It may seem like a method used by master hackers from spy films, but password cracking is real. So how are passwords cracked?
The obvious answer is that sophisticated computer software deciphers and works out passwords. That is true, but there is more to it than that.
There is an eye-opening number of different ways to crack a password, so we thought we’d go through the main methods:
Dictionary attack
Using data from previous hacking incidents, this method takes a bank of words and tries each of them against the account it’s trying to access.
This is a successful method because so many passwords are weak or extremely predictable. As we revealed in the weakest passwords of 2018, choosing sunshine or qwerty is a bad idea…
Brute force attack
In a similar vein to the dictionary method, this goes through a bank of words and then appends numeric combinations to them. For example, instead of just trying qwerty, this method will try qwerty123, qwerty1234, qwerty12345 and so on.
To put this into perspective, some brute force attacks try over 1 billion passwords when attempting to break into an account.
These attacks are effective, but successfully cracking a password this way can take weeks, months or even years!
Phishing
Probably the most recognisable method on this list. Phishing is a technique used to trick a user into revealing their login information. This can be done through an email attachment, an unsafe link or even through hardware being connected to the user’s device.
If a user does click a link, they are taken to what looks like the familiar login page of a service they would usually use (email, social media, banking etc.), where the details they enter are captured.
Shoulder surfing
Perhaps the most surprising method of password cracking, and the only one that involves physically being next to the victim. Shoulder surfing is the term for simply observing and remembering the password entered by a user.
But is shoulder surfing an actual thing in the workplace?
‘a 2016 study conducted by Memon and Nguyen found that 73 percent of mobile device users surveyed reported that they had observed someone else’s PIN (although not necessarily with malicious intent)’ Source.
Maybe see how many passwords and PINs you unintentionally observe.
Rainbow Table attack
A rainbow table is one of the more sophisticated methods. Here’s a basic overview of what it is and how it is used:
When a password is ‘tried’ against the system, it is ‘hashed’ so that the person trying to log in can’t trace what the actual password is. For example, if the tried password was ‘qwerty123’, the computer hashes the text into something like ‘986798yfffghh3635’, and it is this value that is stored in a table of data.
When the correct password is used to log in, the system compares its hash to the entry originally stored in the system. Because they match, the user is granted access.
A rainbow table is a precomputed list of alphanumeric passwords together with their hashes. A hacker uses it to look up the hashed entry stored on the device and find the password that produces it.
The interesting point here is that, unlike a brute force attack, the attacker’s input doesn’t have to be the original password. It only has to produce the same hash as the stored entry. Because the hashes are computed in advance rather than one at a time, hackers can get access quicker than with the previous methods.
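To make the point concrete, here is an added example (not code from the original article) of the simplest form of precomputed table: every candidate in the qwerty123-style list is hashed once, and an unsalted stored hash is then recovered with a single lookup. The same block shows the defence: a per-user random salt plus a slow key-derivation function, so a table built in advance never matches. SHA-256, PBKDF2 and the candidate list are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list in the style the article describes: a base word
# plus growing numeric suffixes (qwerty, qwerty1, qwerty12, ... qwerty123456789).
BASE_WORDS = ["qwerty", "sunshine", "password"]
CANDIDATES = [w + "123456789"[:n] for w in BASE_WORDS for n in range(0, 10)]

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def build_lookup_table(candidates):
    """Hash every candidate once; the table is reusable against any unsalted store."""
    return {sha256_hex(p): p for p in candidates}

def lookup_unsalted(stored_hash, table):
    """A single dictionary lookup recovers the password if it was in the table."""
    return table.get(stored_hash)

# Hardened storage: a random 16-byte salt per user and a deliberately slow KDF.
# The salt makes each stored hash unique, so no precomputed table can contain it,
# and the iteration count makes each guess expensive for everyone but the server.
def store_salted(password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_salted(password, salt, digest, iterations=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def demo():
    table = build_lookup_table(CANDIDATES)
    # Unsalted store of a weak password: the table finds it instantly.
    found = lookup_unsalted(sha256_hex("qwerty123"), table)
    # Salted store of the same weak password: the digest is not in the table.
    salt, digest = store_salted("qwerty123")
    found_salted = table.get(digest.hex())
    return found, found_salted, verify_salted("qwerty123", salt, digest)

if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong; it only forces the attacker to work per user instead of per table, which is why the slow KDF matters as much as the salt.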
Login information is being accessed and stolen daily, so it’s important that your data is properly protected. Make sure you have processes in place to regularly update passwords and evaluate security risks.
If you’d like to learn about how we can improve your Computer Security or get you Cyber Essentials qualified, then please get in contact with us on 02920 887 362 or send us an email at firstname.lastname@example.org