Passwords stand as a barrier to accessing your accounts, and this is why cybercriminals are so keen on targeting them. The act of cracking passwords is hugely popular, but there's more than one method that can be used here.

So, in what ways can password cracking be conducted, and can you avoid it?

What Is Password Cracking?

Password cracking is used to uncover users' passwords so that their accounts can be hacked by cybercriminals.

So many of our accounts, such as those used for banking, socializing, shopping, and working, are protected by passwords, so it's no surprise that hackers want to get their hands on this data.

Enter password cracking. Using various methods, malicious actors stand the chance of uncovering your true password, giving them access to your account if they also have your email address or username (which can be worryingly easy to get a hold of).

Depending on the complexity of your password, it could be cracked within anywhere from a couple of seconds to millions of years. Simple passwords are obviously easier to crack, so it's important to structure your password effectively to ward off hackers (which we'll discuss later on).

Over the years, password cracking has diversified into numerous methods—some more successful than others. So, what methods are most commonly used by hackers when cracking passwords?

1. Brute Force Attacks

Brute force attacks are frequently used by cybercriminals to hack accounts. This cracking method involves running through every possible combination of letters, numbers, and symbols that may be included in a given password. It is essentially a trial-and-error method, or process of elimination, that continues until the correct phrase is reached.

Brute force attacks are particularly effective on simpler passwords, such as those that lack a mix of letter cases, symbols, and numbers.

A brute force attack can be completed in less than a minute, though there are many cases in which it would take a lot longer. Some cybercriminals will let the process go on for weeks, months, or even years, depending on how valuable the password is. If the brute force attack is successful, it will land on the correct password, giving the hacker access to whatever they're trying to compromise.

2. Phishing

Phishing is a popular cybercrime tactic, and can be used for data theft and the spread of malware. When it comes to password cracking, data theft is the obvious goal of the phishing attack.

Phishing attacks commonly take place via email, SMS, or social media (notably DMs). When login credentials are the target, the attack will often involve the malicious actor sending targets a communication impersonating an official entity.

For example, a scammer could email a victim claiming to be an employee of the victim's bank. The email typically states that unusual activity has been detected on the account and that the recipient needs to log in online to verify whether it was them. Below the text, a link to the alleged login page is provided. In reality, this links to a malicious phishing page designed to look almost identical to the official login page, which steals whatever data the victim enters.

If the victim falls for the scam, they will enter their login credentials on the phishing page, which are then collected by the attacker. At this point, the attacker has the username and password for the victim's account, giving them unauthorized access.

3. Man-in-the-Middle Attacks

As the name suggests, Man-in-the-Middle (MitM) attacks involve a malicious actor placing themselves between a victim and an application or website.

Man-in-the-middle attacks can come in many forms, including:

  • Email hijacking.
  • HTTPS spoofing.
  • HTML spoofing.
  • SSL spoofing.
  • Wi-Fi spoofing.

One form of man-in-the-middle attack involves the malicious operator actively eavesdropping on the interaction between a user and a server. In such a scenario, the attacker will access a network via a weakness, and then scan an application or site for a security vulnerability. When a vulnerability is found, they will target it, and then begin targeting users when they interact with apps and websites through the compromised network.

Then, when the victim enters any kind of data, or receives data from the application, it will be viewable to the attacker. In this case, if they enter a password, it can be retrieved by the attacker. If this data needs to be decrypted, this will be the next step. Now, the victim's data can be used by the malicious operator in whichever way they desire.

4. Keylogging

Image: smartphone with eye on screen chained to padlock (Image Credit: Stock Catalog/Flickr)

Keylogging is a data theft method that involves logging every keystroke a victim makes on their device, be it a desktop PC, laptop, tablet, smartphone, or similar.

Keyloggers come in the form of malware: malicious programs used to attack a device. When a device is infected with a keylogger, the malicious operator can then see everything the victim is typing, which could be emails, payment information, login credentials—or anything really!

So, if you ever log into an account on a device infected with a keylogger, or simply type your login credentials into a notes app or password manager, whatever you enter can be seen. These credentials will then be taken by the attacker and used to access one or more of your online accounts.

You need to know how to detect and remove keyloggers to protect your data if your devices become infected.

How to Avoid Password Cracking

Avoiding password cracking requires a couple of measures, naturally starting with the passwords you use. While it's tempting to use a simple password for all of your accounts, this massively exposes you to password cracking, specifically brute force attacks. Most websites will outline some requirements for password creation, such as mixed case, the use of symbols and numbers, and a minimum length overall.

These are solid parameters to follow, but there are also other things you should avoid, such as using personal information (e.g. birthdays, names, etc.) in your passwords. You should also avoid using the same password for all of your accounts: if your credentials get into the hands of an attacker, they stand the chance of doing even more damage by compromising more than just one account.
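To make the link between password structure and brute-force effort concrete, here is a short Python script (an added example, not code from the article) that works out the worst-case search space an exhaustive attacker faces for a password built from the character classes it uses, turns that into a time estimate at an assumed guess rate, and checks the password against the guidance above: mixed case, symbols, numbers, a minimum length, and no personal information. The rate of ten billion guesses per second and the 12-character minimum are assumptions chosen for the illustration; real rates depend on how the service hashes its passwords and on the attacker's hardware.

```python
"""Worst-case brute-force search space and structural checks for a password.

Added example for this article, not code from it. The guess rate and the
minimum length are assumptions picked for illustration.
"""
import string

# Assumed attacker capability: guesses per second. The real figure depends
# on the hash the service uses and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Character classes. Once an exhaustive search has to include a class, every
# character in it widens the alphabet for every position of the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Candidates an exhaustive search covers in the worst case: the size of
    the combined alphabet raised to the password length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate


def format_duration(seconds):
    """Render seconds in the largest convenient unit, one decimal place."""
    for name, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def policy_violations(password, personal_info=(), min_length=12):
    """Reasons the password fails the article's guidance: minimum length, a
    mix of all character classes, and no personal information (case-insensitive)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = set(CLASSES) - classes_used(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    return problems


def describe(password):
    """One-line summary of the structural strength of a password."""
    return (f"{len(password)} characters, {len(classes_used(password))} "
            f"character classes, worst case {format_duration(worst_case_seconds(password))}")


if __name__ == "__main__":
    # "Smith" and "1990" stand in for a user's surname and birth year (constructed).
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", describe(candidate))
        for problem in policy_violations(candidate, personal_info=("Smith", "1990")):
            print("   ", problem)
```

At the assumed rate, `describe("password")` reports a worst case of about 21 seconds, while `describe("Tr0ub4dor&3")` reports roughly 16,000 years: the difference between one character class over eight positions and four classes over eleven. The policy check is deliberately simple; it flags structure and obvious personal details but says nothing about whether the password appears in leaked-password lists, which is why reuse across accounts remains a separate risk.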

On top of refining your passwords, you should also know how to spot phishing communications, as these are also used to steal login credentials. Some signs you should always look out for include:

  • Poor spelling and grammar.
  • An unusual email address.
  • Links included in the message, especially to login pages.
  • Links that a checking site has highlighted as malicious.
  • Overly persuasive/urgent language.
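The signs in the list above can be checked mechanically, which is roughly what mail filters do. The Python below is an added example written for this article, not code from it: it takes a single HTML email, compares the sender's domain with the organisation the message claims to come from, finds links that lead away from that domain (including the common trick of visible link text that names the real site while the href points elsewhere), and looks for urgent phrasing. The two sample messages, the reserved domains `bank.example` and `*.invalid`, and the keyword list are all constructed for the illustration; spelling and grammar are left to the human reader.

```python
"""Check one HTML email for the phishing signs listed in the article.

Added example, not part of the original article. The sample messages, the
expected domain and the keyword list are constructed for illustration.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that push the reader to act quickly (constructed list).
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "verify now")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:        # only text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host, domain):
    """True if host is the domain or a subdomain of it. A plain substring test
    would wrongly accept bank.example.attacker.invalid."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(msg):
    """Domain part of the From header, or '' if none is present."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def phishing_indicators(raw_message, expected_domain):
    """Return the signs found in a non-multipart HTML message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    found = []

    # Sign: an address that does not belong to the organisation it claims to be.
    domain = sender_domain(msg)
    if not belongs_to(domain, expected_domain):
        found.append(f"sender domain {domain!r} is not under {expected_domain!r}")

    # Sign: links leading away from the expected domain, and visible text that
    # names the expected site while the href goes somewhere else.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not belongs_to(host, expected_domain):
            found.append(f"link leads to {host!r}, outside {expected_domain!r}")
            if expected_domain in text.lower():
                found.append(f"link text {text!r} hides destination {host!r}")

    # Sign: overly urgent language.
    lowered = body.lower()
    hits = [word for word in URGENCY_WORDS if word in lowered]
    if hits:
        found.append("urgent language: " + ", ".join(hits))
    return found


# Constructed phishing message impersonating the reserved domain bank.example.
SAMPLE_MESSAGE = """\
From: Example Bank Security <alerts@bank-example-notices.invalid>
Subject: Unusual activity detected
Content-Type: text/html

<p>We detected unusual activity on your account. Verify now or your
account will be suspended within 24 hours.</p>
<p><a href="http://bank.example.verify-login.invalid/session">https://bank.example/login</a></p>
"""

# Constructed legitimate message for comparison.
LEGITIMATE_MESSAGE = """\
From: Example Bank <alerts@bank.example>
Subject: Your statement is ready
Content-Type: text/html

<p>Your monthly statement is ready.</p>
<p><a href="https://www.bank.example/statements">View statement</a></p>
"""

if __name__ == "__main__":
    for label, message in (("phishing", SAMPLE_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", phishing_indicators(message, "bank.example") or ["no indicators"])
```

The constructed phishing sample trips four indicators (mismatched sender, an off-domain link, link text that disguises the destination, and three urgency phrases), while the legitimate sample trips none. The `belongs_to` helper is the part worth copying: checking whether the expected domain merely appears somewhere in a hostname is exactly the mistake that look-alike hostnames are designed to exploit.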

You should additionally consider using two-factor or multi-factor authentication to add an extra layer of security to your accounts. This way, if an attacker attempts to log in using your username and password, the login attempt must first be verified through a separate device or channel that you control, such as SMS or email.

Password Cracking Puts Everyone at Risk

There's no doubt that these password cracking techniques threaten the security and privacy of users around the world. Huge amounts of data have already been stolen via password cracking, and there's no saying you won't be targeted. So make sure you know how to steer clear of this malicious venture to keep your accounts safe and secure.