It’s no surprise that successful data breaches can frequently be traced back to weak or stolen passwords. Research for the 2023 State of the Phish report from Proofpoint found that only 31% of working adults manually enter a unique password for each work account. Worse, 8% of them even gave out their passwords in threat situations.
These worrying statistics underscore the risks that poor password management pose. When users don’t take password safety seriously, the attack surface of an entire organization is exponentially increased.
To help your organization significantly reduce its risk of data loss and account compromise, we’ve put together a list of some of the most common password cracking techniques, how they work, and tips for keeping your organization safe.
What is password cracking?
Password cracking typically refers to the process of recovering scrambled passwords. It can be used to help a user get back a forgotten password or to help a system administrator check for weak passwords. But more often, password cracking is used by bad actors to gain unauthorized access to systems and resources.
As an attack vector, password cracking is incredibly varied. Threat actors use specialized tools, multiple techniques and even blend complimentary tactics to boost their chances of success. To get a clearer picture of how they all fit together, it helps to understand that attacks typically fall into two categories:
- Password guessing
- Password cracking
Strictly speaking, password guessing and password cracking are not the same thing, even though the terms are often conflated. Password guessing is an online technique where a bad actor uses various combinations of characters in a process of trial and error. In contrast, password cracking refers to an offline process where an attacker attempts to decipher plaintext passwords from their encrypted forms. Because these techniques are typically lumped together, we’re covering both of them here.
5 Common password cracking techniques
While there are multiple ways that threat actors crack passwords, here are a few of the most common:
1. Brute-force attack
With this relatively old but effective attack method, bad actors use automated scripts to try out possible passwords until the correct one works. Brute-force attacks can be very time consuming because they take a systematic approach to trying all possible permutations of characters in a sequence. The longer the password, the longer it takes.
Brute-force attacks are most successful when users have common or weak passwords, which can be “guessed” by tools in a matter of seconds. Cracking a strong password might take a few hours or days.
Admins who want to defend against to these attacks have several options, including:
- Limiting the number of times a password can be tried
- Blocking an IP address after it has attempted—and failed—to enter the correct password after a certain number of times
- Locking accounts after a certain number of unsuccessful login attempts
- Imposing a time delay between attempts
- Increasing the level of effort, like adding a CAPTCHA or adding multifactor authentication
2. Dictionary attack
These attacks are similar to brute-force attacks, but they’re less about quantity and more about quality. In other words, instead of trying every possible combination, bad actors start with the assumption that users are likely to follow certain patterns when they create a password. So they will home in on the most likely words rather than trying everything.
Some users pick easy to remember passwords, like “password” or “123abc.” Others follow predictable patterns that can vary by region—users might pick words related to their favorite sports teams, local landmarks, city names, and so on. So, for example, a New Yorker might choose “yankeefan1998.” Attackers collect lists of likely passwords into attack dictionaries. Then, they augment likely passwords with numbers, letters and characters for longer passwords.
While these lists aren’t as long as those used in brute-force attacks, they can be quite large. So attackers use automated scripts to try each password on a username until they’re locked out.
3. Credential stuffing attack
With credential stuffing, bad actors take advantage the tendency for users to reuse the same usernames and passwords for multiple accounts. As more credentials are exposed through data breaches, the opportunity for these types of attacks is growing.
Here’s how it works. Pairs of compromised usernames and passwords are added to a botnet that automates the process of trying those credentials on multiple sites at the same time. The purpose of these attacks is to identify account combinations that work and can be re-used across multiple sites.
These attacks have a relatively low success rate, but the impact of a large-scale botnet attack is often anything but small.
4. Hybrid attack
When users change their password, they’ll often add a few extra numbers, letters or characters at the end. Hybrid attacks take advantage of this tendency.
Often, hybrid attacks are a mix of dictionary attacks and brute force. In this case, a bad actor may get a user’s compromised password for one site. The user learns it has been compromised and changes it. The attacker will now try out variations of the old password using a brute force method that automates the additions of numbers, letters and more.
