How Password Crackers Work (And How to Beat Them)
Reviewed by Jerry Croteau, Founder & Editor
Table of Contents
I was staring at a breach report at 11:47 PM and it made my stomach drop
I’d been messing with a login flow all day, shipping little fixes, patting myself on the back, and then I opened a fresh breach report from a vendor and saw the words “password hashes exfiltrated.” Not passwords. Hashes. And I remember thinking, honestly, okay… so we’re fine? Because hashes are “one-way,” right?
I nodded like I understood. I didn’t.
So I did what I always do when something doesn’t add up: I tried to break it myself in a controlled way and see what actually happens. And yeah… once you watch a password cracker chew through weak hashes, the whole “users will pick good passwords” fantasy kind of evaporates.
This is me walking you through how password crackers work in real life, and what you can do so they don’t work on you.
What a password cracker is actually doing (it’s not “hacking,” it’s guessing fast)
The thing is, password cracking usually isn’t some movie-style “I’m in” moment. It’s mostly math and patience and a lot of boring automation. If an attacker gets your password database, they typically don’t try to log in as everyone one by one. They take the hashes offline and guess passwords locally, as fast as their hardware allows. No rate limits. No MFA prompts. No WAF rules. Just guess → hash → compare → repeat.
And the reason this works is simple: users reuse passwords and pick predictable stuff. Names, seasons, keyboard walks, sports teams, “CompanyName2026”, or whatever. You don’t need genius guesses. You need volume.
So what’s a “hash” again? It’s basically a fingerprint of the password. You store the fingerprint, not the password. When someone logs in, you fingerprint what they typed and compare fingerprints. Same input, same output.
But here’s the part that confused me for way too long: “one-way” doesn’t mean “uncrackable.” It just means you can’t reverse the hash back into the password directly. Crackers don’t reverse. They guess.
So if your hash is something fast like unsalted MD5 (please don’t), the guesses-per-second number can be absurdly high. If it’s a slow, memory-hard hash like Argon2id, that number drops hard. That’s the whole game.
And yes, attackers use GPUs. A lot of them. Sometimes rented.
The three cracking modes you’ll see over and over
I’m going to keep this practical, because you don’t need a cryptography lecture. You need to recognize what you’re up against.
1) Dictionary attacks
They try a list of common passwords and leaked passwords. Think “rockyou”-style lists (and bigger ones). They’ll also try organization-specific guesses: product names, mascot, city, current year, and the CEO’s dog’s name if it’s on LinkedIn.
2) Rule-based / mangling attacks
This is where “Summer2026!” comes to die. They take dictionary words and apply transformations: capitalize first letter, append years, swap a→@, add “!” at the end, duplicate a word, and so on. It’s not random; it’s basically weaponized predictability.
3) Brute force / mask attacks
This is the “try everything” mode, but it’s usually constrained. Attackers don’t start with 20-character random strings. They start with patterns: 1 uppercase + 6 lowercase + 2 digits, or “wordword####”, or “????####” for four letters then four digits.
And if you’re thinking “well my users have 12 characters minimum,” cool. But if it’s “Password12345” with a minimum length policy, you didn’t really win anything. You just made the password longer.
Why some hashes fall instantly and others don’t (salt, cost, and the painful truth)
So here’s where people get tripped up: the password itself matters, but the storage matters just as much. A weak hashing setup turns even decent-ish passwords into easy targets.
Let’s talk about the three big levers you control:
Salts (unique per password). A salt is random data stored alongside the hash. It forces attackers to crack each password individually instead of using precomputed tables (rainbow tables) or reusing work across users with the same password. If two users pick the same password, their hashes should still look different.
Work factor / cost. This is you intentionally making hashing slower. You want login to take, say, tens of milliseconds on your server, because that turns into a massive slowdown for an attacker trying billions of guesses. Slow is good here (within reason).
Memory hardness. Argon2id is the usual recommendation these days because it forces memory usage, not just raw GPU compute. GPUs are great at parallel math; they’re less happy when memory becomes the bottleneck.
But… and this is the part that’s annoying… if your users reuse passwords that are already in breach lists, even the best hashing algorithm can’t save you from “they’ll try it on your login page.” Hashing protects the database. It doesn’t protect the account from credential stuffing.
