How Hackers Crack Passwords and What You Can Do About IT

By Collin Connors, ERMProtect IT Security Consultant

When a password is the only thing standing between hackers and data, you can count on them to capitalize on weak passwords. Let’s peek inside the mind of a hacker trying to compromise your personal or work account to better understand what strategies hackers use to break your passwords.

Common Passwords

First, the hacker will try to use the most common passwords. There are lists that compile the most frequently compromised passwords involved in data breaches. At the top of most of these lists, you will find passwords such as “111111” and “password.”  A hacker will guess each password in this list until they break into your account.

Open Source Intelligence

If you do not use any common passwords, this does not mean your passwords are not vulnerable. Hackers can guess your passwords using Open-Source Intelligence (OSINT). OSINT is any information about you that is readily available online. For example, hackers will scan your social media accounts to find information such as names, key dates, places, or hobbies that you might use in passwords. Hackers will then combine all of these pieces of data to create likely passwords. For example, a hacker might find your pet’s name is Fido and your birth year is 1990 on your social media. The hacker will then guess passwords such as “Fido1990.”

Leaked Passwords

Even if you avoid using personal details in your password, a hacker can crack it. Often people will reuse passwords across multiple sites. Hackers will search for data stolen in previous data breaches to see if your credentials have been leaked before. The hacker will then try that password on your other accounts to try to break in.

Passphrase Exploitation

Hackers also exploit accounts that use similar passphrases. For example, if you use  “PasswordNetflix” for your Netflix account and “PasswordHulu” for your Hulu account. Or “PasswordFall” for one account and “PasswordWinter” for another. Or “Password1” for one account and then “Password2” for another. Hackers know to look for these patterns and use them to break into accounts.

Brute Force

If hackers don’t succeed with these strategies, they can still “brute force” their way into an account. This means they have to guess every possible password. This technique works when users make the mistake of using short passwords and a very narrow set of characters. A hacker needs only about 1 day to crack a seven-character password that contains only numbers and lower-case letters.  This moves up to 40 days when the user includes capital letters. Increasing the number of characters in your password from 7 to 8, will force a hacker to spend almost 7 years trying to crack it.

Password Manager Exploitation

What about password managers? Can they be cracked? A password manager helps you create complex passwords and saves them. While this protects your password on most sites, it also provides a single point of failure. A hacker who cracks your password manager will be able to access all of your accounts. However, if you use a complex, long, random password to secure your password manager, a hacker may find it extraordinarily difficult to hack.

What You Can Do to Protect Passwords

You can avoid the need for a password manager by creating complex, memorable passwords. You can accomplish this by using a system such as Diceware to generate passwords. Diceware works by rolling 5 six-sided dice to generate a word. You can use the generated word to create multiple passwords that are sufficiently long. For example, you might roll the dice three times and get the words “Hunger Starship Genre.” You can then add random numbers and symbols and capital letters into the words to get something like “Hu#n2Ger StarSh!ip4 gen&54RE.” This password only requires a user to remember 3 words but is complex enough that it will take a hacker a decade to crack. More information about this system can be found here (

Another great security strategy is enabling two-factor authentication (2FA). 2FA requires you to present two different types of identification such as a password and a one-time token sent to your phone. So, even if a hacker compromises your password, he will not be able to access your account because he doesn’t have the token.

In Summary

Now that you know how hackers think - and the tactics they use to compromise passwords – let’s review:

  • If you are determined to keep hackers out, use a password of at least 11 characters consisting of numbers, letters, and symbols.
  • The password should not contain any personal information such as key dates or names.
  • The password should not be reused for other sites.
  • If you use a password manager, be sure you use a strong master password or a system such as Diceware to generate random, easy-to-remember passwords.
  • Lastly, enable two-factor authentication so even if a hacker gets lucky and guesses your password, he strikes out.

ERMProtect Can Help You

ERMProtect is a worldwide leader in cybersecurity solutions and forensics with over 25 years of experience. We identify IT vulnerabilities, secure systems, and train employees to recognize when they are being targeted by hackers. ERMProtect arms employees with the tools and security awareness they need to protect themselves and their organizations from cyber attacks. To speak with an expert on our cybersecurity team please call (800) 259-9660 or click here to schedule a free demo.

Get a curated briefing of the week's biggest cyber news every Friday.

Stop Phishing Attacks with ERMProtect's Security Awareness Training

Turn your employees into a human firewall with our innovative Security Awareness Training.

Our e-learning modules take the boring out of security training.

Intelligence and Insights

How Merchants Can Become PCI-DSS Certified

Follow These 4 Steps to Achieve PCI DSS Certification

For all organizations that process payment cards, the Payment Card Industry Data Security Standard (PCI-DSS) certification is high up the data security and compliance priority list …
ai in penetration testing

How Will AI Change Penetration Testing?

There’s a strong application of AI in penetration testing on the horizon, but the future of penetration testing will be a hybrid approach of human brain & AI …
Vetoes Cybersecurity “Safe Harbor” Bill

Florida Governor Vetoes Cybersecurity “Safe Harbor” Bill

Florida Governor Ron DeSantis vetoed HB 473, a bill that would have extended “safe harbor” from data breach litigation to businesses compliant with certain industry-recognized cybersecurity standards …