While this method is more time-consuming than a simple dictionary attack, it’s faster than a brute-force attack.
5. Rainbow table attack
To keep passwords safe, any responsible organization that stores passwords won’t keep them in their original plaintext form. Rather, they use a hashing algorithm to convert passwords into a string of seemingly random letters and numbers. They might even hash this output a second time in a process called “salting” to make the password even more difficult to crack.
But there are only a limited number of hashing algorithms. And they hash the same passwords the same way every time. As a result, attackers can develop databases of common passwords that they’ve been able to decode. Once they have deciphered a password, they store it in a database called a rainbow table.
When attacker gets a new hashed password, they check to see if it matches any of the precomputed hashes stored in their rainbow table. The downside to rainbow tables is that they take considerable time and effort to create. And they often don’t work on passwords that have been salted.
Tips to protect your organization against password attacks
Safe passwords may seem like a trivial piece of your cybersecurity strategy. But passwords are the most common way that cyber criminals gain unauthorized access to confidential data and systems. That makes strong passwords essential to keeping your organization safe. All types of businesses, organizations and institutions can benefit from these password best practices:
- Create strong password policies. Users don’t typically have the best password hygiene. Consider a password policy that requires a minimum passphrase length (ideally greater than 20 characters), requires the use of special characters, and forces users to reset their passwords regularly.
- Use multifactor authentication. When MFA is used, password cracking is mostly neutralized (though a growing number of attacks employ MFA-bypass techniques). An attacker might figure out a user’s password, but in many cases, they still won’t have access to the secondary authentication method.
- Encrypt, hash and salt passwords. Both encrypting and hashing exponentially increase the effort and the computing power that’s required for attacks. And salting makes the process that even harder.
- Update systems regularly. When systems aren’t updated, malware that tracks users’ keystrokes can infect emails, files and applications. In these so-called keystroke attacks, bad actors gather user credentials and other sensitive information. Updated systems can prevent these attacks.
By implementing these measures, organizations can effectively stop sensitive information from ending up in the wrong hands.
The future of password security
There’s no doubt that passwords have security issues. That’s why the popularity of password-less authentication is on the rise.
Password-less authentication is generally believed to be more secure than standard passwords. It works by enabling users to prove they are who they say they are by matching them with something unique to them, like their voice or a security token. These security methods are commonly used with two-factor authentication (2FA). Here are a few examples:
- Biometrics. With this method, a user’s unique characteristics, like their fingerprint, palmprint, voice or face, are saved and encrypted. When a user wants to log in, they verify who they are by resubmitting their biometrics.
- Time-based one-time password (TOTP). This a temporary passcode is generated by an algorithm. They are typically six characters long and change after 30 or 60 seconds. Google Authenticator and Microsoft Authenticator are two good examples. In another variation, the user scans a QR code using a specific smartphone application—and then that app generates the TOTP for the user.
- One-time pin (OTP). When a user attempts to login, an OTP—typically a six-digit code—is sent to their cell phone number via short message service (SMS) or email. The user has a limited amount of time to enter that code in the system. In another variation, a unique hyperlink is sent to the user who then clicks that so-called magic link to login.
- Push notifications. This method authenticates a user by sending a message to a secure application on their mobile device. When the user gets the notification, they can approve or deny access or view more details.
Password-less authentication is resistant to most password cracking methods. Plus, it alerts users if something is wrong. The disadvantages are that it’s more complex and often requires outside systems to function. So while the future of password security is moving towards being more secure, it’s not necessarily more user-friendly.
How Proofpoint can help
Proofpoint TAP Account Takeover helps businesses defend their email and cloud environments from threats, including:
- Brute-force attacks
- Business email compromise (BEC)
- Data exfiltration
- Attackers’ persistent access
Our solution provides insight into what types of threats are targeting email accounts. And, if an attacker manages to gain access to an account, it gives you the tools to take corrective action to protect that account.
For more information, see the Targeted Attack Protection data sheet or contact your Proofpoint sales representative.