Brute Force Attacks: How Passwords Get Cracked
The Basic Principle of Brute Force Attacks
A brute force attack is the simplest, most direct password attack method: exhaustively trying every possible character combination until the correct password is found. A 4-character all-lowercase password has only 26^4 = 456,976 possibilities; a regular computer exhausts them in under a second. But as password length increases, the search space grows exponentially, and computational costs rapidly become prohibitive.
Modern attackers rarely use pure brute force because for sufficiently long random passwords, it's practically infeasible. Instead, they use smarter strategies: dictionary attacks, rule-based attacks, credential stuffing, and hybrid attacks. Understanding these methods helps us understand why "complex" but predictable passwords are still easily cracked.
Dictionary Attacks: The Attacker's Most Common Weapon
Dictionary attacks use a pre-prepared word list (a "dictionary") for guessing instead of exhaustive enumeration. This dictionary contains: common passwords ("password", "123456", "qwerty"); ordinary dictionary words; names, place names, brand names; passwords that have appeared in known data breaches. Large dictionaries can contain billions of entries, covering the vast majority of passwords users actually use.
Famous password dictionaries include RockYou (containing 14 million passwords extracted from real breaches), SecLists, and various dictionaries targeting specific languages (Chinese, Spanish, etc.). Attackers usually start with the most likely passwords, ordered by frequency, which makes dictionary attacks efficient at finding common passwords even when the number of guesses is limited.
Rule-Based Attacks: Making Dictionary Attacks Smarter
Rule-based attacks apply transformation rules to dictionary entries, greatly expanding attack coverage. Common rules include: capitalizing the first letter (password→Password); appending digits (password→password1, password123); character substitution (a→@, e→3, o→0, i→!); wrapping with symbols (password→!password!); reversing the string (password→drowssap); combining multiple rules (password→P@ssw0rd1).
Hashcat is currently the most powerful password cracking tool, with built-in rulesets containing thousands of transformation rule combinations. This is precisely why passwords like "P@ssw0rd" are cracked almost immediately despite appearing complex: every rule they follow is in the attacker's toolbox. Truly random passwords are secure precisely because they don't follow any of these rules.
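To make the point concrete, here is an added example (not code from the original article or from Hashcat) that implements the rule families listed above as a password checker: it reports whether a candidate password can be derived from a dictionary word by a short chain of mangling rules, which is the test a password policy should apply before accepting "P@ssw0rd1". The wordlist is a constructed four-word stand-in for a real dictionary such as RockYou.

```python
from itertools import permutations

# Constructed mini dictionary (assumption): a real check would load RockYou/SecLists.
WORDLIST = ["password", "welcome", "dragon", "letmein"]

# Character substitutions named in the article.
LEET = {"a": "@", "e": "3", "o": "0", "i": "!"}

# One function per rule family from the article; chains of these model "combining rules".
RULES = {
    "capitalize": lambda w: w[:1].upper() + w[1:],
    "leet": lambda w: "".join(LEET.get(c, c) for c in w),
    "reverse": lambda w: w[::-1],
    "wrap": lambda w: "!" + w + "!",
    "append1": lambda w: w + "1",
    "append123": lambda w: w + "123",
}


def expand(word, max_rules=3):
    """Yield (candidate, rule_chain) for every ordered chain of up to max_rules rules."""
    yield word, ()
    for n in range(1, max_rules + 1):
        for chain in permutations(RULES, n):
            cand = word
            for name in chain:
                cand = RULES[name](cand)
            yield cand, chain


def candidates_per_word(max_rules=3):
    """How many guesses the rule set produces from a single dictionary word."""
    return sum(1 for _ in expand("x", max_rules))


def rule_derivable(password, wordlist=WORDLIST, max_rules=3):
    """Return (base_word, rule_chain) if the password is a mangled dictionary word, else None."""
    for word in wordlist:
        for cand, chain in expand(word, max_rules):
            if cand == password:
                return word, chain
    return None


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "!Dragon!", "Qv7#zL2m"]:
        print(pw, "->", rule_derivable(pw) or "not derivable from wordlist")
```

Six rules chained up to three deep turn every dictionary word into 157 guesses, so the "complexity" added by substitutions and suffixes costs the attacker almost nothing; only a password with no dictionary base survives the check.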
Credential Stuffing: The Butterfly Effect of Data Breaches
Credential stuffing uses username-password combinations obtained from breached sites to attempt logins on other sites. This attack works because large numbers of users use the same password across multiple sites. Attackers purchase breached databases (on the dark web, a database with millions of credentials may cost just a few dollars), then use automated tools to simultaneously attempt logins against thousands of target sites.
In 2019, security researchers discovered "Collections #1-5," a dataset containing 2.2 billion breached credentials. This means if you registered on any compromised site at any point before 2019, your credentials are likely in some attacker's database. The principle of password uniqueness, a different password for every site, is the only effective defense against credential stuffing.
Online Attacks vs Offline Attacks
Password attacks fall into two categories, and understanding the difference helps formulate the right defense strategy. Online attacks: the attacker sends guessing requests directly to the login interface over the network. These are protected by rate limiting, account lockout, CAPTCHA, and other mechanisms, so an attacker can only attempt a few to dozens of guesses per second; only extremely weak passwords are threatened.
Offline attacks: the attacker obtains a password hash database (via a data breach) and cracks it locally with no rate limiting whatsoever. A modern GPU (like the RTX 4090) can attempt 60 billion MD5 hashes per second. Offline attacks are the real threat; this is why sites need to use slow hashing algorithms, and why your password must be strong enough to resist offline cracking.
How Improving GPU Power Affects Password Security
Over the past decade, GPU password cracking speeds have increased by about 100×: in 2013, a high-end GPU cracked MD5 at ~6 billion per second; in 2023, an RTX 4090 exceeds 60 billion per second; cloud computing means anyone can rent hundreds of GPUs for cracking. This computing power growth means that password lengths considered sufficient in 2013 may no longer be adequate in 2023.
However, there's an important mitigating factor for this threat: modern password storage algorithms (like Argon2, bcrypt) continue to be strengthened against cracking. By increasing work factors (time cost, memory cost), these algorithms can limit GPU cracking speeds to hundreds of attempts per second, greatly extending cracking time. This is why the choice of password storage algorithm is as important as password strength itself.
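The following added example (not from the original article) illustrates the offline-attack arithmetic from the two sections above: it benchmarks a fast unsalted hash (MD5) against a memory-hard password hash on the local machine and converts the measured rates into time-to-exhaust for a given search space. It uses Python's standard-library scrypt as a stand-in for Argon2/bcrypt, which are not in the standard library; the cost parameters and 0.25 s benchmark budget are assumptions chosen for a quick run.

```python
import hashlib
import os
import time

SALT = os.urandom(16)  # per-user random salt, as any password store should use


def md5_hash(pw: bytes) -> bytes:
    """Fast, unsalted hash: the kind a breached database should never contain."""
    return hashlib.md5(pw).digest()


def scrypt_hash(pw: bytes, n: int = 2**14, r: int = 8, p: int = 1) -> bytes:
    """Memory-hard hash. n = CPU/memory cost (about 128*n*r bytes of RAM), p = parallelism."""
    return hashlib.scrypt(pw, salt=SALT, n=n, r=r, p=p, dklen=32)


def measure_rate(hash_fn, budget_s: float = 0.25) -> float:
    """Hashes per second on this machine, measured over a small time budget."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget_s:
        hash_fn(b"guess%d" % count)  # constructed guesses, content irrelevant to timing
        count += 1
    return count / (time.perf_counter() - start)


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates for a random password over the given alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given hash rate."""
    return space / rate


def slowdown_factor(budget_s: float = 0.25) -> float:
    """How many times fewer guesses per second the slow hash allows versus MD5."""
    return measure_rate(md5_hash, budget_s) / measure_rate(scrypt_hash, budget_s)


if __name__ == "__main__":
    space = search_space(26, 8)  # 8 lowercase letters, the article's weak-password regime
    for name, fn in (("md5", md5_hash), ("scrypt", scrypt_hash)):
        rate = measure_rate(fn)
        print(f"{name:7s} {rate:12.0f} H/s  exhaust 26^8 in {seconds_to_exhaust(space, rate):.0f} s")
    print(f"slowdown factor: {slowdown_factor():.0f}x")
```

The absolute numbers depend on the CPU, but the slowdown factor is what matters: the work factor multiplies the attacker's time for every password in the breached database, which is the lever the site controls and the user does not.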
Defense Strategies as a User
The most effective defense measures available to users against the above attacks: first, high-entropy and unique passwords (randomly generated, independent per site), which eliminates most threats from dictionary attacks, rule-based attacks, and credential stuffing. Second, enable multi-factor authentication: even if the password is cracked, login is impossible without the second factor. Third, monitor for data breaches: use services like Have I Been Pwned and immediately update affected passwords when breaches occur.
An important realization: password attacks are mostly automated and large-scale, not targeted at specific individuals. Attackers generally won't spend time specifically cracking your password unless you're a high-value target. For ordinary users, simply following basic best practices (strong random passwords, uniqueness, MFA) is sufficient to remain secure against almost all automated attacks.