So you need both: good hashing and good login defenses.
| Attacker situation | What they do | What fails | What actually helps |
|---|---|---|---|
| Stolen hash database | Offline guessing at high speed | Fast hashes, no salt, low cost | Argon2id/bcrypt + unique salts + tuned cost |
| Leaked password list | Credential stuffing against login | Only relying on “strong password rules” | MFA, rate limits, bot detection, breached-password checks |
| Targeted employee | Phishing, token theft, MFA fatigue | SMS-only MFA, no device binding | Phishing-resistant MFA (passkeys/security keys), conditional access |
| Internal threat / log access | Finds secrets in logs or config | Logging passwords/tokens, weak secret handling | Redaction, secret managers, short-lived tokens |
One more thing: don’t confuse “hashing” with “encryption.” You encrypt data you need to read later. You hash passwords because you should never need to read them. If your system can “email me my password,” it’s already a mess.
How to beat password crackers (the stuff I actually ship)
Okay, so what do you do Monday morning, not in a whitepaper fantasy?
1) Use the right password hashing algorithm (and configure it like you mean it)
Pick a modern password hash: Argon2id is a strong default; bcrypt is still common and acceptable if configured well. PBKDF2 can be okay in some environments, but you need a high iteration count and you should know why you’re choosing it.
And don’t just “turn it on.” Tune it. I usually aim for a hash time that’s noticeable in benchmarks but not noticeable to users — roughly in the ballpark of 50–200 ms on your production hardware (measure it; don’t guess). If your login endpoint is already slow, you’ll have to balance it, but the point stands: make guessing expensive.
2) Always salt (unique per user), and don’t get cute with it
This should be automatic in your auth library, but I still see hand-rolled systems where someone uses a single global salt in an env var. That’s not the same thing. Unique per-password salts stop attackers from getting “bulk discounts” on cracking.
3) Add a server-side pepper (optional, but I like it)
A pepper is a secret value stored separately from the database (like in a secret manager or HSM). If the DB leaks but the pepper doesn’t, cracking becomes way harder. It’s not a replacement for good hashing; it’s a second lock on the door. (And yes, you need a rotation story.)
4) Stop credential stuffing at the door
This is the part people skip because it’s “ops-y,” but it’s where a lot of account takeovers come from.
What I’ve had good results with:
- Rate limit by IP and by account identifier (email/username). Not just IP, because attackers rotate IPs.
- Progressive delays after failed attempts. A few hundred milliseconds becomes seconds pretty fast.
- Bot detection signals (device fingerprinting, suspicious ASN ranges, impossible travel checks). You don’t need to be perfect; you need to be annoying.
- Breach-password screening at signup and password change (so “Password123!” doesn’t even get accepted). It feels harsh, but it saves you later.
5) Turn on MFA, but pick the kind that doesn’t fold under phishing
SMS MFA is better than nothing, but it’s not where I’d stop if you’re protecting anything valuable. Passkeys (WebAuthn) and security keys are the direction things are going because they’re phishing-resistant. If you’ve never implemented them, it can feel like a lot, but once you see the support ticket volume drop, you’ll be weirdly happy.
6) Treat password resets like a primary auth flow
Attackers love reset flows. Make sure reset tokens are short-lived, single-use, and not logged. And don’t leak whether an email exists in your system via different error messages (that’s just free account enumeration).
7) Monitor like you expect to be attacked (because you will be)
Log failed logins, lockouts, password changes, MFA changes, and new device sign-ins. Alert on spikes. If you can’t see it, you can’t stop it.
And yes: if you’re building something internal and you think “nobody would target us,” that’s exactly the stuff that gets popped first. Attackers don’t care about your feelings. They care about your exposed login page.
So why does everyone get this wrong? Because “hashing” sounds like a checkbox, and it isn’t. It’s a system. And systems have weak links.
If you want to sanity-check how ugly the math gets, I keep a few calculators on ProCalc.ai for quick back-of-the-napkin estimates. Use them as reality checks, not gospel (attackers don’t follow your assumptions politely).
FAQ (stuff people ask me after they watch a crack demo)
Is a long password always safe?
Long helps, but only if it’s not predictable. “CorrectHorseBatteryStaple” (unique and not reused) is way better than “Spring2026Spring2026”. Also: if it’s reused and already leaked, length doesn’t matter much because attackers won’t guess it — they’ll just try it.
If I use bcrypt, am I done?
- You’re in a much better place than fast hashes, yeah.
- But you still need: unique salts (bcrypt handles this), a cost factor that’s not ancient, and defenses against online attacks (rate limits, MFA).
- And you need to rehash on login when you raise the cost later, otherwise half your userbase stays on the old settings forever.
What’s the easiest win if I can only do one thing this week?
Turn on MFA for high-risk accounts (admins, finance, support) and add rate limiting + progressive delays on login. That combo stops a ton of real-world takeovers even if your password policy is mediocre.
Related Calculators
Get smarter with numbers
Weekly calculator breakdowns, data stories, and financial insights. No spam.
Discussion
Be the first to comment!
