Home / Blog / The Science of Password Cracking: How Hackers Actu
Security · 15 min read
Published 2026-07-11 · Reviewed by sevi.fun Editorial Team

The Science of Password Cracking: How Hackers Actually Work

An in-depth examination of modern password cracking techniques, the mathematics of password strength, and what the latest research reveals about staying secure in 2025.

Password cracking has evolved from a niche skill into a sophisticated discipline that combines mathematics, computer science, psychology, and specialized hardware. Understanding how password crackers actually work is essential for anyone responsible for designing authentication systems or advising users on password security. This article examines the technical methods used by modern password crackers, presents research on real-world password patterns, and explains what the latest data reveals about creating passwords that resist attack.

The economics of password cracking

Password cracking is fundamentally an economic activity, whether the attacker is a security researcher testing hash strength or a criminal stealing credentials. The attacker invests compute resources (electricity, GPU time, cloud costs) and expects a return (compromised accounts, credential databases, ransomware access). When the expected return exceeds the compute cost, attacking is rational. When the cost exceeds the return, attackers move to easier targets.

The cost of password cracking has plummeted over the past decade. In 2012, cracking an 8-character password using all character types took about $20 in cloud GPU rental and approximately 8 hours. By 2025, the same password can be cracked in under 30 minutes for less than $2 using a cloud GPU instance. Hashcat benchmarks show that a single RTX 4090 GPU can compute 164 billion MD5 hashes per second, 24 billion SHA-256 hashes per second, or 2.4 million bcrypt hashes per second. A cracking rig with 8 GPUs, costing about $15,000 in hardware, multiplies these rates accordingly.

164 billion/sec
MD5 hashes crackable per second by a single RTX 4090 GPU as of 2024, according to Hashcat benchmarks. An 8-GPU rig multiplies this 8-fold.

The password cracking pipeline

Professional password cracking follows a systematic pipeline developed over decades by both security researchers and criminal groups. Understanding this pipeline reveals which password choices actually resist attack and which are merely illusory security.

Phase 1: Hash acquisition

Passwords are stored as hashes, one-way mathematical functions that produce a fixed-length output from any input. When a database is breached, attackers obtain these hashes but not the original passwords. The cracking process is attempting inputs until one produces the target hash. The hash algorithm matters enormously: MD5 and SHA-1 are fast to compute, making them easy to crack. SHA-256 is slower but still feasible. Bcrypt, scrypt, and Argon2 are intentionally slow, designed to make cracking expensive even with massive compute resources.

Modern systems use adaptive hashing algorithms like bcrypt or Argon2 with parameters that can be increased as hardware improves. A 2010 bcrypt cost factor of 10 (about 100ms per hash) would be too fast for 2025 hardware, so modern implementations use cost factor 12 or higher (about 400ms per hash). This adaptivity is the key defense against ever-faster cracking hardware.

Phase 2: Dictionary attacks

The first attack is always a dictionary attack, trying common passwords first. The RockYou breach of 2009, which exposed 32 million plaintext passwords, created the canonical wordlist that crackers still use today. The 2021 Collection #1-5 breach aggregated 2.2 billion unique credentials, creating an even larger dataset. Attackers preprocess these lists to remove duplicates, sort by frequency, and generate variations.

Statistical analysis of real password datasets reveals predictable patterns. The most common passwords are remarkably stable year over year: '123456', 'password', '123456789', '12345678', '12345', '1234567', '123456789', '12345', 'iloveyou', 'princess'. These appear in virtually every breach analysis. Approximately 0.5% of users use '123456' as their password, and the top 10,000 passwords cover about 30% of all users. This concentration means dictionary attacks succeed far more often than brute force would suggest.

Phase 3: Rule-based attacks

Real passwords are rarely dictionary words, but they are usually dictionary words with predictable modifications. Hashcat and John the Ripper support rule-based attacks that apply transformations to wordlists: capitalization (Password), appending digits (Password1, Password123), substituting symbols (P@ssw0rd, Pa$$word), appending years (Password2024), and combining words (correcthorse). Research shows that 70-80% of real passwords can be derived from dictionary words using fewer than 100 common rules.

The Pwned Passwords database, maintained by security researcher Troy Hunt, contains over 600 million real-world passwords exposed in breaches. The servi fun Password Generator recommends checking generated passwords against this database, though since the generated passwords are random 16+ character strings, they will never appear in breach databases.

