need strong passwords – period!

Image Credit: Scott Schiller, Pedro Dias


  1. Would have liked more technical detail on the actual cracking process. For example, with brute-force attacks, how does the attacker get around the fact that most websites only allow a few attempts before locking you out?

    Also, when some big website reports that it’s had its “file of passwords” stolen, what does this really mean? Here’s what I think it means, but I could be wrong:

    As a rule, websites don’t store your actual password in plaintext (that would be madness!), but instead they store a “hash” of your password: a number that is generated by running a complex algorithm on your actual password. The algorithm is such that it’s easy to generate the hash from the password, but very hard to recreate the password from the hash. Cracking the password means coming up (by brute force trial and error) with a string of characters that matches the stolen hash when run through the hashing algorithm.

  2. Hi Rob, we actually had all of this in mind while writing this article. This article was intended to underscore some of the basic methods hackers use to crack passwords. There are many ways to hack passwords: keylogging software, phishing, rootkits, SQL injection, etc. If all of this were to be included, we might as well write a book.
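The hashing model described in the first comment above, as an added example that is not part of the original post or its replies: `fast_hash` is the single fast hash the comment describes, and `make_record`/`verify` show the salted, deliberately slow storage a site should use instead (PBKDF2-HMAC-SHA256 from Python’s standard library), which goes beyond the comment and is an assumption on my part. The sample users and password are constructed for illustration.

```python
import hashlib
import hmac
import os

def fast_hash(password: str) -> str:
    """The storage scheme the comment describes: one fast, unsalted hash of the
    password. It is deterministic, so every user with the same password gets the
    same hash, and one list of precomputed guesses attacks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, iterations: int = 200_000) -> dict:
    """What a site should store instead (assumption beyond the comment): a random
    per-user salt and a deliberately slow PBKDF2-HMAC-SHA256 derivation, so each
    guess against each user costs the attacker `iterations` hash computations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify(password: str, record: dict) -> bool:
    """Login check: repeat the derivation with the stored salt and parameters and
    compare in constant time; the site never needs the plaintext password back."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    print(fast_hash("letmein") == fast_hash("letmein"))       # identical rows in the database
    rec_a, rec_b = make_record("letmein"), make_record("letmein")
    print(rec_a["hash"] == rec_b["hash"])                       # different rows: salts differ
    print(verify("letmein", rec_a), verify("LetMeIn", rec_a))   # only the exact password verifies
```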

