I want to start this lesson with a demonstration. By the end of it, I’m betting most of you are going to understand how hackers crack passwords in seconds, open a password manager, and start changing things.
Most people know “longer is more secure.” But knowing it intellectually and understanding what that actually means against real hardware are very different things. We’re going to look at this with actual numbers. A modern consumer GPU tests 400 billion password guesses per second. Take a moment to really picture that — four hundred billion. Per second.
I’m going to walk you through every major password attack technique, show you real terminal output from cracking tools, and give you the cracking-time table I want you to screenshot and keep. When we’re done, you’ll never think about passwords the same way again.
Attack Type 1: Dictionary Attacks — Where Every Attacker Starts
Here’s something important to understand: attackers are not stupid. They don’t start by trying “aaaaaaa,” then “aaaaaab,” then “aaaaaac.” That would take forever. They start with passwords that real humans actually use.
The RockYou2024 wordlist contains 9.9 billion real passwords collected from data breaches. These are actual passwords that real people chose, compiled into one giant list. Before an attacker runs a single brute-force attempt, they run every entry in this list first. If your password is anything a human being might reasonably choose, there’s a meaningful chance it’s in there — or something close enough that a rules attack will find it.
Attack Type 2: Rule-Based Attacks — Your “Clever” Substitutions Aren’t Clever
This is the part that surprises students the most, so pay attention. You think “P@ssw0rd!” is a good password because you replaced the “a” with “@” and the “o” with “0” and added “!”. That’s smart thinking, right?
Wrong. Attackers know you think that. They know everyone thinks that. Hashcat ships with pre-built rule files that automatically apply every common substitution pattern to every word in the dictionary. Capital first letter? Covered. Numbers at the end? Covered. Exclamation mark? Covered. l33tspeak? Covered.
“Summer2024!” takes under a minute because it’s “Summer” (a dictionary word) + a year (rule: append year) + “!” (rule: append symbol). The tool figured that out automatically. There’s no cleverness that protects you here.
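The defensive side of this: a password policy check that undoes the same transformations a rule attack would apply (strip the appended symbol and year, reverse the l33t substitutions, normalise case) and rejects the candidate if what is left is a dictionary word. This is an added example, not code from the lesson or from hashcat; the wordlist is a constructed stand-in for a breach-derived list such as RockYou2024, and the l33t mapping is a representative subset.

```python
import re

# Constructed mini wordlist standing in for a breach-derived list such as RockYou2024
# (assumption: a real policy check would load the full list from disk).
COMMON_WORDS = {"password", "summer", "winter", "welcome", "dragon", "monkey", "letmein"}

# Reverse of the common l33t substitutions that rule files apply (a representative subset).
UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i", "$": "s", "5": "s", "7": "t"})


def base_word(candidate: str) -> str:
    """Undo the transformations a rule attack would have applied and return the base word.

    Appended symbols and digits (a year, '123') come off the end first, then l33t
    characters inside the word are mapped back to letters and the case is normalised.
    """
    stripped = re.sub(r"[^A-Za-z0-9]+$", "", candidate)  # "Summer2024!" -> "Summer2024"
    stripped = re.sub(r"\d{1,4}$", "", stripped)          # "Summer2024"  -> "Summer"
    stripped = re.sub(r"[^A-Za-z0-9]+$", "", stripped)    # symbols that sat before the digits
    return stripped.translate(UNLEET).lower()             # "P@ssw0rd"    -> "password"


def policy_verdict(candidate: str, wordlist=COMMON_WORDS) -> str:
    """Reject a candidate whose base word is in the wordlist: a rule attack would find it."""
    return "reject" if base_word(candidate) in wordlist else "accept"


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Summer2024!", "Dragon123", "kX9#mP!vL2@qR7nX"]:
        print(f"{pw:20} -> base word {base_word(pw)!r:14} {policy_verdict(pw)}")
```

The "clever" candidates all collapse to a five- or eight-letter word and are rejected; the manager-generated string does not reduce to anything and passes.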
Attack Type 3: Brute Force — When All Else Fails, But It Will Eventually Succeed
When dictionary and rule attacks fail, brute force is the nuclear option: try every single possible combination of characters. A, B, C… AA, AB, AC… It will eventually find any password. The only question is: will it find it before the heat death of the universe?
This is where length becomes your absolute best friend. Look at this table carefully. I want you to genuinely absorb the difference between 8 characters and 12 characters.
| Password Length | Characters Used | Time (RTX 4090) |
|---|---|---|
| 6 chars | Lowercase only | Instant |
| 8 chars | Lower + upper + numbers | 22 minutes |
| 10 chars | Lower + upper + numbers | 6 days |
| 12 chars | Lower + upper + numbers + symbols | 3,000 years |
| 16 chars | Lower + upper + numbers + symbols | Billions of years |
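The arithmetic behind the table, as an added example that is not part of the lesson: the keyspace is the alphabet size raised to the length, and the worst-case time is that keyspace divided by the guess rate. It uses the lesson's 400 billion guesses per second as the assumed offline rate and an assumed 10 guesses per second for a rate-limited online login; absolute figures depend on the hash algorithm and hardware, so they will not match the table row for row, but the growth with length is the point.

```python
GUESSES_PER_SECOND = 400_000_000_000  # the lesson's 400 billion/s GPU figure (assumed offline rate)
ONLINE_RATE = 10                      # assumption: a rate-limited login form, ~10 guesses/s
SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes for the character classes in the table above.
CHARSETS = {
    "Lowercase only": 26,
    "Lower + upper + numbers": 62,
    "Lower + upper + numbers + symbols": 95,
}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate strings of exactly `length` characters from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate (the attacker may get lucky sooner)."""
    return keyspace(length, alphabet_size) / rate


def added_cost_of_length(extra_chars: int, alphabet_size: int) -> int:
    """Every extra character multiplies the work by the alphabet size; this is the factor."""
    return alphabet_size ** extra_chars


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits; anything under a second is 'instant'."""
    for name, size in [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "instant"


if __name__ == "__main__":
    rows = [(6, "Lowercase only"), (8, "Lower + upper + numbers"), (10, "Lower + upper + numbers"),
            (12, "Lower + upper + numbers + symbols"), (16, "Lower + upper + numbers + symbols")]
    for length, charset in rows:
        size = CHARSETS[charset]
        print(f"{length:2} chars, {charset:34}: {human_time(seconds_to_exhaust(length, size))} offline, "
              f"{human_time(seconds_to_exhaust(length, size, ONLINE_RATE))} online")
    # Going from 8 to 12 characters of the 62-character set multiplies the work by 62**4.
    print("8 -> 12 chars costs the attacker", f"{added_cost_of_length(4, 62):,}", "times more work")
```

The online column shows why the hash matters: the same 8-character password that falls in minutes offline takes hundreds of thousands of years through a rate-limited login, which is why attackers want the hash.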
Attack Type 4: Credential Stuffing — The Attack That Doesn’t Crack Anything
This one trips students up because it’s not really “cracking” at all — it’s using passwords that are already known.
Here’s the scenario: you signed up for a gaming forum in 2018 and used the same email and password you use for Gmail. That forum gets breached in 2021. Your email + password combination is now in a public dump. An attacker feeds that dump into an automated tool that tries it on Gmail, Outlook, PayPal, Amazon, your bank — thousands of services simultaneously.
Your Gmail password might be incredibly strong. Doesn’t matter. The attacker isn’t cracking it — they already have it. That’s credential stuffing. And it works because people reuse passwords.
Class exercise: go check right now — SecurityElites Email Breach Checker. How many of your accounts have been in breaches? Be honest with yourself.
The Only Defence That Actually Works
After everything we’ve covered, I want to give you the single most important takeaway from this lesson. One thing. Write it down.
The only password a human cannot crack is one a human didn’t create.
Every password you invent has patterns. Patterns from your life, patterns from how humans construct memorable strings, patterns from the “clever” substitutions you think no one else has thought of. All of those patterns are in hashcat’s rules. All of them.
A 16-character string generated by a password manager — kX9#mP!vL2@qR7nX — has none of those patterns. It’s not in any wordlist. No rule attack can predict it. The only option is brute force, and at 16 characters of full character set, that’s billions of years.
Your homework from this lesson: install a password manager (Bitwarden is free and excellent). Generate a new random password for your email account. Then your bank. Then work outwards. This is the single most impactful security action most of you will ever take.
Read more about how credential attacks work in our Exploitation guide. And for understanding how your password might have ended up in a breach database, our Data Breach News section covers the major incidents.
Frequently Asked Questions – How Hackers Crack Passwords
Can hackers crack passwords without the hash?
If the attacker doesn’t have the password hash, they need to attack the live system — which is much harder due to lockout policies and rate limiting. Password cracking in the traditional sense requires the hash, which attackers get from breaches, database dumps, or memory extraction.
Are passphrases better than passwords?
A long passphrase like “correct horse battery staple” (20 characters) is significantly harder to brute force than “P@ss1!” (6 characters). However, common phrases and song lyrics are also in attacker wordlists. The best approach is still a randomly generated password from a password manager.
What is the fastest way hackers crack passwords?
The fastest method is a dictionary attack combined with rule-based transformations. Hackers use massive databases of leaked passwords and apply variations like adding numbers or symbols. If a password matches a known pattern, it can be cracked almost instantly.
Can hackers crack strong passwords?
Strong passwords that are long, random, and unique are extremely difficult to crack. A 16+ character password with mixed symbols, numbers, and letters can take billions of years to brute force with current technology, making it practically uncrackable.
What tools do hackers use to crack passwords?
Hackers use tools like Hashcat, John the Ripper, and Hydra to perform password cracking. These tools support multiple attack types including dictionary attacks, brute force, and rule-based attacks, often accelerated by GPUs.
How can I protect my password from being hacked?
You can protect your password by using a password manager to generate long, random passwords for each account. Avoid reusing passwords, enable two-factor authentication, and regularly check for data breaches using trusted tools.