Phase 4: Mask attacks

Mask attacks exploit the fact that humans create passwords with predictable structures. A typical password might be: one capital letter, three lowercase letters, two digits, one symbol (e.g., 'John23!'). This structure can be expressed as a mask: ?u?l?l?l?d?d?s. Mask attacks try all combinations matching the mask, which is far faster than trying all combinations of all characters. If 80% of passwords match one of 10 common masks, attackers will focus on those masks first.

Analysis of breached password datasets reveals the most common password structures: 8-10 characters, starting with a capital letter, ending with a digit or symbol, containing dictionary words. If your password matches this pattern, it will be cracked quickly regardless of length. The Password Generator on sevi.fun avoids all human patterns by using cryptographically secure randomness.

Phase 5: Markov chain attacks

Markov chains model the probability of the next character based on previous characters, learned from real password datasets. English passwords tend to follow English letter frequencies (e, t, a, o, i, n, s, h, r), so 'th' is more common than 'xz'. Markov chains can generate password candidates that look like real passwords without being in any wordlist, dramatically improving crack rates compared to pure brute force.

Research presented at DEF CON in 2019 showed that Markov chain attacks using 4-gram models trained on the RockYou dataset could crack 60% of passwords in a test set using only 10 billion guesses, compared to 40% for rule-based attacks and 25% for pure brute force. This demonstrates that even passwords avoiding obvious dictionary patterns remain vulnerable to statistical attacks.

Phase 6: Brute force

Pure brute force, trying every possible combination, is the last resort. For 8-character passwords using all character types (94 possible characters), the search space is 94^8 = 6.1 quadrillion combinations. At 164 billion hashes per second (single RTX 4090, MD5), this takes about 37,000 seconds or 10 hours. For 12 characters, the search space is 94^12 = 4.8 x 10^23 combinations, requiring about 92,000 years. For 16 characters, it is 94^16 = 4.4 x 10^31 combinations, requiring about 8.5 billion years. Longer passwords are not just harder to crack, they are effectively impossible to crack with any foreseeable technology.

8.5 billion years
Time to brute force a 16-character password using all character types at 164 billion MD5 hashes per second. The universe is about 13.8 billion years old.

The mathematics of password strength

Password strength is measured in bits of entropy, a logarithmic measure of search space. Each bit doubles the search space. A password with 40 bits of entropy has 2^40 (about 1 trillion) possible values. With 80 bits, it has 2^80 (about 10^24) possible values. The threshold for 'strong' is typically 60 bits, 'very strong' is 80 bits, and 'cryptographically unbreakable' is 128 bits or more.

Entropy calculation depends on how the password was generated. For a truly random password of length L using a character set of size C, the entropy is L times log2(C). For all 94 printable ASCII characters, log2(94) = 6.55 bits per character. So a 16-character random password has 16 times 6.55 = 104.8 bits of entropy. For lowercase only (26 characters), log2(26) = 4.7 bits per character, so a 16-character lowercase password has 75.2 bits of entropy.

Human-generated passwords have far less entropy than their length suggests. Research by Joseph Bonneau at Cambridge analyzed 70 million passwords and found that human-generated 8-character passwords have about 18-30 bits of entropy, not the 52 bits that 8 random characters would provide. This is because humans use patterns: dictionary words, names, dates, keyboard patterns. A human '8-character password' is closer in strength to a 4-5 character random password.

What the latest breach data reveals

The 2024 Verizon Data Breach Investigations Report analyzed 30,000 real-world security incidents and found that 77% of basic web application attacks involved stolen credentials. The most common attack methods were: credential stuffing (using breach credentials across sites), phishing (tricking users into revealing passwords), and password spraying (trying common passwords against many accounts). Brute force cracking of stored hashes, while technically possible, was rare in practice because easier attacks usually suffice.

This data has important implications. First, password reuse is the dominant threat, not weak passwords. A unique weak password is safer than a reused strong password, because breaches expose the strong password and credential stuffing compromises the reused accounts. Second, multi-factor authentication defeats most attacks, because even with the password, the attacker cannot access the account without the second factor. Third, password managers that generate unique random passwords for each site solve both the reuse problem and the weak password problem simultaneously.

The case against mandatory password policies

For years, organizations enforced password policies: minimum 8 characters, must include uppercase, lowercase, digits, and symbols, must change every 90 days. The NIST Special Publication 800-63B, revised in 2017, overturned most of these requirements based on research showing they did not improve security and often made it worse.

The research findings were striking. Mandatory complexity requirements led users to make predictable modifications: 'password' became 'Password1' became 'Password1!' with each forced change. Users wrote passwords on sticky notes, reused passwords across accounts, and forgot passwords frequently. The policies created user friction without meaningful security benefit. The new NIST guidelines instead recommend: minimum 12 characters (length matters more than complexity), no mandatory composition rules, no mandatory periodic changes, screening against known compromised passwords, and support for paste functionality to enable password manager use.

Hardware-accelerated cracking and the future

Password cracking hardware has evolved from CPUs (millions of hashes per second) to GPUs (billions of hashes per second for fast algorithms) to specialized hardware. Application-specific integrated circuits (ASICs) designed for Bitcoin mining can be repurposed for some hash algorithms, achieving trillions of hashes per second for SHA-256. Field-programmable gate arrays (FPGAs) offer flexibility and efficiency for hash cracking. Cloud services rent GPU clusters by the hour, making massive cracking affordable.

The future of password cracking includes quantum computing, which theoretically threatens some cryptographic algorithms via Shor's algorithm. However, password hashing algorithms like bcrypt and Argon2 are resistant to quantum attacks because they rely on one-way functions that quantum computers do not substantially accelerate. Post-quantum cryptography standards are being developed by NIST, but for password storage, current adaptive hashing algorithms remain secure against foreseeable quantum capabilities.

Defending against modern cracking

For individuals, the recommendations are straightforward. Use a password manager to generate and store unique random passwords for each account. The sevi.fun Password Generator creates cryptographically secure passwords using the Web Crypto API, suitable for use with any password manager. Enable multi-factor authentication on all important accounts, especially email, banking, and password manager master accounts. Use a strong master password for your password manager, ideally a passphrase of 4-6 random words that is both strong and memorable. Check your email addresses at Have I Been Pwned to learn about known breaches and change passwords for any compromised accounts.

For organizations, the recommendations are more technical. Use adaptive hashing algorithms (bcrypt with cost factor 12+, scrypt, or Argon2) for password storage. Implement rate limiting on login attempts. Require multi-factor authentication for all accounts, with hardware keys for privileged users. Monitor for credential stuffing attacks. Implement a breach response plan that includes forced password resets when hashes are exposed. Educate users on password managers and provide a recommended tool.

Conclusion

Password cracking is a sophisticated discipline that combines technical methods (dictionary attacks, rules, masks, Markov chains, brute force) with psychological insights (human password patterns) and economic calculations (compute cost versus expected return). The mathematics of password strength show that length matters more than complexity, and that human-generated passwords have far less entropy than their length suggests. The latest breach data reveals that password reuse is the dominant threat, not weak passwords, and that multi-factor authentication defeats most attacks. The sevi.fun Password Generator provides cryptographically secure passwords using the Web Crypto API, running entirely in your browser for maximum privacy. Combined with a password manager and multi-factor authentication, generated passwords provide defense against all foreseeable cracking techniques. As hardware continues to advance and new attack methods emerge, the fundamentals remain: use unique random passwords, enable MFA, and monitor for breaches. The science of password cracking will continue to evolve, but the defenses against it are well-established and accessible to everyone.

References and further reading

  1. NIST Special Publication 800-63B. (2017, revised 2020). Digital Identity Guidelines: Authentication and Lifecycle Management.
  2. Verizon. (2024). Data Breach Investigations Report. 17th annual edition.
  3. Bonneau, J. (2012). The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. IEEE Symposium on Security and Privacy.
  4. Hunt, T. (2024). Pwned Passwords. Have I Been Pwned database, version 8.
  5. Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B. (2009). Password Cracking Using Probabilistic Context-Free Grammars. IEEE Symposium on Security and Privacy.
  6. Komanduri, S., Shay, R., Kelley, P. G., et al. (2011). Of Passwords and People: Measuring the Effect of Password-Composition Policies. CHI Conference.
  7. Hashcat. (2024). Benchmark documentation and GPU performance database.
  8. Electronic Frontier Foundation. (2024). Surveillance Self-Defense: Creating Strong Passwords.

Use our free tools

All 41 premium tools on sevi.fun are free, no sign-up required.

Explore All Tools